Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.
Old 08-23-2006, 07:27 AM   #1
ScannerX
Registered User
 
Join Date: Feb 2006
Posts: 73
Tip of the Day - PHP Security

For all of us here coding in PHP, I put together a couple of configuration tips to provide an extra layer of security. Now while all of your own applications are of course bug free and will never get exploited, you just may have to use some third party code once in a while.

php.ini choices:
The following options should be no-brainers and are the default choices for current php installs:

magic_quotes_gpc = On
register_globals = Off

The first option will automagically escape all quotes, taking care of essentially 90% of your SQL injection worries. The second part will prevent creative users from adding their own variables without you explicitly requesting them. You probably want to get rid of any php application that breaks after you turn off register_globals.

For some extra credit, you can play with 'safe_mode'. But read the instructions carefully. safe_mode is something you best enable before starting to code, as it can be tricky to enable it for an existing application.

/tmp partition:
Most php exploits need a bit of space to pull down additional code. Now we don't allow our web server to write files just anywhere. But if you are an exploit, you've always got /tmp to use as your "scrap space". Probably the most effective defense against php exploits is to make /tmp its own partition and make it non-executable. Don't forget to make /usr/tmp and /var/tmp a symlink to /tmp. Any other directory that has to be writable by Apache should be placed on this partition. You don't have to repartition your system. Just use a loopback file.

Honeytokens:
The two tips above should protect you from most of the automated code that's running around the net these days with not too much effort on your side. After all, you need to get back to coding quickly. So how do you keep the more pesky little kids away from exploring the underbelly of your applications? Now this is where a little bit of IDS and automated response can go a long way. First of all, let's talk dirty for a bit: robots.txt. As the name implies, robots.txt is for 'bots. But then again, some web developers associate magic powers with it and expect it to cloak all files listed in it from all bad influences. Now yes, this may be true. But did you use the key stroke associated with "magic spell" as you edited the file in vi? If not: your files are still all visible and robots.txt can provide a roadmap to an attacker. Consider this robots.txt file pulled from some random website:

User-agent: *
Disallow: /adminpage.php

Now where would you go today attacking this website?

Simple lesson: Add a good-looking file like this to your robots.txt file, with a little twist: "adminpage.php" should not unlock all your secrets. Instead, have it send you a quick e-mail and maybe have the IP added to a shun-list if this page is hit.
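One way to wire up the decoy described above, as an added example that is not code from the thread: adminpage.php records the hit, mails you, and appends the address to a shun list that a separate firewall job can act on. The alert address, file paths and the one-IP-per-line shun-list format are assumptions.

```php
<?php
// adminpage.php: the decoy listed in robots.txt. Added example, not from the thread.
// Alert address, file paths and the one-IP-per-line shun-list format are assumptions.
$alert_to  = 'admin@example.com';             // assumption
$log_file  = '/var/log/honeytoken.log';       // assumption: writable by the web server
$shun_file = '/var/lib/honeytoken/shun.txt';  // assumption: polled by a firewall job

// Strip control characters and cap length so a crafted header cannot forge
// log lines or smuggle extra mail headers.
function ht_clean($s) {
    return substr(preg_replace('/[\x00-\x1F\x7F]/', '', (string) $s), 0, 200);
}

$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
// Only a well-formed address goes on the shun list; anything else is logged as invalid.
if (!filter_var($ip, FILTER_VALIDATE_IP)) {
    $ip = 'invalid';
}
$ua  = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

$line = sprintf("%s ip=%s uri=%s ua=%s\n", date('c'), $ip, ht_clean($uri), ht_clean($ua));
file_put_contents($log_file, $line, FILE_APPEND | LOCK_EX);

if ($ip !== 'invalid') {
    // Append each address once; the firewall job does the actual blocking.
    $listed = file_exists($shun_file) ? (array) file($shun_file, FILE_IGNORE_NEW_LINES) : array();
    if (!in_array($ip, $listed, true)) {
        file_put_contents($shun_file, $ip . "\n", FILE_APPEND | LOCK_EX);
    }
}

// Static subject and sanitised body: no client data reaches the mail headers.
mail($alert_to, 'Honeytoken hit: adminpage.php', $line);

// Answer like an ordinary protected page so the visitor learns nothing from the response.
header('HTTP/1.0 403 Forbidden');
echo '<html><body><h1>403 Forbidden</h1></body></html>';
```

Keep the log and shun files outside the document root, and have the firewall job whitelist your own addresses before it blocks anything from the list.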
Old 08-23-2006, 07:51 AM   #2
CIVMatt
Amateur Pimpin
Join Date: Aug 2004
Location: Orlando, FL
Posts: 13,075
fantastic thread, very interesting, thank you for taking the time
Old 08-23-2006, 08:25 AM   #3
calmlikeabomb
Confirmed User
Join Date: May 2004
Location: SW Palm Bay, Florida
Posts: 1,323
Nice tips! I especially like the register globals off suggestion. There are a lot of people out there running scripts that *require* it to be turned on.
Old 08-23-2006, 11:03 AM   #4
calmlikeabomb
Confirmed User
Join Date: May 2004
Location: SW Palm Bay, Florida
Posts: 1,323
Quote:
Originally Posted by ScannerX
magic_quotes_gpc = On, this will automagically escape all quotes, taking essentially care of 90% of your SQL injection worries.
However, you shouldn't ever assume it's gonna be enabled on every machine. I'll share two functions that I use to escape quotes in data:

PHP Code:
<?php
// Undo the escaping magic_quotes_gpc adds, but only when it is actually on;
// with it off the input is raw and stripping would eat legitimate backslashes.
// (The original test was inverted; corrected here.)
if (!function_exists('my_stripslashes')) {
    function my_stripslashes($str) {
        if (get_magic_quotes_gpc()) {
            return stripslashes($str);
        } else {
            return $str;
        }
    }
}
// Escape quotes at runtime only when magic quotes has not already done so,
// so the data is escaped exactly once whatever the server's php.ini says.
if (!function_exists('my_addslashes')) {
    function my_addslashes($str) {
        if (!get_magic_quotes_gpc()) {
            return addslashes($str);
        } else {
            return $str;
        }
    }
}
Old 08-23-2006, 11:24 AM   #5
k0nr4d
Confirmed User
Join Date: Aug 2006
Location: Poland
Posts: 9,229
Can't you do like
php_flag magic_quotes_gpc on
in htaccess?

Quote:
Originally Posted by calmlikeabomb
However, you shouldn't ever assume it's gonna be enabled on every machine. I'll share two functions that I use to escape quotes in data:

PHP Code:
<?php
// Undo the escaping magic_quotes_gpc adds, but only when it is actually on;
// with it off the input is raw and stripping would eat legitimate backslashes.
// (The original test was inverted; corrected here.)
if (!function_exists('my_stripslashes')) {
    function my_stripslashes($str) {
        if (get_magic_quotes_gpc()) {
            return stripslashes($str);
        } else {
            return $str;
        }
    }
}
// Escape quotes at runtime only when magic quotes has not already done so,
// so the data is escaped exactly once whatever the server's php.ini says.
if (!function_exists('my_addslashes')) {
    function my_addslashes($str) {
        if (!get_magic_quotes_gpc()) {
            return addslashes($str);
        } else {
            return $str;
        }
    }
}
Old 08-23-2006, 11:55 AM   #6
woj
<&(©¿©)&>
Join Date: Jul 2002
Location: Chicago
Posts: 47,882
good tips
Old 08-23-2006, 12:24 PM   #7
The Sultan Of Smut
Confirmed User
Join Date: Dec 2004
Location: Vancouver
Posts: 4,325
It's refreshing to see a good thread here from time to time!
Old 08-23-2006, 12:31 PM   #8
TurboAngel
H.B.I.C.
Join Date: Jun 2003
Location: NC
Posts: 30,122
Quote:
Originally Posted by The Sultan Of Smut
It's refreshing to see a good thread here from time to time!

It is.
Old 08-23-2006, 12:32 PM   #9
calmlikeabomb
Confirmed User
Join Date: May 2004
Location: SW Palm Bay, Florida
Posts: 1,323
Quote:
Originally Posted by k0nr4d
Can't you do like
php_flag magic_quotes_gpc on
in htaccess?
http://us3.php.net/magic_quotes
Quote:
Originally Posted by Php.net
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
Here's another interesting comment from that page:
Quote:
Originally Posted by judas dot iscariote at gmail dot com

Just for the record: this feature has been removed as of PHP 6.
Now PHP always works as if magic_quotes_gpc were Off.

get_magic_quotes_gpc and get_magic_quotes_runtime are kept but always return false; set_magic_quotes_runtime raises an E_CORE_ERROR.

This is great news; magic_quotes were a big annoyance.
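Following the php.net advice quoted above (code with magic quotes off and escape at runtime), an added example that is not code from the thread: undo magic quotes if the host happens to have them on, then let prepared statements do the escaping instead of the my_addslashes wrapper. The DSN, credentials and table layout are assumptions.

```php
<?php
// Added example, not from the thread. DSN, credentials and the users table are assumptions.

// Recursively remove the backslashes magic_quotes_gpc added, so the application
// always sees raw input regardless of the server's php.ini.
function undo_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value); // keys are preserved
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Escape only at the point of use: a bound parameter is sent separately from the
// SQL text, so input containing quotes or SQL keywords is compared literally.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8', 'user', 'password'); // assumption
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

$login = isset($_POST['login']) ? $_POST['login'] : '';
$stmt  = $pdo->prepare('SELECT id, login FROM users WHERE login = :login');
$stmt->execute(array(':login' => $login));
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Output escaping is a separate, context-specific step; SQL escaping does not cover HTML.
echo $user ? htmlspecialchars($user['login'], ENT_QUOTES, 'UTF-8') : 'no such user';
```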
Old 08-23-2006, 12:35 PM   #10
Magix
Confirmed User
Join Date: Jun 2006
Location: ICQ: 263238646
Posts: 2,616
thanks for nice thread ...
Old 08-23-2006, 03:50 PM   #11
ScannerX
Registered User
 
Join Date: Feb 2006
Posts: 73
Anyone played with SNORT rules in mod_security?