SYSTEM SECURITY EMERGENCY!!

jami045
Forum Newbie
Posts: 2
Joined: Sat Jun 28, 2003 1:57 am

Post by jami045 »

Hello my php'ers, I have a problem with the security of a system I am trying to develop, and it is the following: I have no idea how to authenticate who is sending the POST vars to my script, and I am worried someone could "Save As" the introduction form and introduce unwanted info in my system. Does anyone have ideas about how to authenticate the sending form or URL? I need this urgently, so I will be grateful to anyone that answers my question...

In other words, how can I know if it was my own submission form or a hacking copy of my form that sent the $HTTP_POST_VARS['foo'] to my script????

I am worried someone is introducing data from an unwanted location or machine violating my security capabilities.

Some ideas of how to secure my script?
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada

Post by qartis »

Are the variables submitted through a form?
Drachlen
Forum Contributor
Posts: 153
Joined: Fri Apr 25, 2003 1:16 am

Post by Drachlen »

Okay, I searched, but I couldn't find it. I have a suggestion but no code.

What you could do is use the command which checks what URL you came from; I'm thinking it's something with 'refer' in it. Then make an if statement that says:
if([refer command] == "The url of the post area") {
came from your page, not the evil people's page!
} else {
It didn't come from that page, so it's not going to work!
}
Sorry for not specifying enough, I know I saw it around here, maybe a guru will give you the command :)
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada

Post by qartis »

Code:

$_SERVER["HTTP_REFERER"]
contains their referrer, but true crackers know how to spoof that, so don't rely on it for any kind of strong security.
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Re: SYSTEM SECURITY EMERGENCY!!

Post by BDKR »

jami045 wrote:Hello my php'ers, I have a problem with the security of a system I am trying to develop, and it is the following: I have no idea how to authenticate who is sending the POST vars to my script, and I am worried someone could "Save As" the introduction form and introduce unwanted info in my system. Does anyone have ideas about how to authenticate the sending form or URL? I need this urgently, so I will be grateful to anyone that answers my question...

In other words, how can I know if it was my own submission form or a hacking copy of my form that sent the $HTTP_POST_VARS['foo'] to my script????

I am worried someone is introducing data from an unwanted location or machine violating my security capabilities.

Some ideas of how to secure my script?
Just send a digital signature with your form. If the form doesn't come back with the signature, something's wrong.

Cheers,
BDKR
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

You may also want to do some reading here: http://www.php.net/manual/en/security.php
Drachlen
Forum Contributor
Posts: 153
Joined: Fri Apr 25, 2003 1:16 am

Post by Drachlen »

"Just send a digital signature with your form. If the form doesn't come back with the signature, something's wrong."
Even though this isn't my problem, I'm curious as to what you mean: what would be a digital signature and how would it be coded?
BDKR
DevNet Resident
Posts: 1207
Joined: Sat Jun 08, 2002 1:24 pm
Location: Florida

Post by BDKR »

Drachlen wrote:"Just send a digital signature with your form. If the form doesn't come back with the signature, something's wrong."
Even though this isn't my problem, I'm curious as to what you mean: what would be a digital signature and how would it be coded?
Well, I'm using the term rather loosely. The basic idea is that you send with a form a signature.

But what is a signature? It could be any number of things. Some people will dynamically create images with a keyword or something in it. That person is then required to type that key word into a field and send it back. There are holes in this approach as there are in many others.

Here is what I do...

1) Hash client side using Javascript md5 or sha1.
2) Maintain a session var for forms and store IP/OS/Platform data.
3) Send a key with that form (making it unique).

By hashing client side, the user's password is never sent in the clear. Its hash is, however. So, to deal with that fact, the key that is sent with the form in the first place is a hash of the user's IP/OS/Platform plus an additional hash var used on the server.

Is the above bulletproof? No. But nothing is. To me, you just throw enough impediments at a person to make it not worth trying.

Cheers,
BDKR
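
An added example (not BDKR's code and not part of the original thread) of steps 2 and 3 above: a key sent with each form and remembered in the session. It uses a random key rather than a hash of IP/OS/platform data; the function names, the `form_key` field name and the 15-minute lifetime are assumptions.

```php
<?php
// Added example: a one-time key per rendered form, remembered in the session.
// issue_form_key(), check_form_key() and the 'form_key' field are hypothetical names.

function issue_form_key(string $form): string
{
    $key = bin2hex(random_bytes(32));   // unpredictable and unique per rendering
    $_SESSION['form_keys'][$form] = ['key' => $key, 'expires' => time() + 900];
    return $key;                        // emit as <input type="hidden" name="form_key">
}

function check_form_key(string $form, array $post): bool
{
    $entry = $_SESSION['form_keys'][$form] ?? null;
    unset($_SESSION['form_keys'][$form]);   // single use, even when the check fails
    $sent = $post['form_key'] ?? '';
    if ($entry === null || !is_string($sent) || time() > $entry['expires']) {
        return false;
    }
    return hash_equals($entry['key'], $sent);   // constant-time comparison
}

// Constructed run from the command line; a real page calls session_start() first.
$_SESSION = [];
$key = issue_form_key('signup');
var_dump(check_form_key('signup', ['form_key' => $key]));   // form as issued
var_dump(check_form_key('signup', ['form_key' => $key]));   // same key replayed
var_dump(check_form_key('signup', []));                     // copy of the form with no key
```

The key ties a submission to a form this server rendered for this session; it says nothing about whether the other field values are acceptable, so input validation is still required.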
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Another option, without relying on client-side code:

1. Use $_SERVER["HTTP_REFERER"]
2. Perform full validation on returned variables:
A. Only validate variables you expect to receive; don't use register_globals, or any "tricks" that simulate it.
B. This includes validating any hidden variables. Validating hidden variables will often require using a MAC (message authentication code): the value of the variable should be set as "value+MD5(value+server secret)". By exploding the variable on return you'll be able to compare it to what you thought it should be.
C. Make sure that any selectbox/radio button/checkbox returns a legal value; don't assume they are valid by default. Being very paranoid, MAC each option here as well.
D. Basically, the only "safe" inputs are text/textarea/password. They are "unrestricted user input" so you can't check for too much, other than using regexp's. All others need to have the options individually signed.

That should do it.... Doesn't depend on client side code, uses REFERER as a simple check, but true hackers can avoid it. However the more paranoid validation will trap them as well. To crack the site they will have to learn a server secret, on the same order as your database password.
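
An added example, not part of the original post, of the signed hidden field from point B and the option check from point C. It uses HMAC-SHA256 via PHP's hash_hmac() in place of the post's MD5(value+server secret); the function names, field names and secret are assumptions.

```php
<?php
// Added example: sign values the server puts into a form, verify them on return.
// SERVER_SECRET is a constructed placeholder; keep the real key outside the web root.
const SERVER_SECRET = 'constructed-demo-secret';

// The field name is part of the MAC input so a signed value cannot be moved
// into a different field.
function sign_field(string $name, string $value): string
{
    return $value . '|' . hash_hmac('sha256', $name . "\0" . $value, SERVER_SECRET);
}

// Returns the original value, or null if the field is missing, malformed or altered.
function verify_field(string $name, array $post): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return null;
    }
    $sep = strrpos($post[$name], '|');   // the MAC is hex, so the last '|' separates it
    if ($sep === false) {
        return null;
    }
    $value    = substr($post[$name], 0, $sep);
    $mac      = (string) substr($post[$name], $sep + 1);
    $expected = hash_hmac('sha256', $name . "\0" . $value, SERVER_SECRET);
    return hash_equals($expected, $mac) ? $value : null;
}

// Select/radio/checkbox: accept only values from the server-side list of options.
function verify_choice(string $name, array $post, array $allowed): ?string
{
    $v = $post[$name] ?? null;
    return (is_string($v) && in_array($v, $allowed, true)) ? $v : null;
}

// Constructed requests: one as the form was issued, one edited in a saved copy.
$issued   = ['item_id' => sign_field('item_id', '42'), 'size' => 'M'];
$tampered = ['item_id' => '43' . substr($issued['item_id'], 2), 'size' => 'XXL'];

foreach ([$issued, $tampered] as $post) {
    var_dump(verify_field('item_id', $post), verify_choice('size', $post, ['S', 'M', 'L']));
}
```

A valid MAC shows the value was issued by the server, not which user or form instance it was issued to; add a session identifier to the MAC input if that distinction matters.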
jami045
Forum Newbie
Posts: 2
Joined: Sat Jun 28, 2003 1:57 am

Post by jami045 »

THANK YOU ALL!!, I made this code out and it works, I verify if the request method is POST, and if my host is in the HTTP_REFERER... I hope this helps people that had the same question as I did. :lol:

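Code:

<?php
// Only check form submissions.
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    // A missing Referer header is treated as an empty string, so the request is rejected.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $pos = strpos($referer, $_SERVER['HTTP_HOST']);
    // Reject when the host is absent, at offset 0, or past offset 7 (the length of "http://").
    if ($pos === false || $pos === 0 || $pos > 7) {
        die(""); // or maybe EXIT;
    }
}
?>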