Top 10 2007-Malicious File Execution - Revision history

Neil Smithline: Loosened mention of Windows OS as being needed for PHP file-sharing remote execution

2014-04-10T20:28:42Z

Loosened mention of Windows OS as being needed for PHP file-sharing remote execution

2010-04-19T02:42:23Z

2009-03-22T12:00:33Z

‎References

2009-03-22T11:58:44Z

‎Protection

2009-03-22T11:56:42Z

‎Protection

2008-12-07T17:34:02Z

‎References

2008-09-20T23:57:54Z

2008-09-20T23:55:48Z

‎References

2008-09-20T23:55:30Z

‎References

2008-09-20T23:54:08Z

‎References

@@ Line 7: / Line 7: @@
 *Remote code execution
 *Remote root kit installation and complete system compromise
-*On Windows, internal system compromise may be possible through the use of PHP’s SMB file wrappers
+*Internal system compromise may be possible through the use of PHP’s SMB file wrappers
 This attack is particularly prevalent on PHP, and extreme care must be taken with any stream or file function to ensure that user supplied input does not influence file names.
@@ Line 22: / Line 22: @@
   <code>include $_REQUEST['filename’];</code>
-Not only does this allow evaluation of remote hostile scripts, it can be used to access local file servers (if PHP is hosted upon Windows) due to SMB support in PHP’s file system wrappers.
+Not only does this allow evaluation of remote hostile scripts, it can be used to access local file servers due to file share support in PHP.
 Other methods of attack include:

← Older revision		Revision as of 02:42, 19 April 2010
Line 104:		Line 104:

	{{Top_10_2007:BottomTemplate\|usenext=NextLink\|next=-Insecure Direct Object Reference\|useprev=PrevLink\|prev=-Injection Flaws\|usemain=MainLink\|main=}}		{{Top_10_2007:BottomTemplate\|usenext=NextLink\|next=-Insecure Direct Object Reference\|useprev=PrevLink\|prev=-Injection Flaws\|usemain=MainLink\|main=}}
		+
		+	[[Category:OWASP Top Ten Project]]

@@ Line 93: / Line 93: @@
 *CWE: CWE-98 (PHP File Inclusion), CWE-78 (OS Command Injection), CWE-95 (Eval injection), CWE-434 (Unrestricted file upload)
 *WASC Threat Classification:
-[http://www.webappsec.org/projects/threat/classes/os_commanding.shtml http://www.webappsec.org/projects/threat/classes/os_commanding.shtml] http://www.webappsec.org/projects/threat/classes/os_commanding.shtml
+http://www.webappsec.org/projects/threat/classes/os_commanding.shtml
 *OWASP Development Guide, [[File_System#Includes_and_Remote_files|Includes and Remote Files]]
 *OWASP Testing Guide, [[Testing for Path Traversal  (OWASP-AZ-001)|Testing for Path Traversal]]

@@ Line 72: / Line 72: @@
 *'''Strongly validate user''' input using "accept known good" as a strategy
 *'''Add firewall''' rules to prevent web servers making new connections to external web sites and internal systems. For high value systems, isolate the web server in its own VLAN or private subnet
-*'''Check any user supplied files or filenames''' taken from the user for legitimate purposes, which cannot obviate other controls. Otherwise be obviated, tainting could include user supplied data in the session object, avatars and images, PDF reports, temporary files, and so on
+*'''Check any user supplied files or filenames''' taken from the user for legitimate purposes, which cannot obviate other controls. Otherwise be obviated, tainting could include user supplied data in the session object, avatars and images, PDF reports, temporary files, and so on [[category:FIXME| What is meant by "otherwise be obviated"? I think there's a problem here]]
 *'''Consider implementing a chroot jail '''or other sand box mechanisms such as virtualization to isolate applications from each other
 *'''PHP:''' '''Disable allow_url_fopen and allow_url_include''' in php.ini and consider building PHP locally to not include this functionality. Very few applications need this functionality and thus these settings should be enabled on a per application basis

@@ Line 60: / Line 60: @@
      &lt;option value=”78463a384a5aa4fad5fa73e2f506ecfc”&gt;English&lt;/option&gt;</code>
-Consider using salts to prevent brute forcing of the indirect object reference. Alternatively, just use index values such as 1, 2, 3, and ensure that the array bounds are checked to detect parameter tampering.3.
+Consider using salts to prevent brute forcing of the indirect object reference. Alternatively, just use index values such as 1, 2, 3, and ensure that the array bounds are checked to detect parameter tampering.
 *'''Use explicit taint checking mechanisms''', if your language supports it. Otherwise, consider a variable naming scheme to assist with taint checking:

@@ Line 95: / Line 95: @@
 [http://www.webappsec.org/projects/threat/classes/os_commanding.shtml http://www.webappsec.org/projects/threat/classes/os_commanding.shtml] http://www.webappsec.org/projects/threat/classes/os_commanding.shtml
 *OWASP Development Guide, [[File_System#Includes_and_Remote_files|Includes and Remote Files]]
-*OWASP Testing Guide, [[Testing for Path Traversal]]
+*OWASP Testing Guide, [[Testing for Path Traversal  (OWASP-AZ-001)|Testing for Path Traversal]]
 *OWASP PHP Top 5, [[PHP_Top_5#P1:_Remote_Code_Execution|Remote Code Execution]]
 *Stefan Esser,

@@ Line 100: / Line 100: @@
 [http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html]
 *[SIF01] SIFT,Sift Networks, Web Services: Teaching an old dog new tricks, [http://www.ruxcon.org.au/files/2006/web_services_security.ppt http://www.ruxcon.org.au/files/2006/web_services_security.ppt]
-*[[Java_Table_of_Contents#Defining_a_Java_Security_Policy|Defining a Java Security Policy]]
+*[[OWASP_Java_Table_of_Contents#Defining_a_Java_Security_Policy|Defining a Java Security Policy]]
 *Microsoft - Programming for Partial Trust, [http://msdn2.microsoft.com/en-us/library/ms364059(VS.80).aspx http://msdn2.microsoft.com/en-us/library/ms364059(VS.80).aspx]
 {{Top_10_2007:BottomTemplate|usenext=NextLink|next=-Insecure Direct Object Reference|useprev=PrevLink|prev=-Injection Flaws|usemain=MainLink|main=}}