Greenguy's Board


2005-10-12, 03:39 PM   #1
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Some PHP security tips for programmers & non-programmers

Recently, there have been a number of exploits targeting holes in commonly run software. Autolinks Pro was one such exploit, with a direct call to al_initialize.php.

Today, we found another script that has also been exploited -- a script that was downloaded off a site that provides some quick and easy functionality; however, it has a pretty serious URL injection issue.

There are a few things that can be done to prevent this pretty easily. If the software you installed has an include or inc directory, it is generally accepted that you wouldn't ever directly link those files. To avoid most web exploits, an .htaccess file in the include directory with

Code:
deny from all
will prevent web hits on those files without preventing those files from being included by scripts on that machine. If you are remotely including those files, this won't work and you need to have those files still accessible.

Another method that can be used within your php script is:

Code:
// Refuse to run if this include file was requested directly by a browser
// rather than included by another script.
if(strpos($_SERVER['PHP_SELF'], "filename.php") !== false) {
  exit;
}
where filename.php is the name of your include file. Since we're using strpos, you'll want to use somewhat unique filenames to avoid any false matches. For example, if your script blog.php includes /include/blog.php, it would match and thus error. This is probably not the desired behavior. You could name your include files, filename.inc.php or have some standard naming convention that you use.

I'm not a fan of using somefile.php.inc as a filename because even though you have prevented the server from parsing the file, a normally configured server will make that file viewable by a surfer, perhaps giving them other opportunities to exploit other code.

Even if it is code that is written by reputable firms, you still need to protect yourself.

Another possibility which might add some headaches is running mod_security, an apache module which attempts to filter requests that might be exploit attempts.

It isn't just php that is a problem here. Safe coding really needs to be used whenever you use any programming language.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
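An added example (not code from the original post) of a stricter version of the include-file check described above: it compares canonical file paths instead of doing a substring match, so blog.php including include/blog.inc.php no longer trips the guard. The file names and directory layout are assumed.

```php
<?php
// include/blog.inc.php (assumed name) -- guard placed at the very top of an
// include file. It exits when this file itself is the script the web server
// was asked to execute, and does nothing when the file is included by
// another script such as blog.php.

/**
 * True when $includedFile is the script the web server actually executed.
 * realpath() canonicalises symlinks and "../", so two different files with
 * the same basename (blog.php vs include/blog.inc.php) never compare equal,
 * which is the false match the strpos() approach can produce.
 */
function isRequestedDirectly(string $includedFile): bool
{
    if (empty($_SERVER['SCRIPT_FILENAME'])) {
        // No web request (e.g. run from the command line): nothing to deny.
        return false;
    }
    $entry = realpath($_SERVER['SCRIPT_FILENAME']);
    return $entry !== false && $entry === realpath($includedFile);
}

if (isRequestedDirectly(__FILE__)) {
    // Direct hit on the include file: refuse with a 403 and stop processing.
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// ... the include file's real code follows here ...
```

This is a second layer, not a replacement for the .htaccess rule: the web server denying the include directory outright means PHP never runs at all on a direct hit.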