-
Guestbook Security
I would like some suggestions on how I can secure my very first guestbook.
As many of you are aware, I have set up my computer as a web server. This has made me more aware of security. Since then I have installed and configured PHP support in my server. I have also been working on creating my own guestbook instead of relying on someone else's work.
The guestbook will be done with a combination of PHP, JavaScript and HTML; since I am new to PHP I can't do it all with PHP yet. OK, so here is the deal:
I have been made aware that HTML and SSI includes could be constructed in a guestbook entry such that it would execute a binary on the server, or delete files, etc.
To fix this I devised a plan. I will create a JavaScript form verifier that will look at each field and determine if the correct format of information has been entered. Once the JavaScript approves of the form, it will be sent to my PHP script, which will then strip out any HTML, SSI or JavaScript from all the fields, format the whole thing as one string, store it in a file, and display it to the user.
So far I have got my PHP script to strip all HTML, JavaScript and any SSI from all fields; also my form verifier is now complete.
However, I have a few more concerns that I would like your advice on, and here they are:
First, it was suggested to me that I use expose_php = off in my php.ini file, which I have done, to reduce information available to attackers, and to use a weird file extension for the PHP MIME type:
AddType application/x-httpd-php .asp .py .pl
My question: do you recommend changing the default PHP extension, and are there any other security considerations I may be overlooking?
I am aware that turning on PHP in my server is now a major security concern, as now attackers can locate my PHP files and try to exploit them. I am known to be a very sloppy programmer periodically; you may call me a spaghetti programmer, although I don't use any goto statements or anything like that. I don't want to do a sloppy job with my very first guestbook and end up with a dozen security holes.
Can you give me some suggestions on how I can make this guestbook secure? I am now thinking that using a JavaScript form checker may have been a bad choice, as people can download the source, modify the JavaScript, and run it, and I will have no way of knowing my code has been modified. How can I prevent this?
-
The golden rule for web application security is "NEVER EVER trust client side information".
Any data that your web application is going to receive needs to be tested server side and validated to prove that it is what it should be. For example, if it should be a number between 0-10 then make sure that it is. If these tests are done client side, i.e. by JavaScript, it would take anyone with a small amount of skill about 10 seconds of work to bypass them. All these tests need to be done in your PHP code as well.
Your PHP source code should be hidden from the user by the web server, but to make sure, give the files only execute rights, not read and not write. This means the OS should stop anyone from reading the PHP source code.
Hope that helps
As you are doing a guest book, how are you planning to store the data?
SittingDuck
-
Data will be stored in a txt file since I don't have enough RAM or CPU speed to use MySQL or any other database. I did try MySQL once when I thought that it was required for Snort to work; I later learned that Snort could work without any database server and that MySQL was slowing down my computer.
It is a good thing you pointed out server-side verification, as I was going to do all validation with JavaScript :), but now that you mention it, I will write some sort of validation on the server side and at the same time use the JavaScript, perhaps knowing that if nobody messes with my JavaScript I will receive everything in the correct format; then when I check it with PHP I can open a window warning them that I detected they have modified my JavaScript :)
I have Windows, which was probably a bad decision to run a web server on due to security, but since I am struggling with getting Red Hat Linux to work with my graphics card, I took the chance and installed the web server on Windows. I did change some things, such as a limit of 6 visitors at the same time, so if 7 people are trying to view my site at the same time, one will be locked out. And my error 404 as well as headers have been spoofed to reduce the information spat out.
Is there any way in a FAT32 file system to restrict access to execute only? There are no user groups on my system.
-
I guess that you are using IIS, which I have no experience in. But you can still make it secure even on Windows; it's just that it is a lot easier on Linux.
Have you tried Apache for Win32?
But whichever web server you use, it must be patched as soon as a new patch comes out.
The fact that you are using a txt file to hold the information solves the problem of having to write validation against SQL injection. Therefore you need to protect against XSS: replace all < with &lt; and > with &gt; and ' with \' and " with &quot;. I think those are the main ones; does anyone want to add any more?
SittingDuck
-
I am using a web server called KeyFocus Web Server from www.keyfocus.net
Yes, I did try Apache for Windows; I unfortunately could not get it to work, but that was a long time ago. Since then I have also tried Simple Server from AnalogX, one called OmniHTTPd, Windows httpd and WebSite web server.
I did get WebSite, Simple Server and Omni working, except for CGI, and since my original idea was to use the server for local testing only I figured I would be safe. But Omni was not working with CGI for me, so I found KF Web Server and am very pleased.
Using your suggestions for validation server side, I can see your point that anyone can bypass the JavaScript; to prove it to myself I did it, I bypassed the JavaScript. So last night I found a tutorial on making a guestbook with PHP, and from it I took the validation for email and form fields:
// reject an entry with an empty nickname or empty message
if($nick == "" || $msges == "") {
    // report the error to the user and stop here
}
and
// reject a non-empty e-mail address that does not match the pattern
// (eregi/ereg_replace were removed in PHP 7; preg_match/preg_replace are the replacements)
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email) && $email != ""){
    // report the invalid e-mail address and stop here
}
I also used strip_tags to strip any HTML, SSI and JavaScript from the form fields:
// remove every tag from each field before it is stored or displayed
$nick = strip_tags ($nick);
$email = strip_tags ($email);
$homepage = strip_tags ($homepage);
$msges = strip_tags ($msges);
// turn the backslash-escaped quotes (\" and \') into an entity and a plain quote
$msges = ereg_replace('\\\"',"&quot;",$msges);
$msges = ereg_replace("\\\'","'",$msges);
// convert line breaks in the message to <br> for display
$msges = nl2br($msges);
I will add a few more checks. In JavaScript I already included a check to see if the maximum length for each field has been reached.
Thank you for pointing that out to me; I hope to finish the PHP checking tonight. I checked the site for KeyFocus the other day but there were no updates available, but I expect one soon, since looking at the patch history they seem to be releasing a patch every month or two.
When I downloaded PHP I made sure it was the latest version, but I heard somewhere that if you download the new and latest version of software as soon as it is released it can be a bad idea because that's when many exploits are found. Is this true? Should I wait a while before getting patches and updates?
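An added example, not code from the thread, of the server-side validation, output escaping and flat-file storage that SittingDuck's replies and the script above describe. The field names follow the posted script; guestbook.txt, the length limits, the nickname character class and the use of filter_var in place of eregi are assumptions.

```php
<?php
// Added example, not code from the thread: server-side checks, output escaping and flat-file
// storage. Field names follow the poster's script; guestbook.txt, the limits in FIELDS
// ([required, max length]) and the use of filter_var instead of eregi are assumptions.
const GUESTBOOK_FILE = 'guestbook.txt';
const FIELDS = ['nick' => [true, 40], 'email' => [false, 120], 'homepage' => [false, 200], 'msges' => [true, 2000]];
// Returns a list of error messages; an empty list means the entry is acceptable.
function validate_entry(array $f): array
{
    $errors = [];
    // Required-field and length checks live here, not in JavaScript: anything the browser sends can be forged.
    foreach (FIELDS as $name => [$required, $max]) {
        $len = strlen($f[$name] ?? '');
        if (($required && $len === 0) || $len > $max) {
            $errors[] = "$name is missing or longer than $max characters";
        }
    }
    // The nickname is limited to a safe character class, so no tag or SSI syntax fits in it.
    if (!preg_match('/^[A-Za-z0-9 _-]*$/', $f['nick'] ?? '')) {
        $errors[] = 'nickname contains invalid characters';
    }
    // E-mail and homepage are optional; when given they must pass PHP's built-in filters.
    if (($f['email'] ?? '') !== '' && filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid e-mail address';
    }
    if (($f['homepage'] ?? '') !== '' && (filter_var($f['homepage'], FILTER_VALIDATE_URL) === false
            || !preg_match('#^https?://#i', $f['homepage']))) {
        $errors[] = 'homepage must be an http(s) URL';
    }
    return $errors;
}
// Escape for HTML: &, <, >, " and ' become entities, so stored text can never act as markup.
function escape_field(string $v): string
{
    $v = htmlspecialchars(str_replace("\t", ' ', $v), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Line breaks become <br> only after escaping (a user-typed "<br>" stays literal); with tabs
    // and newlines gone, one tab-separated line per entry is a safe storage format.
    return str_replace(["\r\n", "\r", "\n"], '<br>', $v);
}
// Append one entry as a tab-separated line; LOCK_EX keeps concurrent posts from interleaving.
function store_entry(array $f): bool
{
    $cols = array_map('escape_field', [$f['nick'], $f['email'] ?? '', $f['homepage'] ?? '', $f['msges']]);
    return file_put_contents(GUESTBOOK_FILE, implode("\t", $cols) . "\n", FILE_APPEND | LOCK_EX) !== false;
}
// Render stored entries; every column was escaped before storage, so it is safe to print as-is.
function render_entries(): string
{
    $html = '';
    foreach (file(GUESTBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        [$nick, $email, $url, $msges] = array_pad(explode("\t", $line, 4), 4, '');
        $html .= "<p><b>$nick</b> ($email) $url<br>$msges</p>\n";
    }
    return $html;
}
// Constructed sample post: the <script> tag ends up in the page as harmless text.
$entry = ['nick' => 'Visitor 1', 'email' => 'v@example.org', 'homepage' => 'https://example.org/',
          'msges' => "Hi!\n<script>alert(1)</script>"];
if (validate_entry($entry) === [] && store_entry($entry)) { echo render_entries(); }
```

Keep guestbook.txt outside the document root, or deny it in the server configuration, so visitors cannot fetch the raw file directly.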
-
For vulnerabilities in programs there is only one place worth looking:
SecurityFocus's vulnerability database.
Have a look there for the programs you are using. As it feeds from the Bugtraq mailing list, it is about as up to date as you are going to get.
As for updates etc., you should always get them. Mainly, when you find a vulnerability in a program you tell the vendor, and when they have fixed it and made a patch then you post to Bugtraq (it doesn't always happen like that, but most times). So the patch solves the problem before the rest of the world and every script kiddie finds out.
SittingDuck
-
Thank you SittingDuck for all of your help.
I have used SecurityFocus a few times but will try to be a more frequent visitor :). I did not know that the information is gathered from Bugtraq; in fact I don't know much about Bugtraq, I will have to research it this weekend. I did a search for my web server in SecurityFocus; there were exploits found for previous versions, but the latest version has yet to be exploited. I am trying to exploit it myself.
The guestbook is now complete. I decided to scrap the JavaScript form validator since that can be bypassed, and set up a new validator with PHP. It checks for too many characters entered, the format of the data such as valid names, emails and home sites, and strips any HTML, JavaScript and SSI from all fields. I have verified it is all working by purposely filling in invalid information in the fields, and am now confident that it can't be exploited. I also changed the file extension from php to a not obvious extension for the PHP MIME type to make those script kiddies dance in their seats.
I downloaded N-Stealth 3.5 build 63 and scanned with the complete scan; 4 possible bugs were found, all of which I have verified are not exploitable on my server: mainly test.cgi, which I made myself (it was not included with the server); guestbook.html, which I determined can't be exploited; and backup.shtml was found, but since my server does not support SSI, it can't be exploited. But I am very pleased with the N-Stealth vulnerability scanner; I tried a few others, including one for CGI.
I would like to say thank you so much for all of your help and guidance in creating my guestbook and securing my server.
-
You're welcome.
I'm yet to use N-Stealth; does it do the same job as whisker, i.e. look for default files with vulnerabilities in them?
I would be very interested to see what you have done; any chance you could PM me the URL?
SittingDuck
-
The URL is http://www.nstalker.com/ to download a trial version of N-Stealth, but you can't update the database without the full version as far as I understand. I figured I would post it here too in case anyone else was interested in trying N-Stealth.