Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
PHP application security and the vulnerabilities which are often found in PHP apps have already been discussed at length. PHP is a great language, but it suffers in that it provides no simple method of escaping special characters when handling input and thus leaves many budding programmers' web applications vulnerable to remote file inclusion (RFI) exploits, Cross Site Scripting (XSS), SQL injection and a host of other remote exploitation techniques which may allow the attacker to steal confidential data (such as clients' credit card details), disrupt services and cause many other problems. These techniques allow the attackers to use the web application to do things it was not originally designed for.
The programmer in question can be blamed to a certain extent for not reading up on how to secure their web application, but the problem is that many new programmers are not aware of the fact that they need to escape and clean the data they receive from the application's inputs in order to stop it from doing what it was not designed to do. They are probably unaware that such types of attacks exist anyway. However, PHP provides limited, complex and slightly obscure functions to secure input handling which are usually insufficient and lack the functionality required to prevent certain attacks. Worse still, many books and tutorials written to teach people with no previous experience how to code in PHP usually omit secure data handling techniques or tips, and provide examples thoughout the book/tutorial which are vulnerable to the attacks mentioned above! This is irresponsible on the authors' behalf: it's no wonder that PHP application vulnerabilities accounted for 43% of the security issues found in 2006.
However, all hope is not lost. The Open Web Application Security Project (OWASP) have produced a set of PHP filters which allow the newest of PHP programmers to secure their input data handling methods. Doing so is a simple as downloading the filters, including them in the web app (with a command such as require_once('sanitize.inc.php')), storing the input into a variable and then sanitizing the data as shown on the project's homepage.
It would be better if the PHP developers added functions such as OWASP's PHP filters into the PHP code itself and if the authors of PHP instruction material added sections on securing input handling, but these filters are far better than nothing
Too many people don't realize that PHP input has to be hardened else the entire server can be compromised. I have a handful of scripts I have written for myself and keep in a library, but some of these are better than what I have written for myself, so I think I'll start using them.
Actually, I tend to approach it a bit differently than these scripts. These scripts clean up an input string, like from a form, while I just assume that an input string from a form that has invalid characters or codes in it is from a bad guy, and I drop the input. To that end, my scripts test for bad things and return true if found, false if not.
For instance, I verify form fields with this function, to prevent email relaying:
Code:
function killheaders($ourstr){
$outstr = eregi("(\r|\n|Subject:|Content-type:|From:|MIME-Version:|to:|bcc:|cc:)",$ourstr);
if ($outstr != false){
return true;
}
else {
return false;
}
} //end function killheaders
Where appropriate, I will do an eregi("('|\")",$ourstr);
in order to prevent sql injection attacks. Have to be careful there though because in comment fields quotes are perfectly OK.
Adding another take on filtering: PHP Input Filtering Library, don't forget to read the discussion (OWASP seems gets stuck halfway through the filtering idea), then go up one level and maybe check out topics like "Requested PHP Security Patches"...
Thanks unSpawn - as discussed in that article, the OWASP filters aren't perfect, but they can be put to good use by inexperienced and experienced programmers alike. Actually, Andrew van der Stock, OWASP's Executive Director, left a comment on my post saying that the filters are going to be updated soon, so I'm looking forward to the new version
Another article which pertains to this discussion is one by Jeremiah Grossman on the benefits of both input validation and output filtering. It's well worth the read.
Interesting reading but I would have put this thread (as well as the firefox one) in a not-only-linux part of LQ (Programming for example)
In general cases, it has nothing to do with Linux or any OS.
Nice content still. PHP is very often used to do harm and it is more complicated than it seems to secure it.
Thank you.
Yea the problem is the colleges and universities... they don't focus on real world problems such as performance and security.
They focus on academic neatness and theoretical elegance which doesn't prepare people for the real world.
Nothing is a panacea for defensive coding practices.
You can't fix naivety with some functions.
There should be 4 levels(each being taught across 2 semesters) of required code security courses for CS and IS majors starting in the first year with philosophies such as default deny etc.
Right now the only way to learn this stuff is with osmosis and hard knocks, which isn't exactly great for your career.
They focus on academic neatness and theoretical elegance which doesn't prepare people for the real world.
I take it there's some association between security and inelegant hacked-together solutions? Don't hate on schools for teaching "theoretical elegance" - IMHO there isn't enough of it being taught! Rather, how about we focus instead on how there is a lack of focus on common security issues in many classes (about which you *are* correct). Though it may not be the epidemic we should all fear; at least as of several years ago the teaching assistants at Purdue greatly enjoyed taking off points for programs which failed to properly and safely handle invalid input. Still, at some smaller universities I have witnessed a complete lack of concern surrounding security issues. Maybe it comes from some misconception that by using the right libraries you have nothing to fear, as these are the same schools which insist on using Java for everything. To be sure, there's a lot to be learned by writing everything yourself, and watching somebody else find a way to bend it to do their bidding.
I remember I used a php script called "SQuery" that had RFI vulnerability and I someone started to send ALOT of fraud emails through my host...
thanks for this useful post
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
