Finding and Exploiting Bugs in PHP Code
Programs and scripts developed with PHP, one of the most popular languages, are often vulnerable to different attacks. The reason is not that the language is insecure, but that inexperienced programmers frequently commit design errors.
Author: Sacha Fuentes
Source: http://hakin9.org Hakin9 12/2007
What you will learn…
- you will learn about popular flavours of input validation attacks,
- you will gain knowledge on common design errors in PHP scripts.
What you should know…
- you should know the PHP language.
PHP is a server-side scripting language for the dynamic generation of web pages, with a syntax that mixes C, Perl and Java. It is used by millions of sites worldwide, and many projects written in PHP can be found in open-source repositories like SourceForge (http://sourceforge.net). The ease of use and the number of libraries accessible from PHP allow anyone, with a minimum of knowledge, to write and publish complex applications. Often these applications are not well designed and do not provide the security needed on a publicly accessible site. For this reason, we are going to look at the most common security errors in PHP; we'll see how to find these bugs when we have access to the code and how to exploit them.
Unchecked user input
The main security problem in PHP is the lack of checks on user input, so we need to know where user input can come from. There are four types of variables that can be sent to the server: GET/POST variables, cookies and files. Let's see an example with GET variables. A request like http://example.com/index.php?var=MYINPUT, with index.php being:
<?php echo $var; ?>
This is a very convenient way of working, but a very insecure one too. As arbitrary variables can be defined and assigned by the user, the programmer must be very careful to assign default values to variables. Let's take a look at an example taken from the PHP manual (Listing 1).
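The default-value advice above, shown as an added example (it is not Listing 1 and not the author's code). It assumes extract() as a stand-in for PHP's register_globals setting, which was removed in PHP 5.4; check_login(), $authorized and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example. $authorized and check_login() are hypothetical names.

// Stand-in credential check; the account and password are constructed.
function check_login(array $request): bool
{
    return ($request['user'] ?? '') === 'alice'
        && hash_equals('constructed-password', (string)($request['pass'] ?? ''));
}

// Pattern the text warns about. extract() emulates the setting that turns
// every request parameter into a script variable.
function page_unsafe(array $request): string
{
    extract($request);
    if (check_login($request)) {
        $authorized = true;
    }
    // No default was assigned, so a request parameter named "authorized"
    // decides the branch when the login check fails.
    return !empty($authorized) ? 'members area' : 'login form';
}

// Same page with the default assigned before any decision is made.
function page_safe(array $request): string
{
    extract($request);           // still emulating the insecure setting
    $authorized = false;         // the default overwrites anything injected
    if (check_login($request)) {
        $authorized = true;
    }
    return $authorized ? 'members area' : 'login form';
}

// Constructed requests: one with no credentials and an extra parameter,
// one with the valid constructed credentials.
$injected = ['authorized' => '1'];
$genuine  = ['user' => 'alice', 'pass' => 'constructed-password'];

foreach (['injected' => $injected, 'genuine' => $genuine] as $name => $req) {
    printf("%-8s unsafe: %-12s safe: %s\n", $name, page_unsafe($req), page_safe($req));
}
```

When auditing code, the thing to search for is any variable that is read in a security decision without having been assigned on every path before that read.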