Saturday, 14 February 2009

Introduction to PHP security

Introduction
PHP has a reputation for web-site security problems. This report investigates whether that reputation is justified.
It also looks at other security issues that affect web sites.
Most security problems associated with PHP are caused by badly written code and badly managed servers, rather than by the language itself.
This is what Jordan Dimov says in his article entitled On the Security of PHP, which can be found at http://www.developer.com/lang/article.php/918141:
“PHP has achieved a stable and solid presence on the Web in the last several years, and its popularity as a server-side scripting language is only increasing. Its primary use is for providing dynamically generated interfaces between Web users and the host. As such, PHP scripts fall a natural prey to many Internet attacks. Despite the fact that the language is designed with security in mind, a familiarity with its more dangerous aspects and conformance to common secure programming guidelines is essential to minimizing the possibility of security compromises. The aim of this document is to provide an overview of various security issues with PHP and to offer advice on secure PHP programming practices.”
The most common programming mistakes are the following, adapted from PHP and the OWASP Top Ten Security Vulnerabilities, which can be found at http://www.sklar.com/page/article/owasp-top-ten.
Putting private information such as database passwords in the public area of the site. This is a bad idea: if an attacker can read the file (through a misconfigured server, a backup copy left beside the script, or a bug that reveals source) they have your credentials and can take over the database and, through it, the site. Such information should be kept in a directory above the document root, which the web server never serves to outside users.
The code below is dangerous for two reasons: the credentials sit in a script inside the public directory, and the account used is root with an empty password. Move the credentials into an includes directory at a higher level than the public-access directory, so they cannot be requested, and connect with a database account that has only the privileges the site needs.
<?php
// list_dbs.php - mysqli version (credentials hard-coded in a public script: do not do this)
$host_name = "localhost";
$user_name = "root";
$user_password = "";
?>
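The same connection done the safe way, as an added example that is not part of the original post: the credentials live in a file above the document root, the script loads them with an absolute path, and it refuses to run if that file turns out to be somewhere the web server could serve. The directory layout, the file name db_config.php and the database user webapp are assumptions.

```php
<?php
// Added example (not from the original post): keep credentials outside the
// public document root and load them with an absolute path.
//
// Assumed layout (hypothetical):
//   /var/www/example/includes/db_config.php   <- never served by the web server
//   /var/www/example/public/list_dbs.php      <- document root is /var/www/example/public
//
// includes/db_config.php contains only:
//   <?php
//   return ['host' => 'localhost', 'user' => 'webapp', 'password' => 'change-me'];

$configPath = __DIR__ . '/../includes/db_config.php';

$realConfig = realpath($configPath);
if ($realConfig === false) {
    http_response_code(500);
    error_log('db_config.php missing at ' . $configPath);   // detail goes to the log, not the browser
    exit('Configuration error');
}

// Belt and braces: refuse to run if the config file sits inside the document root,
// because then a misconfiguration could hand its contents to anyone who asks for it.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false && strpos($realConfig, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    error_log('Refusing to load db_config.php from inside the document root: ' . $realConfig);
    exit('Configuration error');
}

$db = require $realConfig;   // the file's `return [...]` becomes $db

// A dedicated, least-privilege account (assumed name "webapp"), never root.
$mysqli = new mysqli($db['host'], $db['user'], $db['password']);
if ($mysqli->connect_error) {
    error_log('DB connect failed: ' . $mysqli->connect_error);
    exit('Database unavailable');
}
// ... use $mysqli ...
```

If the hosting account does not let you put files above the document root, the fallback is to deny the includes directory to the web server (an Apache `Require all denied` in a `<Directory>` block, or the equivalent `.htaccess`) and check that a request for the file really returns 403, not its contents.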


Trusting user input, i.e. designing forms whose fields are used without validation or escaping. This is a bad idea because an attacker can put code in a form field: script in a field that is echoed back into the page (cross-site scripting), or SQL in a field that is concatenated into a query (SQL injection), which can expose or destroy the database.
The code below takes the fields from a form and prints them on the screen. It does no validation and escapes nothing. On its own, that lets anyone submit script tags that run in the browser of whoever views the output; and if the same values are passed on to another script that builds a SQL query from them, a comment field containing SQL could take down your site.
<?php
// Form handler with no validation and no escaping (deliberately insecure, as described above)
$name = $_POST['name'];
$email = $_POST['email'];
$comm = $_POST['comm'];
$links = $_POST['links'];
$sugg = $_POST['sugg'];
$date2 = $_POST['date'];
echo "thank you for using this form this is what you submitted";
echo "\n";
echo "\n";
echo "name = ".$name;
echo "\n";
echo "email = ".$email;
echo "\n";
echo "comm = ".$comm;
echo "\n";
echo "links = ".$links;
echo "\n";
echo "Suggestions = ".$sugg;
echo "\n";
echo "date = ".$date2;
echo "\n";
?>
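The same handler hardened, as an added example that is not part of the original post: every field is validated and bounded on the way in, escaped with htmlspecialchars() at the point where it meets HTML, and stored with a prepared statement so that SQL in a comment field is treated as data. The table name feedback, its columns and the $mysqli connection are assumptions.

```php
<?php
// Added example (not from the original post): the form handler with
// validation, output escaping and a prepared statement. The `feedback`
// table, its columns and the mysqli connection ($mysqli) are assumptions.

function clean_text(string $value, int $maxLen): string
{
    // Trim, strip control characters (they have no business in a comment) and bound the length.
    $value = trim($value);
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    return mb_substr($value, 0, $maxLen);
}

function validate_feedback(array $post): array
{
    $errors = [];
    $name  = clean_text($post['name']  ?? '', 100);
    $email = clean_text($post['email'] ?? '', 254);
    $comm  = clean_text($post['comm']  ?? '', 2000);
    $links = clean_text($post['links'] ?? '', 500);
    $sugg  = clean_text($post['sugg']  ?? '', 2000);
    $date  = clean_text($post['date']  ?? '', 10);

    if ($name === '') {
        $errors[] = 'name is required';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    // Accept only an ISO date that really exists: createFromFormat() would
    // silently roll 2009-02-31 into March, so the round trip must match exactly.
    $d = DateTime::createFromFormat('Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) {
        $errors[] = 'date must be YYYY-MM-DD';
    }
    return [$errors, compact('name', 'email', 'comm', 'links', 'sugg', 'date')];
}

// Escape on OUTPUT, at the point where data meets HTML. This is what stops
// <script>...</script> in a field from running in a visitor's browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store with a prepared statement: the values travel separately from the SQL
// text, so a comment such as  '); DROP TABLE feedback; --  is just a string.
function store_feedback(mysqli $db, array $f): bool
{
    $stmt = $db->prepare(
        'INSERT INTO feedback (name, email, comm, links, sugg, submitted) VALUES (?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssssss', $f['name'], $f['email'], $f['comm'], $f['links'], $f['sugg'], $f['date']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

[$errors, $f] = validate_feedback($_POST);
if ($errors) {
    http_response_code(400);
    echo '<ul>';
    foreach ($errors as $e) {
        echo '<li>' . h($e) . '</li>';
    }
    echo '</ul>';
    exit;
}

// $mysqli is assumed to come from a config file outside the web root:
// if (!store_feedback($mysqli, $f)) { http_response_code(500); exit('Could not save'); }

echo '<p>Thank you for using this form. This is what you submitted:</p>';
foreach ($f as $field => $value) {
    echo '<p>' . h($field) . ' = ' . h($value) . '</p>';
}
```

The two defences are independent and both are needed: escaping protects the page that displays the data, the prepared statement protects the database that stores it, and validation limits what either has to cope with.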


Not putting error handling in your code. In itself that may not seem a security problem, but unhandled errors can print file paths, SQL and stack traces into the page (useful reconnaissance for an attacker) and can take down your server, which could cost a company a small fortune in lost income.

An example of error handling can be found below: raising a trigger when bad data is met. This piece of code is from the article entitled PHP Error Handling by George Schlossnagle, which can be found at http://www.informit.com/articles/article.asp?p=170279&rl=1. The file handle $fp and the function parse_line() come from the surrounding article; the opening line and closing brace are supplied here so the fragment is complete.
<?php
$fp = fopen($filename, 'r');   // $filename: the data file being parsed (opened before the loop in the article)
while(!feof($fp)) {
    $line = fgets($fp);
    if(!parse_line($line)) {
        trigger_error("Incomprehensible data encountered", E_USER_NOTICE);
    }
}
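What trigger_error() does with that notice depends on the error handler, and the default one (with display_errors on) prints the message and the script's path into the page. The following is an added example, not from the original post or from Schlossnagle's article: a handler that logs the detail with a reference number and shows the visitor only a generic message, wrapped around the same parsing loop. The log path, data path and record format are assumptions.

```php
<?php
// Added example (not from the original post or the cited article): an error
// handler that logs detail and shows the visitor a generic page.
// The log path, the data file path and the record format are assumptions.

ini_set('display_errors', '0');                 // never print notices/warnings into the HTML
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path, outside the document root
error_reporting(E_ALL);                          // but report everything to the log

function app_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    if (!(error_reporting() & $errno)) {
        return false;   // suppressed with @: fall through to PHP's own handling
    }
    $ref = bin2hex(random_bytes(4));             // reference the user can quote to support
    error_log(sprintf('[%s] %d %s in %s:%d', $ref, $errno, $errstr, $errfile, $errline));

    $recoverable = [E_NOTICE, E_USER_NOTICE, E_WARNING, E_USER_WARNING, E_DEPRECATED, E_USER_DEPRECATED];
    if (in_array($errno, $recoverable, true)) {
        return true;    // logged; let the script carry on
    }
    http_response_code(500);
    echo 'Sorry, something went wrong. Reference: ' . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
    exit;
}
set_error_handler('app_error_handler');

// Uncaught exceptions get the same treatment: no message, file or trace reaches the browser.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Sorry, something went wrong. Reference: ' . $ref;
});

// The parsing loop from above, now behind the handler: a bad line is logged
// with a reference and the loop continues; a missing file becomes a clean 500
// instead of a warning that prints the server path into the page.
function parse_line(string $line): bool
{
    return preg_match('/^\d+,[^,]+$/', rtrim($line)) === 1;   // assumed record format: "id,value"
}

$fp = @fopen('/var/data/records.csv', 'r');   // assumed path
if ($fp === false) {
    trigger_error('Data file is not readable', E_USER_ERROR);
}
while (!feof($fp)) {
    $line = fgets($fp);
    if ($line === false) {
        break;
    }
    if (!parse_line($line)) {
        trigger_error('Incomprehensible data encountered', E_USER_NOTICE);
    }
}
fclose($fp);
```

The reference number is the useful trick: the visitor sees nothing about the server, but support can find the full record in the log from the eight characters the visitor reports.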


Not applying patches to your server. Patches close known security holes; overlooking them can let an attacker bring the server down or take it over.

Not disabling register_globals, which lets request data overwrite the ordinary variables your access control relies on (the directive was removed from PHP entirely in version 5.4). This is what The PHP Security Guide by the PHP Security Consortium, which can be found at http://phpsec.org/projects/guide/, says:
“The register_globals directive is disabled by default in PHP versions 4.2.0 and greater. While it does not represent a security vulnerability, it is a security risk. Therefore, you should always develop and deploy applications with register_globals disabled. Why is it a security risk? Good examples are difficult to produce for everyone, because it often requires a unique situation to make the risk clear. However, the most common example is that found in the PHP manual:
<?php
if (authenticated_user())
{
    $authorized = true;
}
if ($authorized)
{
    include '/highly/sensitive/data.php';
}
?>


With register_globals enabled, this page can be requested with ?authorized=1 in the query string to bypass the intended access control. Of course, this particular vulnerability is the fault of the developer, not register_globals, but this indicates the increased risk posed by the directive. Without it, ordinary global variables (such as $authorized in the example) are not affected by data submitted by the client. A best practice is to initialize all variables and to develop with error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development.”
Not using passwords for secure areas of the website.
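The guide's advice applied, as an added example that is not part of the original post or of the PHP Security Guide: the directive is turned off in php.ini (`register_globals = Off`, or `php_flag register_globals off` in .htaccess under mod_php), the script fails closed if it is somehow still on, and the access check is rewritten so that nothing in the request can pre-seed $authorized. The session-based authenticated_user() is a placeholder assumption; the include path is the guide's own.

```php
<?php
// Added example (not from the original post or the PHP Security Guide): a
// bootstrap that refuses to run with register_globals on, and the guide's
// access check rewritten so it cannot be flipped from the query string.
// authenticated_user() is a placeholder (assumed); the include path is the guide's.

// register_globals was removed in PHP 5.4; on older builds, fail closed rather
// than trust that php.ini says what you think it says.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    error_log('register_globals is enabled; refusing to serve');
    exit('Server misconfiguration');
}
error_reporting(E_ALL);   // an uninitialised variable now produces a notice in the log

session_start();

function authenticated_user(): bool
{
    // Placeholder for the real check (assumed): a user id placed in the
    // session by the login handler, never anything taken from the request.
    return isset($_SESSION['user_id']);
}

// 1. Initialise before use, so no request-supplied value can pre-seed it.
$authorized = false;
if (authenticated_user()) {
    $authorized = true;
}

// 2. Read request data only from the superglobals, never from bare variables.
//    Even with register_globals on, ?authorized=1 now lands in $_GET and $authorized
//    stays whatever this script set it to.
if ($authorized === true) {
    include '/highly/sensitive/data.php';
} else {
    http_response_code(403);
    exit('Forbidden');
}
```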

PHP 4 has in recent years been found to have security problems in the core interpreter itself. This section looks at what those problems are and what can be done about them.
Symantec NetRecon 3.6 Security Update 30 (SU 30) detects and reports 193 updated vulnerabilities, most of them in PHP 4.
The PHP security issues are listed on the Symantec web site, which can be found at http://www.symantec.com/avcenter/security/Content/2006.11.17a.html
How to solve these problems:
  • Apply patches and make sure your server is up to date.
  • Upgrade to PHP 5, which has fewer problems (PHP 4 reached end of life in 2008 and no longer receives security fixes).
  • Use Hardened-PHP (the Suhosin patch and extension).
The statement below is from the Hardened-PHP web site, which can be found at http://www.hardened-php.net/
“Founded in 2004 by three Security Researchers from Germany, the Hardened-PHP Project has the goal to help you with securing your applications and Web Pages. We check well known applications for security holes and inform the vendors about them. If you're a software vendor or plan to deploy a PHP-powered web site, you will have to make sure that proper security measures have been taken to protect data integrity. We can help you by auditing your code and examining the underlying server structure for security problems”.
Security issues are not confined to PHP: most web sites will be attacked at some time in their life. This section talks about hackers and general web-site security.
The definition of the word hacker from the foldoc free computer online dictionary found at http://foldoc.org/?query=hacker
“(Originally, someone who makes furniture with an axe)
  1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
  3. A person capable of appreciating hack value.
  4. A person who is good at programming quickly.
  5. An expert at a particular program, or one who frequently does work using it or on it; as in "a Unix hacker". (Definitions 1 through 5 are correlated, and people who fit them congregate.)
  6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.
  7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
  8. (Deprecated) A malicious meddler who tries to discover sensitive information by poking around. Hence "password hacker", "network hacker". The correct term is cracker.
The term "hacker" also tends to connote membership in the global community defined by the net (see The Network and Internet address). It also implies that the person described is seen to subscribe to some version of the hacker ethic.
It is better to be described as a hacker by others than to describe oneself that way. Hackers consider themselves something of an elite (a meritocracy based on ability), though one to which new members are gladly welcome. Thus while it is gratifying to be called a hacker, false claimants to the title are quickly labelled as "bogus" or a "wannabee".
(University of Maryland, rare) A programmer who does not understand proper programming techniques and principles and doesn't have a Computer Science degree. Someone who just bangs on the keyboard until something happens. For example, "This program is nothing but spaghetti code. It must have been written by a hacker".
In this section we are really dealing with sense 8 of the definition above, where the word is misused. A hacker is properly someone who likes programming, or who builds, stretches or improves computer systems; many of the early computer pioneers can be called hackers, and hackers are the people who develop open-source software.
What we are really talking about here are crackers. Some crackers are also programmers, but the programs they write are destructive (viruses and the like), and they break the law by getting into systems they have no right to be in, for so-called fun, by getting around the security measures on those systems.
Crackers can destroy in a matter of minutes a system that took years to build.
As everyone knows, crackers are now commonly called hackers, because the media uses that term; for clarity we will use the word hacker in that sense in the rest of this document.
Sometimes hackers get into a system to damage it with viruses or other attacks; sometimes they steal information held on your computer, or deface web sites; sometimes both. Whatever the reason, they should not be there.
Having said this, there are ethical hackers who only test the security of systems and do no damage. Some are security experts you can hire to test your systems; others test systems without being hired, to make people aware of the security holes in them.
Hacking is a crime under the Computer Misuse Act 1990. The Data Protection Act 1998 covers the protection of personal data, so companies need to guard their systems against these people. Companies also need to know about the Data Protection Act if they keep records about people, as it sets out what you may do with the information and why you may store it.
If a company of any size collects information about people, and web sites do that a lot, in particular personal information such as credit-card numbers, addresses, names and telephone numbers, it must follow the data-protection principles:
  • You must say what the data is for and why you collect it, and stick to that.
  • You must register your data collection with the Information Commissioner; you must not give information about people to anyone else without permission; and you must keep the information safe, using passwords and similar controls.
  • You must show a person the information stored about them on request, and delete it if they tell you to.
(For the purpose of protecting your systems, keeping the data safe is the important point here. What you do with the data is covered by the rest of the Act, which is also very important to follow: data held about people is sensitive and should only be on your system if you have a valid reason for holding it.)
The Computer Misuse Act states that you must not:
  • Access computers you are not authorised to access.
  • Access computers you are not authorised to access in order to cause damage or commit other crimes with information obtained illegally.
  • Modify computers or data you do not have the right to access.
(This Act is really aimed at the hacker; it is important not to become one, because if you do you are breaking the law.)
Keeping these Acts in mind, the protection of data must be addressed, starting with the use of passwords.
You must change the system's passwords regularly (and immediately if you suspect one has been disclosed), and not use words that can be easily guessed, such as pet names or dictionary words, which an attacker can find quickly by trying likely words.
If you have an e-commerce site, provide security facilities in your web site, e.g. a user area which the user logs in to with a user name and password to change their own information, such as address and shipping details, plus encryption for transferring credit-card numbers (if you use the WorldPay option this is provided for you).
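A password-protected user area done properly, as an added example that is not part of the original post: passwords are stored only as password_hash() output, the login compares with password_verify() in a way that takes the same time whether or not the user exists, the session id is regenerated after login, and every page in the area starts with one check. The users table, its columns and the $mysqli connection are assumptions (get_result() needs the mysqlnd driver).

```php
<?php
// Added example (not from the original post): a password-protected user area.
// Passwords are stored as password_hash() output, never as plain text.
// The `users` table (id, username, password_hash) and the mysqli connection
// are assumptions; get_result() requires the mysqlnd driver.

session_start();

// A constant, syntactically valid bcrypt string used only so that a login
// attempt for an unknown user costs the same time as a real comparison (assumed value).
const DUMMY_HASH = '$2y$10$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx';

function register_user(mysqli $db, string $username, string $password): bool
{
    if (strlen($password) < 12) {   // length matters more than forced symbols; rejects "fluffy"
        return false;
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);   // per-user salt, slow hash
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

function login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // Same work and same answer whether or not the user exists, so the login
    // form does not tell an attacker which user names are valid.
    $hash = $row['password_hash'] ?? DUMMY_HASH;
    $ok = password_verify($password, $hash);
    if (!$row || !$ok) {
        return false;
    }

    session_regenerate_id(true);              // fresh session id after login: defeats session fixation
    $_SESSION['user_id'] = (int) $row['id'];

    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Transparently upgrade stored hashes when the default algorithm or cost changes.
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $new, $row['id']);
        $upd->execute();
    }
    return true;
}

// Put this at the top of every page in the user area.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return (int) $_SESSION['user_id'];
}
```

Because only the hash is stored, a copy of the users table does not give an attacker the passwords; they still have to guess each one against a deliberately slow function.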
Public-key encryption uses two electronic keys: a public key that locks the message, turning it into something unreadable to anyone who intercepts it, and a private key that unlocks it and turns it back into a readable form. The receiver publishes the public key beforehand and keeps the private key secret, so nothing secret has to be sent in advance. (Symmetric encryption uses a single shared key for both jobs, so that key itself has to reach the receiver over a channel the attacker cannot read; in practice, as in SSL/TLS, the shared key is exchanged using public-key cryptography.)
128-bit encryption refers to the length of the key. A longer key makes the encryption harder to break by trying every key, so 128 bits is good for a symmetric cipher such as AES (a 2048-bit key is the comparable size for RSA). Note that encryption does not stop a message being intercepted; it makes an intercepted message useless to the interceptor.
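The two kinds of encryption just described, as an added example that is not part of the original post, using PHP's OpenSSL extension: a message sealed with the receiver's public key and opened with the private key, then the same message under a 128-bit symmetric key. The keys are generated on the fly for the demonstration; the card number is the well-known Visa test value, constructed here, not real data.

```php
<?php
// Added example (not from the original post): public-key and symmetric
// encryption with PHP's OpenSSL extension. Keys are generated on the fly here;
// in practice the receiver's private key is generated once and never leaves the receiver.

// --- Asymmetric (public-key): anyone can lock with the public key, only the
// holder of the private key can unlock. Only the PUBLIC key is handed out beforehand.
$receiver  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$publicPem = openssl_pkey_get_details($receiver)['key'];   // this is what the receiver publishes

$cardNumber = '4111111111111111';   // constructed test value (the standard Visa test PAN)

openssl_public_encrypt($cardNumber, $sealed, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);
openssl_private_decrypt($sealed, $opened, $receiver, OPENSSL_PKCS1_OAEP_PADDING);
echo 'asymmetric round trip: ' . ($opened === $cardNumber ? 'ok' : 'FAILED') . "\n";

// --- Symmetric: one shared key does both jobs, so the key itself must reach
// the receiver over a channel the attacker cannot read.
$key = random_bytes(16);   // a 128-bit key: this is the "128-bit" in "128-bit encryption"
$iv  = random_bytes(openssl_cipher_iv_length('aes-128-gcm'));   // fresh per message, never reused with the same key

$ciphertext = openssl_encrypt($cardNumber, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
$plain      = openssl_decrypt($ciphertext, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
echo 'symmetric round trip:  ' . ($plain === $cardNumber ? 'ok' : 'FAILED') . "\n";

// GCM also authenticates: flip one bit of the ciphertext and decryption refuses
// rather than quietly returning a changed card number.
$tampered    = $ciphertext;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
$result      = openssl_decrypt($tampered, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
echo 'tampered ciphertext:   ' . ($result === false ? 'rejected' : 'ACCEPTED (bad)') . "\n";
```

The interceptor who captures $sealed or $ciphertext has the data, as the text above says; what they lack is the private key or the shared key, and without it the capture is worthless.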
You need to make backups of all your customer records and not let them fall into the wrong hands: do not give them to anyone unauthorised to have them, protect them with passwords (and ideally encrypt them), and make sure the host of your web site does backups as well.
You should also make use of firewalls and virus checkers.
A firewall is software or hardware that sits between a private network (or a single home computer) and the Internet and acts as a filter, stopping unwanted traffic from entering your system.
This is what Vicomsoft's knowledge base says about firewalls, found at http://www.vicomsoft.com/knowledge/reference/firewalls1.html
“A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The earliest firewalls were simply routers. The term firewall comes from the fact that by segmenting a network into different physical subnetworks, they limited the damage that could spread from one subnet to another just like fire doors or firewalls.
A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependant upon the protocol used.”
Computer viruses are small pieces of program code that attach themselves to other programs (or, historically, to the boot sector of a disk), replicate themselves as they spread around the system, and cause damage.
This is how the web site How Stuff Works describes them, found at http://www.howstuffworks.com/virus.htm
"Computer viruses tend to grab our attention. On the one hand, viruses show us how vulnerable we are. A properly engineered virus can have an amazing effect on the worldwide Internet. On the other hand, they show how sophisticated and interconnected human beings have become.
For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. (Times Online). Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. That's pretty impressive when you consider that the Melissa and ILOVEYOU viruses are incredibly simple. When you listen to the news, you hear about many different forms of electronic infection. The most common are:
Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might attach itself to a program such as a spreadsheet program. Each time the spreadsheet program runs, the virus runs, too, and it has the chance to reproduce (by attaching to other programs) or wreak havoc.
E-mail viruses - An e-mail virus moves around in e-mail messages, and usually replicates itself by automatically mailing itself to dozens of people in the victim's e-mail address book.
Worms - A worm is a small piece of software that uses computer networks and security holes to replicate itself. A copy of the worm scans the network for another machine that has a specific security hole. It copies itself to the new machine using the security hole, and then starts replicating from there, as well.
Trojan horses - A Trojan horse is simply a computer program. The program claims to do one thing (it may claim to be a game) but instead does damage when you run it (it may erase your hard disk). Trojan horses have no way to replicate automatically. “
The Computer Security Resource Center (CSRC) at NIST says this about computer viruses, found at http://csrc.nist.gov/virus/
“Viruses are the colds and flues of computer security: ubiquitous, at times impossible to avoid despite the best efforts and often very costly to an organization's productivity.
NIST recommends using a two-tiered approach for detecting and preventing viruses from spreading:
On personal computers, install and use anti-virus software capable of scanning disks, attachments to email, files downloaded from the web, and documents generated by word processing and spreadsheet programs. Use anti-virus software at Internet gateways or firewalls to scan email attachments and other downloaded files.
Anti-virus software should be installed when the personal computer is initially configured. The software should be updated weekly with new virus definitions, and your vendor may provide an automated update feature. Organizations may benefit from using several brands of anti-virus software. For an updated website of virus information, check out the Symantec virus database. The WildList site provides a list of viruses that are currently loose "in the wild," or active and infecting systems at the current moment. “
The system must be reliable: it must not fail, and the data held on it must be accurate, because it is people's personal information and must not contain mistakes.
You need to test the system to breaking point before handing it over to the client; that way you can rule out mistakes in it. You also have to build error checks into the system, and the data held in it must be kept up to date and checked.
Conclusion
  • Even though there are problems in the PHP core, these can be fixed by applying patches or upgrading to more stable versions.
  • You also have to be aware of the problems and design your PHP programs accordingly.
  • On the whole, the main problem with PHP is people writing bad code for web sites that can then be hacked. Being hacked is not usually a PHP problem: for most sites it is a programming problem, and a matter of not being aware of security issues.
  • People should educate themselves about security issues before they design web sites and maintain servers.
References
PHP and the OWASP Top Ten Security Vulnerabilities
[www] http://www.sklar.com/page/article/owasp-top-ten

Brain Bulb (2005) PHP Security Guide, PHP Security Consortium
[www] http://phpsec.org/projects/guide/

Dorothy E. Denning (1998) Information Warfare and Security, Addison-Wesley Publishing Co.
Dorothy E. Denning and Peter J. Denning (1997) Internet Besieged, Addison-Wesley Publishing Co.,.
Peter J. Denning (editor) (1990) Computers Under Attack, Addison-Wesley Publishing Co.,.
Computer misuse acts, Crown 1990
[www] http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_1.htm

Viruses, How stuff works [www] http://www.howstuffworks.com/virus.htm
The computer security resource center (CSRC)
[www] http://csrc.nist.gov/virus/

Stuart McClure, Joel Scambray, George Kurtz (2005) Hacking Exposed: Network Security Secrets and Solutions (Hacking Exposed), Osborne/McGraw-Hill,U.S. 2005
Bruce Schneier (2004) Secrets and Lies: Digital Security in a Networked World, Hungry Minds Inc,U.S
Kevin D. Mitnick, William L. Simon (2003) The Art of Deception: Controlling the Human Element of Security, Hungry Minds Inc,U.S. 2003
Kevin D. Mitnick, William L. Simon (2005) The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers, Hungry Minds Inc,U.S. 2005
foldoc free computer online dictionary
[www] http://foldoc.org/?query=hacker

firewalls, vicomsoft’s knowledge base
[www] http://www.vicomsoft.com/knowledge/reference/firewalls1.html

(GNRT) Guide to Network Resource Tools, TERENA (Trans-European Research and Education Networking Association) (University Computing Centre, University of Zagreb) 2003
[www] http://gnrt.terena.nl/

Jordan Dimov, On the Security of PHP
[www] http://www.developer.com/lang/article.php/918141

George Schlossnagle, PHP Error Handling
[www] http://www.informit.com/articles/article.asp?p=170279&rl=1

Hardened PHP
[www] http://www.hardened-php.net/
