What Security Issues Should I Look Out for in PHP

What Security Issues I should have in PHP Hosting

Here are some of the things:

  • Disable functions like eval, passthru, shell_exec,etc
  • Remote url injection, disable allow_url_fopen
  • Disable register_globals

And don't forget:

  • You are responsible too. Write secure code, read security tutorials out there.

PHP Security Guide

Finally as suggested by Rook, you should run:

PHPSecInfo script to see security settings of your host.

http://phpsec.org/projects/phpsecinfo/

For webhosts and Development Teams

In development environments make sure you have appropriate coding standards. If you feel you are hosting insecure code which you did not write, consider installing a Web Application Firewall. Also consider steps to prevent bruteforce attacks (for example if you are hosting popular CMS tools), an Intrusion Prevention System like Fail2Ban can help you do this. A lot of these issues are covered in this talk Practical Web Security – Junade Ali, the video of the talk is here.

For PHP you can also consider using Suhosin which adds a number of security features to the PHP core. Be careful installing it first and test your sites afterwards to ensure it doesn't break anything.

What security problems could come from exposing phpinfo() to end users?

Knowing the structure of your filesystem might allow hackers to execute directory traversal attacks if your site is vulnerable to them.

I think exposing phpinfo() on its own isn't necessarily a risk, but in combination with another vulnerability could lead to your site becoming compromised.

Obviously, the less specific info hackers have about your system, the better. Disabling phpinfo() won't make your site secure, but will make it slightly more difficult for them.

How to find any potential security issues in PHP and MySQL

Straight off the bat it looks like there is a SQL injection issue going on here. POST requests are being put straight into an SQL query which allows someone with a specially crafted POST request to execute any query pretty much on the server...

It might be worth looking at this...

How can I prevent SQL injection in PHP?

Hope that helps

Security threats with uploads

First of all, realize that uploading a file means that the user is giving you a lot of data in various formats, and that the user has full control over that data. That's even a concern for a normal form text field, file uploads are the same and a lot more. The first rule is: Don't trust any of it.

What you get from the user with a file upload:

  • the file data
  • a file name
  • a MIME type

These are the three main components of the file upload, and none of it is trustable.

  1. Do not trust the MIME type in $_FILES['file']['type']. It's an entirely arbitrary, user supplied value.

  2. Don't use the file name for anything important. It's an entirely arbitrary, user supplied value. You cannot trust the file extension or the name in general. Do not save the file to the server's hard disk using something like 'dir/' . $_FILES['file']['name']. If the name is '../../../passwd', you're overwriting files in other directories. Always generate a random name yourself to save the file as. If you want you can store the original file name in a database as meta data.

  3. Never let anybody or anything access the file arbitrarily. For example, if an attacker uploads a malicious.php file to your server and you're storing it in the webroot directory of your site, a user can simply go to example.com/uploads/malicious.php to execute that file and run arbitrary PHP code on your server.

    • Never store arbitrary uploaded files anywhere publicly, always store them somewhere where only your application has access to them.

    • Only allow specific processes access to the files. If it's supposed to be an image file, only allow a script that reads images and resizes them to access the file directly. If this script has problems reading the file, it's probably not an image file, flag it and/or discard it. The same goes for other file types. If the file is supposed to be downloadable by other users, create a script that serves the file up for download and does nothing else with it.

    • If you don't know what file type you're dealing with, detect the MIME type of the file yourself and/or try to let a specific process open the file (e.g. let an image resize process try to resize the supposed image). Be careful here as well, if there's a vulnerability in that process, a maliciously crafted file may exploit it which may lead to security breaches (the most common example of such attacks is Adobe's PDF Reader).

To address your specific questions:

[T]o check even the size of these images I have to store them in my /tmp folder. Isn't it risky?

No. Just storing data in a file in a temp folder is not risky if you're not doing anything with that data. Data is just data, regardless of its contents. It's only risky if you're trying to execute the data or if a program is parsing the data which can be tricked into doing unexpected things by malicious data if the program contains parsing flaws.

Of course, having any sort of malicious data sitting around on the disk is more risky than having no malicious data anywhere. You never know who'll come along and do something with it. So you should validate any uploaded data and discard it as soon as possible if it doesn't pass validation.

What if a prankster gives me a url and I end up downloading an entire website full of malware?

It's up to you what exactly you download. One URL will result at most in one blob of data. If you are parsing that data and are downloading the content of more URLs based on that initial blob that's your problem. Don't do it. But even if you did, well, then you'd have a temp directory full of stuff. Again, this is not dangerous if you're not doing anything dangerous with that stuff.

PHP Security information?

Check this page : PHP Security Guide. Most attacks are documented. If after implementing these security checks, you're still hacked, there are high chances that the problem doesn't come from your PHP application.

By the way, as @Jacco stated, there is some wrong stuff on the article I linked to.

  1. Use prepared statements instead of mysql_real_escape_string(), but you already did that.
  2. About salting, follow this answer instead : https://stackoverflow.com/a/401684/851498
  3. Finally, checking ['type'] (for file upload) is unsafe since a malicious user can change this value. Instead, see the suggested solution of this link : http://www.acunetix.com/websitesecurity/upload-forms-threat.htm

Related Topics

Inkscape Inside PHP/Apache Doesn't Render Fonts to Png

Using PHP to Execute Multiple MySQL Queries

How to Get All Combinations from Multiple Arrays

Implicit Class Variable Declaration in PHP

PHP Variable Inside Echo 'HTML Code'

Now() Function in PHP

Why Doesn't This Code Simply Print Letters a to Z

Authenticating in PHP Using Ldap Through Active Directory

How to Define an Empty Object in PHP

Type-Juggling and (Strict) Greater/Lesser-Than Comparisons in PHP

Multi-Line Strings in PHP

Using Usort in PHP with a Class Private Function

Phpexcel Auto Size Column Width

Asynchronous Function Call in PHP

PHP Curl Http Put

Using the PHP Http_Accept_Language Server Variable

How to Prevent Multiple Logins in PHP Website

Android JSON Httpclient to Send Data to PHP Server with Httpresponse


Leave a reply



Submit