PHP security

[sb85]

hiho

i run a site >> http://dfhq.net with another guy who's just written a php script "simple squad site".

this basically allows gaming squads that do not know any html or web design to have a website they can update and run withought knowing any programming at all.

it is kind of a simple php nuke type thing specifically for a gaming squad. you can check out an example here of some guys who have used it >> http://atinof.com/cadet/



ok basically the reason i'm here is because the guy making it is concerned about the security of the scripts and admin etc. obviously he's making them as secure as he knows how to but can anyone suggest how to make sure it is as solid as possible?

i don't know if you can secure it is just by visiting the site etc or would have to look through the code.

the script can be downloaded from here >> http://www.panthersden.net/index.php?op=scripts

if any one can suggest any tips etc i will be most greatfull

[NetherBen]

There are some easy way to strengthen the security of PHP. I see a few basic potential problem areas. The first is outside users forging sessions.

Granted it is not trivial to forge a PHP session, it is not impossible. You an protect from this by logging the IP to initially create each session and only the person with that IP to use the session key. This might annoy frequent users by forcing them to log in every time they want to edit their site, but will be worth it in the long run.

Next is file system level protection. You need to make sure that users using your script do not have direct file system access. Depending on how your code works this should be pretty simple. Do not use any user input in determing where files go and you should be safe. If you do choose to use user input ensure that it is sanity checked before using it in conjunction with the file system.

Do not specify user ids as form fields, the user for the program should be specified once when the PHP session is first created, don't allow user input that controls who is executing the program. Ie passing USER as a hidden form field.

Whenever you query from your database verify that queries all check that the user performing the query also owns the database record. It is a common error to have seperate IDs for each entry in the database and simply use that ID to update and select records without verifying that the owner of that row is the same as the person submitting the query. (Think update blah set stuff=stuff where id=1) instead of (update blah set stuff=stuff where id=1 and owner=userid)

Just some basic info, (please ignore the typo's.. hope I was helpfull)

Thanks,
Ben

[KissCool]

I'm not a php expert, but I know you should firstly activate the php safe mode, putting a "safe_mode = on" in your php.ini file. It will create some limitations in commands executed by scripts. But ways to override those limitations exists.
You should primarily read some tutorials concerning scripts injections, it is the main threat for you I think. After what you should check the security of your whole server (and not only of your scripts) with a tool like Nessus

[xmaddness]

NetherBen, You are correct when you say that by logging the ip you will have better and more secure sessions, although it has the possibility to cause headaches with people using AOL or other ISP's that are known to roll their ips during connections. Some ISPs like to switch your ip to a different proxy or gateway while your surfing. I used to use IP sessions, and eventually had to remove them because they were just causing to many invalid session error headaches with my users.

It is a judgement call for whether to use them or not. Just figured you would like to know the potential downside to doing sessions that way.

[adiz]

I know very little about PHP or the structure of it, but one thing came to mind immediately. After the pages are created using some sort of encyption key(??) Using something as around 128bit would help. just a thought



Adiz

[MicroBurn]

It is important to secure PHP when you install it too, phsiphphreak posted a good tutorial on Unerror that can be found here http://www.unerror.com/forum/viewtopic.php?t=59