Day 23 – Additional Security

Zend PHP Certification

Okay, today should be the last day of Security topics (finally).  The first one we’re going to cover is:


Remote Code Injection

Remote Code Injection is when a malicious user causes your PHP code to include and execute code fetched from a remote server.  The most obvious way in is through a query-string input.  See this example:

    require_once "{$_GET['page']}.php";

If you were to pass page=http://www.example.com/malicious into that script, it would then include and execute that remote malicious.php script.  This is easily preventable by whitelist filtering your input.  Here is an example:

    $valid = array('home', 'news', 'blog');

    if (in_array($_GET['page'], $valid))
      require_once "{$_GET['page']}.php";
    else
      echo "Invalid page.";

The alternative protection is to disable allow_url_fopen, but that also prevents every script from accessing any remote content (images, files, etc.).

Command Injection

This will be quick.  When executing shell commands in PHP (using system(), exec(), passthru(), or the backtick operator), you can prevent malicious input from being interpreted by the shell by passing it through the escapeshellcmd() and escapeshellarg() functions.
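The following is an added example (not code from the original post) that puts both points above together: a page loader that never interpolates the request value into a file path, and a command wrapper whose only variable part goes through escapeshellarg(). The pages/ directory, the file names and the use of the `file` binary are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Paths and the 'file'
// binary are assumed for illustration.

// Whitelist by lookup: the request value is only ever used as an array
// key, never as part of a path, so "page=http://example.com/malicious"
// or "page=../../etc/passwd" simply fails the lookup.
$pages = array(
    'home' => __DIR__ . '/pages/home.php',
    'news' => __DIR__ . '/pages/news.php',
    'blog' => __DIR__ . '/pages/blog.php',
);

function loadPage(array $pages, $requested)
{
    // array_key_exists() compares the key exactly; in_array() with its
    // default loose comparison can match values you did not intend.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        echo 'Invalid page.';
        return false;
    }
    require_once $pages[$requested];
    return true;
}

// Command injection: the program and its options are fixed in the code;
// the user-controlled value is wrapped in single quotes by escapeshellarg(),
// with any embedded single quote rewritten as '\'' so that characters
// such as ; | & ` $( ) are passed to the program as literal text.
// e.g. escapeshellarg("a;b'c") === "'a;b'\\''c'"
function fileType($path)
{
    $cmd = 'file -b ' . escapeshellarg($path);
    exec($cmd, $output, $status);
    return $status === 0 ? implode("\n", $output) : null;
}

loadPage($pages, isset($_GET['page']) ? $_GET['page'] : 'home');
```

escapeshellarg() protects the shell boundary only; if the program itself treats a leading "-" as an option, validate that separately.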

Shared Hosting

When you are running a shared hosting environment, you have to be careful about how the various users' PHP scripts interact with each other.  The most important thing is to prevent one user from accessing another user's files.  In PHP 6, safe_mode will no longer be an option.  Therefore you can use the following php.ini directives instead:

  • open_basedir: limits what folders PHP can open/read from
  • disable_functions: disables specific functions (usually exec, passthru, system)
  • disable_classes: disables specific classes (directory, etc.)


Okay, that's it about Security.  Remember, NEVER TRUST THE USER!
