security issues in php

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

pelegk2
Forum Regular
Posts: 633
Joined: Thu Nov 27, 2003 5:02 am
Location: Israel - the best place to live in after heaven

security issues in php

Post by pelegk2 »

what security thing's are there in php, for example like the include/require that should be used carefully?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Any of the shell commands.... Anyone wanting to make a mess of things could do a pretty good job if these are poorly implemented....

They always seem obvious ones to me :D

exec(), system(), passthru()....
pelegk2
Forum Regular
Posts: 633
Joined: Thu Nov 27, 2003 5:02 am
Location: Israel - the best place to live in after heaven

can you give an example

Post by pelegk2 »

to one of them?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: can you give an example

Post by Chris Corbyn »

pelegk2 wrote: to one of them?
:? You want an example?

Untested but...

echo passthru($_GET['command']); // the request parameter goes straight to the shell, unfiltered
Which basically allows complete control of the server if PHP has good enough permissions....

You could get all the source code of files for example with the awfully insecure script....

http://www.yourdomain.com?command=ls (see the filenames)
http://www.yourdomain.com?command=cp%20 ... 0file2.txt (copy the files to text files)
http://www.yourdomain.com/file1.txt (download the source code).

With this you could access mysql databases from passwords in the scripts etc. However a unix-happy kinda person could do far more damage than that....
pelegk2
Forum Regular
Posts: 633
Joined: Thu Nov 27, 2003 5:02 am
Location: Israel - the best place to live in after heaven

nice to know:)

Post by pelegk2 »

are there any other dangerous functions like that?
i thought of something for example like :
the use of $$
which for example if you have
$x="function1";
and u do
$$x;
u activate the function!
so if in some way u know that
$_REQUEST['some_var'] is equal to "mysql_query(drop table")
then maybe somehow a
$$_REQUEST['some_var'] can be done too!
i am still rolling the idea if this is possible in any way!
what do u think?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

You know better than to post in the wrong forum.. :roll:

Moved to PHP-Security
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

pelegk2 wrote: are there any other dangerous functions like that?
Any function is dangerous in the hands of an expert with unfiltered data. 8)

Actually, that's not necessarily true, but always don't trust external data.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Another common security flaw is the possibility of "sql injection"..

While this is not completely PHP's problem, once again it is an example of how poor coding practices and lack of sanitation from user input can cause some problems.

But what does this mean? It means that any language has its core vulnerabilities, and it also has its defences -- where the problem is, as mentioned earlier, is the coder himself.
pelegk2
Forum Regular
Posts: 633
Joined: Thu Nov 27, 2003 5:02 am
Location: Israel - the best place to live in after heaven

Jcart i agree with every word

Post by pelegk2 »

but what do u say about :
$x="function1";
and you do
$$x;
you activate the function
is it possible my idea?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Jcart i agree with every word

Post by Chris Corbyn »

pelegk2 wrote: but what do you say about :
$x="function1";
and you do
$$x;
you activate the function
is it possible my idea?
Well all that is doing is using a string to make a variable variable.

If you did have $x as the result of a function then I guess you'd just have be careful about what the function actually does.

The main security issues... as already mentioned is anything designed to allow external control.
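The passthru() line from Chris Corbyn's post above and the $$x question from the last two posts, as an added example that is not from this thread: the unsafe call next to an allow-list dispatcher (the function, action and argument names are my own), and a check showing that $$x only names a variable.

```php
<?php
// Added example, not code from the thread: the passthru() line quoted above,
// next to a hardened dispatcher, and a check of what $$x really does.
declare(strict_types=1);

// The pattern from the thread: the raw request parameter becomes the shell
// command line. passthru() prints the output itself, so the echo was redundant.
function runUnsafe(array $get): void
{
    passthru($get['command']);   // shell injection: any command string runs
}

// Hardened: the client chooses an action by name from a fixed table, so the
// shell only ever sees strings the developer wrote. The single optional
// argument is checked against a strict pattern and then quoted with
// escapeshellarg(), which turns it into one literal word even if it
// contains shell metacharacters. Action names here are made up.
const ACTIONS = [
    'uptime' => 'uptime',
    'disk'   => 'df -h --',
];

function runAllowListed(array $get): string
{
    $action = $get['action'] ?? '';
    if (!array_key_exists($action, ACTIONS)) {
        return "unknown action\n";          // refuse anything not in the table
    }
    $cmd = ACTIONS[$action];
    if (isset($get['path'])) {
        if (!preg_match('~^[A-Za-z0-9_./-]{1,64}$~', $get['path'])) {
            return "bad argument\n";
        }
        $cmd .= ' ' . escapeshellarg($get['path']);
    }
    exec($cmd, $lines, $status);
    return $status === 0 ? implode("\n", $lines) . "\n" : "failed ($status)\n";
}

// What $$x does: it names a variable, it does not call a function. With
// $x = 'function1', $$x reads or writes $function1 and function1() never runs.
// (The construct that calls a function named by a string is $x(), which is
// why request data must be kept away from both.)
function variableVariableOnly(): bool
{
    $x = 'function1';
    $$x = 'just a variable';
    return isset($function1) && $function1 === 'just a variable';   // true
}
```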