
Finding and Exploiting Bugs in PHP Code

December 1, 2007


Programs and scripts developed with PHP, one of the most popular languages, are often vulnerable to different attacks. The reason is not that the language is insecure, but that inexperienced programmers frequently commit design errors.
Author: Sacha Fuentes
Source: Hakin9 12/2007 (https://hakin9.org)

What you will learn…

  • you will learn about popular flavours of input validation attacks,
  • you will gain knowledge on common design errors in PHP scripts.

What you should know…

  • you should know the PHP language.

PHP is a server-side scripting language with a syntax drawn from a mix of C, Perl and Java, and it allows for the dynamic generation of web pages. It is used by millions of sites worldwide, and many projects written in PHP can be found in open-source repositories like SourceForge (http://sourceforge.net). The ease of use and the number of libraries accessible from PHP allow anyone with a minimum of knowledge to write and publish complex applications. Often these applications are not well designed and do not provide the security necessary for a publicly accessible site. For this reason we are going to look at the most common security errors in PHP; we will see how to find these bugs when we have access to the source code, and how to exploit them.

Unchecked user input

The main security problem in PHP is the lack of checks on user input, so we need to know where user input can come from. There are four types of variables that can be sent to the server: GET variables, POST variables, cookies and files. Let's see an example with GET variables. Consider a request like http://example.com/index.php?var=MYINPUT, with index.php being:

<?php echo $var; ?>

This is a very convenient way of working, but a very insecure one too. As arbitrary variables can be defined and assigned by the user, the programmer must be very careful to assign default values to variables. Let's take a look at an example taken from the PHP manual (Listing 1).
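The behaviour described above is PHP's register_globals setting (removed in PHP 5.4), which turns every request parameter into a script variable. The following added example, not from the article or the PHP manual, shows the uninitialised-variable pattern the text warns about next to a hardened version that assigns defaults and reads input explicitly from the request array. The function names, the page parameter and the login check are hypothetical.

```php
<?php
// Added example: why an uninitialised variable is dangerous when request
// parameters become script variables, and how to write it safely.

// Hypothetical stand-in for a real session/authentication check.
function check_login(): bool
{
    return false;
}

// VULNERABLE PATTERN: $is_admin has no default. With register_globals=On a
// request that carries is_admin=1 defines $is_admin before this code runs,
// so the !empty() test below passes without check_login() ever succeeding.
function render_vulnerable(): string
{
    if (check_login()) {
        $is_admin = true;
    }
    if (!empty($is_admin)) {
        return "admin panel";
    }
    return "public page";
}

// HARDENED PATTERN: every variable receives a default before use, request
// data is read only from the explicit request array (what $_GET holds),
// and the value is validated against a whitelist before it is used.
function render_hardened(array $get): string
{
    $is_admin = false;                        // explicit default
    if (check_login()) {
        $is_admin = true;
    }

    $allowed = ['home', 'about', 'contact'];
    $page = $get['page'] ?? 'home';           // explicit source plus default
    if (!in_array($page, $allowed, true)) {   // strict comparison
        $page = 'home';                       // reject anything not whitelisted
    }
    return ($is_admin ? "admin view of " : "public view of ") . $page;
}

// Constructed request, as $_GET would look for ?page=not-a-view&is_admin=1.
// The stray is_admin key is simply ignored by the hardened function.
$request = ['page' => 'not-a-view', 'is_admin' => '1'];
echo render_hardened($request), "\n";
```

Even with register_globals off, the same rule applies: initialise every variable and treat $_GET, $_POST, $_COOKIE and $_FILES as the only sources of user input.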

