
Thread: php vulns?

  1. #1
    Senior Member
    Join Date
    Nov 2001

    php vulns?

    we just hired a new web programmer. she wants to program our extranet in php. i know nothing about php programming and i'm not sure she knows anything about programming security. this will be running on an iis server.

    how dangerous is this?

    are there any test questions i can ask her to find out what she knows?

    should i stop her from using php?
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    Senior Member kr5kernel
    Join Date
    Mar 2004
    Sure PHP will open you to vulnerabilities, but so does turning your computer on and putting it on the internet. With the amount of PHP websites out today handling everything from message boards to e-commerce, security is essential, and achievable. One thing I found real interesting about PHP security was IronGeek's PHP shoveling post. Don't think that applies to IIS though.... Making sure you have a tight IIS setup is your first resort.
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  3. #3
    What kind of data will be running on the server? Is there a database involved? Maybe ask her if she knows what an injection is, is familiar with securing a php installation, and if she has a plan for securing her code.

  4. #4
    Senior Member
    Join Date
    Nov 2001
    yeah there's databases involved and our extranet is currently being accessed from about 300 locations around the country. they can run daily reports etc.

    nessus checks for bad php code doesn't it?

  5. #5
    Speaking of which -- are any of you guys well-versed in "attacking" a website to find out if it has any wide open PHP vulnerabilities?

  6. #6
    I wouldn't say I'm well versed, but I can check for vulnerabilities, did you have a question about it?


    I don't think it would be able to, but there are some "rule of thumb" ways to check for vulnerabilities, like length, bad characters, injections, XSS, so forth.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    You can write your own using the Metasploit framework, or find some already-written tools based on it. In reality, ANY poorly written code written using ANY web language is going to be as vulnerable as the code is bad. The only protection is solid development. That being said, you CAN secure PHP more than its default configuration, but unfortunately all the guides I've seen revolve around chrooting it on unixes, not on IIS.

    If you are really uncertain of the result, you could always ask them for sample code and do some auditing yourself, or get a contractor to look it over. If you are comfortable, you could ask people online for advice, but be exceptionally wary of the responses.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    Senior Member
    Join Date
    Nov 2001
    "You must spread your AntiPoints around before giving it to Soda_Popinsky again."

    ...so thanks!

    there doesn't seem to be any exploits for 5.0.2....yet

    guess i'm just going to have to learn all about php.

  9. #9
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Most of what I've encountered with php vulnerabilities is the lack of error checking, declaring variables, and $_SERVER/$_GET/$_POST/$_REQUEST. There's the whole line on sql-injection, but that's only if you use a DB with php.

    At work, we have a message board system written so that the Flat lines can message a lead with a problem. It's all based on IP addressing (the db has a table called stations with a name and a corresponding IP address). Bypassing the lookup of the lane, here's an example:

    Station logs in and goes to "Submit a trouble ticket".
    Now, their URL looks like this:

    See where that can be abused already?

    In the 'view.php' page, I have the following:

    PHP Code:
    $ip = isset($_GET['ip']) ? $_GET['ip'] : null;
    $real_ip = $_SERVER['REMOTE_ADDR'];

    if (is_null($ip)) {
        // redirect to login page...
    } else if ($ip !== $real_ip) {
        // exact comparison: used as a regex, "/$ip/" treats "." as a wildcard and accepts substrings
        die("Trying to forge IP addresses? Read someone else's stuff? Denied!");
    }

    That's just one example of making sure your code is checked repeatedly. Reason I did the above is because we have monarch 9450 printers (3 per lane, 50 lanes) and it's nothing for someone to log out in the unix application and log in as another station (lane 1 logs in to lane 10) and go to a certain printer function and blast out 100 real quick (just spam-hit the Insert key), then log out and back in as themselves....nobody's the wiser, no tracking on that one label and it causes problems.

    Never trust the user, error check everything, and double check after that! If you had any code you wanted checked, I could look at it...although, I do a lot of php/postgresql interfacing so if it's db-driven, I'm not that good with mysql/etc. It's relatively all the same though.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
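
Added example (not part of the original post) for the `view.php` check in post #9: it runs the same login/denied/ok decision once with the `ip` parameter used as a regular expression and once with an exact comparison, over constructed addresses. The function names and sample values are assumptions made for illustration.

```php
<?php
// Added example: names and sample addresses are constructed for illustration.

// Pattern-match form: the parameter is used as a regex, so "." is a wildcard,
// a substring is enough, and an empty value matches everything.
function decide_regex(?string $ip, string $real_ip): string
{
    // @ hides the warning preg_match raises when the parameter is not a valid pattern
    if (!@preg_match("/$ip/", $real_ip)) {
        return 'denied';
    }
    return $ip === null ? 'login' : 'ok';
}

// Exact form: no parameter means login; otherwise the value must be a
// syntactically valid address and equal to the connection's address.
function decide_exact(?string $ip, string $real_ip): string
{
    if ($ip === null) {
        return 'login';
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false || $ip !== $real_ip) {
        return 'denied';
    }
    return 'ok';
}

$real_ip = '10.1.20.15';  // constructed stand-in for $_SERVER['REMOTE_ADDR']
$claims  = [null, '10.1.20.15', '10.1.20.1', '10.1', '.', '', '10.9.9.9'];

foreach ($claims as $ip) {
    printf(
        "%-14s regex=%-7s exact=%s\n",
        var_export($ip, true),
        decide_regex($ip, $real_ip),
        decide_exact($ip, $real_ip)
    );
}
```

The two columns differ for every claimed value that is only a prefix, a fragment or an empty string, which is where the pattern-match form lets a request through.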

  10. #10
    Senior Member
    Join Date
    Dec 2003
    LA, CA
    check out this class file, template.inc

    it's very nice because it allows you to separate your php code from the html

    just place comment lines in your html for your scripts to reference blocks
    and {these} for areas to insert data
    <!-- BEGIN loopblock -->
    <option value={val}>{label}</option>
    <!-- END loopblock -->
    then create a template object, set the file, and set the block
    $display = new Template();
    $display->set_file("page", "yourfile.html");
    $display->set_block("page", "loopblock", "theloop");
    within a loop set your information and parse the block
    $display->set_var("val", $optionvalue);
    $display->set_var("label", $optionlabel);
    $display->parse("theloop", "loopblock", TRUE);
    to finish it off and send it out
    $display->pparse("OUT", "page");
    A note on parse():
    do not parse non repeating blocks if your script also contains looping blocks, if it does not parse with a FALSE instead of TRUE
    A mind full of questions has no room for answers
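
Added example (not part of the original post, and not the template.inc class): the `loopblock` markup from post #10 rendered with values substituted verbatim and then with the values HTML-encoded and the attribute quoted. `render_options()` is a hypothetical stand-in, and it assumes the template engine inserts `set_var` values as-is; the rows are constructed.

```php
<?php
// Added example. render_options() is a hypothetical stand-in that substitutes
// {val} and {label} into a block; it is not the template.inc Template class.
function render_options(string $block, array $rows, bool $escape): string
{
    $out = '';
    foreach ($rows as [$val, $label]) {
        if ($escape) {
            // Encode for HTML attribute and text contexts, quotes included.
            $val   = htmlspecialchars($val, ENT_QUOTES, 'UTF-8');
            $label = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
        }
        $out .= strtr($block, ['{val}' => $val, '{label}' => $label]) . "\n";
    }
    return $out;
}

// Constructed rows, standing in for values read from a database.
$rows = [
    ['1', 'Lane 1'],
    ['2 selected', 'Lane <b>2</b> & "backup"'],
];

$unquoted = '<option value={val}>{label}</option>';    // block as written in the post
$quoted   = '<option value="{val}">{label}</option>';  // same block, attribute quoted

echo "-- verbatim values, unquoted attribute --\n";
echo render_options($unquoted, $rows, false);
echo "-- encoded values, quoted attribute --\n";
echo render_options($quoted, $rows, true);
```

In the first rendering the second row's value spills out of the unquoted attribute and its label is interpreted as markup; in the second both stay data.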
