Securing My website even more than it is

QuickSnail
Forum Commoner
Posts: 46
Joined: Fri Dec 21, 2007 11:13 am

Post by QuickSnail »

Alrighty..

Let's start with what I'm working with..
I have user inputs. You must log in to post anything.
The user inputs are being filtered with this:

Code:

$fix1=str_ireplace("javascript", "-", $info);
$fix2=str_ireplace("mysql", "..", $fix1);
$fix3=str_ireplace("mysqli", "..", $fix2);
$fix4=str_ireplace("connect", "..", $fix3);
$fix5=str_ireplace("query", "..", $fix4);
$fix6=str_ireplace("[b]", "<b>", $fix5);
$fix6_1=str_ireplace("[/b]", "</b>", $fix6);
$fix7=str_ireplace("[i]", "<i>", $fix6_1);
$fix7_1=str_ireplace("[/i]", "</i>", $fix7);
$fix8=str_ireplace("[p]", "<p>", $fix7_1);
$fix8_1=str_ireplace("[/p]", "</p>", $fix8);
$fix9=str_ireplace("[break]", "<br />", $fix8_1);
$fix10=str_ireplace("$_session", "..", $fix9);
$fix11=str_ireplace("$user_id", "..", $fix10);
$fix12=str_ireplace("array (", "..", $fix11);
$fix13=str_ireplace("mail(", "..", $fix12);
$fix14=str_ireplace("$id", "..", $fix13);
$fix15=str_ireplace("submit", "..", $fix14);
$fix16=str_ireplace("<form", "..", $fix15);
$fix17=str_ireplace(".php", "..", $fix16);
$fix18=str_ireplace(".cfm", "..", $fix17);
$fix19=str_ireplace(".asp", "-", $fix18);
$fix20=str_ireplace("/?", "..", $fix19);
$final=$fix20;
I have a few things disabled in my php.ini

disable_functions = fopen,popen,file,exec,rmdir,set_time_limit,filepro,filepro_retrieve,filepro_rowcount,highlight_file,system


I am storing users' IPs every time they log in; if it changes they must re-log in.
On log out I am using session_destroy(); Not just setting the session details to nothing aka unset them. (unset $_session['*'];)

What else do you suggest I do to secure my website?
I have tested php on the user input and it seems to NOT run the php but send the code to the browser hidden..? it's there it just doesn't show almost like it's in an HTML hidden input tag.
So I'm unsure on how that is working that way But I like it Haha...

But anyway.

Obviously the data is being stored within a Database.
That is MySQL 5.0.
Users have a profile so I am allowing CSS and some HTML.
Should I use HTML entities and list every HTML I am allowing? So it filters the others?
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Post by andyhoneycutt »

I'm not entirely sure what the data is that you're filtering, or what system it belongs to. Generally I make sure to escape all data that any user enters and properly destroy sessions for security as far as the database goes as well as "permissions". You could take it a step further and write a custom session handler to store sessions in a database if you wish to rule out session hijacking.

-Andy

Post by QuickSnail »

Yes I would like to rule out SID hijacking. What do you mean a custom session handler? Storing SID's with ID#'s and IP's?
If all three do not match Re-log in?
Also As far as making sure SID's are properly destroyed Does session_destroy(); Do that? or should I add more to the process.

Some data will include ( " ' = - _ ` ~ > < ? ! @ # $ % ^ & * [A-Z][a-z][0-9].
So pretty much everything.. Ha..


I'm running everything on a Windows Xp.

Post by andyhoneycutt »

If you're on a shared-host set-up, rewriting your session handlers to dump to a database is considered another layer of security. The problem being that session data is stored in a more-or-less open to the world area on the machine.

I wouldn't worry about it if you're running on a stand-alone system that you admin.

I'm still curious as to what it is you're doing with all the i_replacing. What type of application are you building?

-Andy

Post by QuickSnail »

Well It's still under wrap so I can't tell you exactly.
But I can tell you that users have profiles, friends, photos and such.
Involves CSS and HTML. No other languages are allowed. You could probably have a good guess from that little info.
But anyway.

I admin my own server.
How could you find out if the SID's stored location is open or not?
In other words where are SID's stored normally on a windows xp, php 5, Apache 2.0 machine?

Also Do you suggest disabling any other functions in my php.ini?


Also what are the best ways of stopping Cross site coding.
I plan on filtering links to a custom page that will ask the user if they are sure if they want to go to that site and that it will log them out by destroying their session of course.

Post by andyhoneycutt »

I couldn't tell you much about php/apache or iis under windows, and am not very keen on the topic of security of those systems. I would check the documentation for your web server application and read up on PHP to determine what types of vulnerabilities you face.

If your server is stand-alone then really all you should need worry about as far as session data goes is what you would normally worry about: have a decent firewall in place and keep current with all security topics related to running your particular brand of server.

-Andy

Post by QuickSnail »

O.k.
Thanks for the info :D
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

This is wrong both in theory and in practice.

You should escape the input values according to the context they will be used in - htmlspecialchars for HTML output (to prevent XSS), mysql_real_escape_string for mysql_query (to prevent SQL injection) and so on. This is all it takes to ensure that:
1. You preserve all characters in their original form...
2. ... and yet you are safe from injection attacks

This is where your approach is wrong in theory.
In practice, some lesser techniques, like str_replace, can be made to work correctly against injection, at the price of reduced freedom in the user input, more ugly and complex code, and therefore more chances of making a mistake.
The posted code, though, is not one of these less-successful cases, instead it is plain wrong.

First, it doesn't protect against any particular vulnerability, instead it's a mixture of functionality (bbcode conversion) and security theater (i.e. security measures which are only for the show).
Second, it has bugs in it, like the double quotes side effects - have you tried passing the string "Array" (after session_start() ) through this?
Third, the real attacks will pass this with flying banners, if you haven't done proper escaping; if you have proper escaping, this code becomes superfluous.

It seems that you are not aware of the kinds of attacks one can expect - what's wrong with the string ".asp" for example? Or the words "submit", "connect" and "mysql", or the number - say - 1? All of these will get broken by your code. In fact it should be so obvious, that it appears it hasn't really been tested at all.
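
The contrast Mordred describes, as an added example that is not part of the original thread: a shortened copy of the keyword filter next to escape-first rendering, run over constructed sample strings. `render_post` is a hypothetical helper name; the BBCode tags are the ones from the first post.

```php
<?php
// Added example, not code from the thread. All sample strings are constructed.

// Shortened copy of the keyword filter from the first post (same calls, fewer rules).
function blacklist_filter(string $info): string
{
    $out = str_ireplace("javascript", "-", $info);
    $out = str_ireplace("connect", "..", $out);
    $out = str_ireplace("submit", "..", $out);
    $out = str_ireplace(".asp", "-", $out);
    $out = str_ireplace("[b]", "<b>", $out);
    return str_ireplace("[/b]", "</b>", $out);
}

// Context-aware alternative (hypothetical helper): escape everything for the
// HTML context first, then convert the small set of allowed BBCode tags.
// Any markup the user typed is already inert text by the time tags are added.
function render_post(string $info): string
{
    $safe = htmlspecialchars($info, ENT_QUOTES, 'UTF-8');
    foreach (['b', 'i', 'p'] as $t) {
        $safe = str_ireplace(["[$t]", "[/$t]"], ["<$t>", "</$t>"], $safe);
    }
    return str_ireplace('[break]', '<br />', $safe);
}

$samples = [
    'Please submit the form and connect via example.asp', // benign text the filter mangles
    '[b]bold[/b] & 1 < 2',                                // BBCode plus HTML special characters
    '<script>alert(1)</script>',                          // markup that no keyword rule matches
];

foreach ($samples as $s) {
    echo "input:     $s\n";
    echo "blacklist: " . blacklist_filter($s) . "\n";
    echo "escaped:   " . render_post($s) . "\n\n";
}
```

This covers the HTML output context only; values going into a query need the escaping for that context, applied separately at the point where the query is built.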
omniuni
Forum Regular
Posts: 738
Joined: Tue Jul 15, 2008 10:50 pm
Location: Carolina, USA

Post by omniuni »

I am curious, though, about your choice of Operating System.

If security is such a large issue, if I were you I would be far more concerned with the vulnerabilities of your system itself. Windows XP is nearing the end of its supported life, and even in the very best of circumstances, it has only "good" security. If you truly want your system secure from the ground up, I would recommend looking into something like Ubuntu Server LTS, CentOS, or RedHat Linux. By default, these distributions are both easy to install and setup, as well as secure against most types of attacks that target firewalls, services, and/or attempt to install or run software on the machine.

Beyond security, I would be concerned about the stability and portability of your web application on a Microsoft box. While PHP is certainly a better choice than ASP (in my opinion), you will still have to reboot frequently (for a server, probably once or twice a week or so), and your files will be stored in odder places than on a cleanly set up Linux box.

Also, on the topic of Firewalls, I strongly recommend Comodo Firewall, it's free, but it works just great.

Of course, all of this is just my opinion, so take it for what it's worth.

Best of Luck,
OmniUni

Post by QuickSnail »

Well all of that code has been tested. But only by yours truly.
I am only a PHP developer of about 1 year now. So I do not have anywhere near massive knowledge of PHP.


Also I have considered dropping XP and picking up Linux and a distribution like Red Hat. I didn't think it would matter that much. But it seems that it does.

Although now that I think about it.. It would make sense that choosing something like Red Hat would be somewhat safer than Windows because more people I would assume use Windows over Linux.
Drop xp
Linux Red hat
Comodo firewall.. Alrighty (I'm taking notes in my notebook)

What exactly does mysql_real_escape_string Do?
Also does that apply to mysqli Because that is what I am using.

htmlspecialchars now Take in mind that I am allowing some html such as <img> and such.
I was trying to stop some attacks that I could think of. Which obviously isn't a lot.

Oh Also I should mention that I have Safe_mode turned ON.


Thank you for the help you are giving me. It's all greatly appreciated.

Post by Mordred »

mysqli_real_escape_string()
http://www.logris.org/security/the-unex ... -injection
(Check the reference section at the bottom for the beginner papers on SQL injection)

http://htmlpurifier.org for dealing with allowing only *some* HTML tags.

Use htmlspecialchars() for the areas that you don't want *any* HTML - like usernames etc.

This is not the place to discuss OS-level security - we are experts in PHP, not OSes. Even if the advice here happens to be well-educated, you will get better information at fora specialising in OS security.
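
A sketch of the split Mordred recommends, added here and not taken from the thread: HTML Purifier with an explicit whitelist for profile HTML, and `htmlspecialchars()` for fields that take no HTML. It is written against the HTML Purifier 4.x API (3.x releases used a three-argument `set()`); the library path, the allowed-tag list and the function names are assumptions.

```php
<?php
// Added example, not code from the thread or from the HTML Purifier project.
// ASSUMPTION: the unpacked library sits outside the document root at this
// hypothetical path; PHP only needs to be able to read it, the web server
// never has to serve it.
require_once '/srv/lib/htmlpurifier/library/HTMLPurifier.auto.php';

// Hypothetical helper: one purifier configured for profile content.
function profile_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist: any element or attribute not listed here is removed.
    $config->set('HTML.Allowed', 'b,i,p,br,img[src|alt]');
    // Restrict URLs (for example img src) to http and https.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return new HTMLPurifier($config);
}

// Fields that must never contain HTML (usernames etc.) are escaped, not purified.
function render_username(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: allowed tags mixed with an event handler and a script element.
$dirty = '<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
       . '<img src="http://example.com/a.png" alt="me"></p>';

$purifier = profile_purifier();
echo $purifier->purify($dirty), "\n";          // only whitelisted tags and attributes survive
echo render_username('<b>QuickSnail</b>'), "\n"; // tags shown as literal text
```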

Post by QuickSnail »

Alright. Thank you.
So htmlspecialchars() for NO HTML whatsoever.

As for the HTML Purifier, it says it only works with PHP 5.0 which is fine. I'm using that. I take it that it works on any OS? I don't see it telling me otherwise.
Also how in the world am I supposed to install this thing?! :dubious:

I downloaded the .Zip I seem to understand that you require it. Then call the function.
Does this mean I drop ALL of these files in my Http:// directive folder? aka ./ of the host.

Post by omniuni »

@Quick Snail: Comodo Firewall is for Windows, Linux comes with a rather secure one built on (And you can tweak it if you need additional security)

@Mordred: It's true, this is a PHP forum, not an OS forum, but this was a broad topic about creating a situation with maximal security. As such, I felt it was pertinent to mention the OS. It's not that Windows can't be secured, it can, but my opinion is that it is easier to create a secure web hosting environment on a *nix based system. I never stated it as an absolute, it is my opinion only.

In general, I think you're on a good track, but I agree with the comment above that using a WYSIWYG editor like TinyMCE would help with keeping code clean; even if you just run it in HTML editing mode, so you still code everything, it has a built in code cleaner that should help when people click "Submit".

Good Luck!

Post by QuickSnail »

Maybe switching to Linux would be a good idea.
I also have wanted to use sendmail for mail() but of course couldn't. I know there are other ways but I see a lot of them as rather huge massive processes.. :banghead:


But yes. If someone could give me a clue or a little help on using HTML Purifier 3.1.1. I looked over their forum and I don't see an answer.. I feel sorta dumb haha.. I see a .htaccess in some of the folders. Am I right in assuming you drop all the folders and files in your doc root?

Post by QuickSnail »

New question same subject:

In php.ini Should I set the session.save_path to something that isn't in my www/ folder? (where the .com is located)
So that it isn't accessible by web or would that render the sessions unusable?
Also should I change the session.name? which is used for cookie names. Right now it's at the default 'PHPSESSID'.