PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Mon Aug 15, 2005 2:53 am 
DevNet Master

Joined: Thu Aug 15, 2002 5:53 am
Posts: 4235
Location: Sussex, UK
PHP Security Blog wrote:
Tobias Schlitt gave me a link to the article 10 Tips That Every PHP Developer Should Know, Part 2 by Jeffery Vaska that recently appeared on phpbuilder.com. I was kinda shocked when I saw Tip #5, which describes how to deal with $_GET and $_POST. It mentions that a developer can use extract($_POST) to eliminate the need of assigning every single entry manually. It also mentions:

This is a matter of convenience and is not always a best practice.

It completely fails to mention that using extract() without using prefixes or the parameter EXTR_SKIP is usually a very big security hole, because it allows an external attacker to overwrite every variable, including the superglobals (unless you use the Hardening-Patch), and this can lead in many cases to SQL injection or even Remote Code Execution vulnerabilities.


Gulftech has recently released an advisory for Squirrelmail, that describes exactly such an extract($_POST) flaw.


source: http://blog.php-security.org/archives/5 ... -Know.html


PostPosted: Mon Aug 15, 2005 8:59 am
DevNet Resident

Joined: Sat Dec 06, 2003 10:52 pm
Posts: 1679
Location: Mumbai, India
If extract was replaced by parse_str, then wouldn't the same security issue arise?


PostPosted: Mon Aug 15, 2005 9:03 am
DevNet Master

Joined: Thu Aug 15, 2002 5:53 am
Posts: 4235
Location: Sussex, UK
Yup. The issue is really that unchecked/unverified user-input is assigned to PHP variables. extract(), however, is, from my experience, more commonly used than parse_str().
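The overwrite described in the opening post and in the extract()/parse_str() exchange above, as an added example that is not part of the thread. The request body, the $isAdmin flag and the function names are constructed for illustration; the only thing taken from the thread is the behaviour of extract() with and without EXTR_SKIP or a prefix, and of parse_str(). Set $_POST by hand so the script runs offline from the CLI.

```php
<?php
// Added example, not code from the original thread or from phpbuilder.com.
// Shows how extract()/parse_str() on request data let a caller overwrite
// application-controlled variables, and the three usual mitigations.
declare(strict_types=1);

// Constructed request: the form only has "username", but the client
// also sends a field named after an internal variable.
$_POST = ['username' => 'mallory', 'isAdmin' => '1'];

// Vulnerable: EXTR_OVERWRITE is the default, so the submitted "isAdmin"
// replaces the value the application set one line earlier.
function vulnerableLogin(array $post): bool
{
    $isAdmin = false;
    extract($post);
    return (bool) $isAdmin;          // now '1' from the request
}

// Mitigation 1: EXTR_SKIP never touches a variable that already exists.
// Caveat: a name you have NOT initialised yet can still be created by the
// request, so every variable read after extract() must be assigned before it.
function skipLogin(array $post): bool
{
    $isAdmin = false;
    extract($post, EXTR_SKIP);
    return (bool) $isAdmin;          // still false
}

// Mitigation 2: EXTR_PREFIX_ALL puts every request field under its own
// namespace ($in_username, $in_isAdmin); internal names are unreachable.
function prefixedLogin(array $post): bool
{
    $isAdmin = false;
    extract($post, EXTR_PREFIX_ALL, 'in');
    return (bool) $isAdmin;          // $in_isAdmin exists, $isAdmin untouched
}

// Mitigation 3 (preferred): do not extract at all. Read only the keys the
// form defines and cast them; unexpected fields are simply ignored.
function explicitLogin(array $post): array
{
    $isAdmin  = false;
    $username = isset($post['username']) ? (string) $post['username'] : '';
    return ['username' => $username, 'isAdmin' => $isAdmin];
}

// parse_str() has the same hazard when called with one argument: before
// PHP 8.0 it created variables in the calling scope exactly like extract().
// Passing a result array (mandatory since PHP 8.0) keeps the data out of
// the variable table, so "isAdmin" lands in $params, not in $isAdmin.
function parseQuery(string $queryString): array
{
    $isAdmin = false;
    parse_str($queryString, $params);
    return ['isAdmin' => $isAdmin, 'params' => $params];
}

var_dump(vulnerableLogin($_POST));
var_dump(skipLogin($_POST));
var_dump(prefixedLogin($_POST));
var_dump(explicitLogin($_POST));
var_dump(parseQuery('username=mallory&isAdmin=1'));
```

Run it with `php extract_demo.php`. Only vulnerableLogin() reports the caller as admin; the other variants keep the application's own value because the request never gets write access to an existing variable name. The prefix and explicit-read forms are the ones to prefer: EXTR_SKIP protects initialised variables only, so a later `if ($debug)` or `include $page` reading a variable that was never assigned is still attacker-controlled.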


PostPosted: Mon Aug 15, 2005 9:08 am
Forum Contributor
Joined: Sat Feb 19, 2005 9:35 am
Posts: 332
Location: USA
So basically... don't use them?


PostPosted: Mon Aug 15, 2005 9:11 am
DevNet Master

Joined: Thu Aug 15, 2002 5:53 am
Posts: 4235
Location: Sussex, UK
For superglobals (e.g. $_POST, $_GET, $_REQUEST etc.) it's a gaping security hole waiting to be exploited. Don't use extract/parse_str on them as these functions blindly assign unchecked values.


PostPosted: Mon Aug 15, 2005 9:19 am
Forum Contributor
Joined: Sat Feb 19, 2005 9:35 am
Posts: 332
Location: USA
Well, from what I've heard, Superglobals have always been a security hole since inception...


PostPosted: Mon Aug 15, 2005 9:20 am
DevNet Master

Joined: Thu Aug 15, 2002 5:53 am
Posts: 4235
Location: Sussex, UK
nope.


PostPosted: Mon Aug 15, 2005 9:32 am
Forum Contributor
Joined: Sat Feb 19, 2005 9:35 am
Posts: 332
Location: USA
Well, not on their own, I mean, but they've been the center of a lot of holes relating to other functions that use them. I believe PHP.net's website mentioned to turn off Superglobals at one time, and even had them turned off as default in their installs (before PHP 5 of course... this is all PHP 4). I've been playing with PHP since PHP 3... yet I still haven't given PHP enough time to learn it X_x.


PostPosted: Mon Aug 15, 2005 9:34 am
DevNet Master

Joined: Thu Aug 15, 2002 5:53 am
Posts: 4235
Location: Sussex, UK
You're confusing globals and superglobals. See http://uk.php.net/register_globals


PostPosted: Mon Aug 15, 2005 9:38 am
Forum Contributor
Joined: Sat Feb 19, 2005 9:35 am
Posts: 332
Location: USA
Ah yes, one of the two. I tend to confuse the two, and probably will continue to. Such distinctions don't reside in my mind for long...

