Archive for August 2008
“Essential PHP Security” is an introduction to PHP application security written by Chris Shiflett, though you could say that it suits any other language too. Well, at least to some point it does. It is a really short, easy read. Having developed PHP applications for quite a few years, I had never tried to look at all the security issues in one place to see if I’m up to date. To tell the truth, I expected something more, but that is why the book name includes the word “essential”. Let’s take a closer look at the book.
Chapter I – Intro
Basically it tells you to avoid the deprecated register_globals (which is going away in PHP6), to turn on error_reporting(E_ALL | E_STRICT), to practice “Defense in Depth”, that is, adding additional “safeguards” where possible to make it harder for the attacker, and “Least Privilege”, that is, giving only the required permissions, and to write simple, elegant code so that security issues are easier to spot.
Chapter II – Forms and URLs
Basic, basic, basic... Don’t do things like firstname.lastname@example.org, use is_uploaded_file() and move_uploaded_file() for uploads, and prevent XSS using htmlentities() with ENT_QUOTES and the encoding that you specified in the HTTP response of your application. The CSRF topic is quite old now but still not taken seriously, and there are a few thoughts on not taking HTTP_REFERER too seriously.
Chapter III – Databases and SQL
Keep your db credentials outside of the document root or at least not visible from outside, better yet in server environment variables; avoid SQL injection using database-specific escape functions, prepared statements or addslashes(); and encrypt stuff like SSNs or credit card numbers.
Chapter IV – Sessions and Cookies
Things get more interesting here. Cookie theft, which is really just a subtopic of XSS. Session fixation is a topic like CSRF: known for a long time and not taken seriously. For those of you who don’t know, defending against session fixation is about regenerating your session id every time a user in your application gets higher permissions, such as when logging in. There is also an old trick of checking on every page load whether the user’s USER_AGENT has suddenly changed, to make it harder for the attacker.
Chapter V – Includes
This chapter explains that you should keep as much of your application as possible outside of the document root and filter every user-supplied variable that you use for includes with basename, realpath, pathinfo or other tools. It also covers disabling allow_url_fopen, though I prefer disabling allow_url_include more.
Chapter VI – Files and Commands
Almost the same as Chapter V, except that you learn new functions like escapeshellcmd() and escapeshellarg().
Chapter VII – Authentication and Authorization
A nice idea to use 15 second login timeouts to make it harder for the attackers while keeping the legitimate users safe. Use SSL. Try to avoid persistent logins, and if you can’t, don’t store sensitive information like usernames or passwords in the cookies. A really nice idea is to generate one-time-use tokens that you save in cookies with a timeout for persistent logins and regenerate them on every login.
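The one-time persistent-login token idea from this chapter, sketched as an added example (not code from the book or from this review). It assumes PHP 7 or later; the function names, the in-memory $store standing in for a database table and the one-week lifetime are all hypothetical:

```php
<?php
// Added example; all names are hypothetical. $store stands in for a DB table.
const TOKEN_TTL = 7 * 24 * 3600; // token lifetime in seconds (constructed value)

// Create a fresh token for $userId and return the value to put in the cookie.
function issueToken(array &$store, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(8));   // lookup key, not secret
    $secret   = bin2hex(random_bytes(32));  // only its hash is kept server-side
    $store[$selector] = [
        'user'    => $userId,
        'hash'    => hash('sha256', $secret),
        'expires' => $now + TOKEN_TTL,
    ];
    return $selector . ':' . $secret;
}

// Validate a cookie value. A token is spent on first use, valid or not;
// on success the caller gets the user id and a replacement cookie value.
function redeemToken(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                        // malformed, unknown or already used
    }
    [$selector, $secret] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);               // one-time use
    if ($now > $row['expires']) {
        return null;                        // timed out
    }
    if (!hash_equals($row['hash'], hash('sha256', $secret))) {
        return null;                        // wrong secret, constant-time compare
    }
    return [
        'user'   => $row['user'],
        'cookie' => issueToken($store, $row['user'], $now),
    ];
}

// Constructed walk-through: log in, return a minute later, then replay the old cookie.
$store  = [];
$now    = time();
$cookie = issueToken($store, 42, $now);
$visit  = redeemToken($store, $cookie, $now + 60);
$replay = redeemToken($store, $cookie, $now + 120);
echo 'first use:  ', $visit === null ? 'rejected' : 'user ' . $visit['user'], PHP_EOL;
echo 'replay:     ', $replay === null ? 'rejected' : 'accepted', PHP_EOL;
echo 'rotated ok: ', redeemToken($store, $visit['cookie'], $now + 180) === null ? 'no' : 'yes', PHP_EOL;
```

In a real application the returned value would be sent with setcookie() using the secure and httponly flags, and the cookie never carries the username or password.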
Chapter VIII – Shared Hosting
It’s best to avoid PHP shared hosting. The book was written in 2005 when PHP had a lot more security issues. Most good hostings have virtual machines or have open_basedir and safe_mode enabled with lots of stuff disabled. Safe mode will be removed in PHP 6 but it has a really nice feature like allowing executables to be run from a certain directory.
Not too interesting. Configuration directives. Disable allow_url_fopen, use disable_functions, turn display_errors off, disable enable_dl, set error_reporting to E_ALL | E_STRICT, log errors, turn off magic_quotes_gpc, set the memory limit to 8 MB if you can, use open_basedir, turn off register_globals, use safe mode.
Avoid eval, avoid functions that allow executing commands on the server, use includes carefully, and be careful when using the preg_replace /e modifier.
A nice idea: use a salt when generating password hashes to make rainbow tables ineffective.
All in all it’s a very good book to get started. Maybe not as detailed as Stefan Esser’s recent findings, but if only every site on the web would do the things described in the various book chapters… Projects like the Google Hacking Database show how secure the web really is. And for the last words: it’s not PHP that is not secure. An enormous amount of effort was put into making PHP more secure. Just to give you an idea, listen to “The state of PHP security” or read about what Stefan Esser is doing. Yes, there still are security bugs in PHP. But honestly, like Steve Ballmer would say, it’s all about: Developers, developers, developers. PHP deserves a better name.