Poster: Leehoo (A-), Board: PHP, Title: How to attack vulnerabilities in common PHP programs (2), Station: Wuhan Baiyun Huanghe BBS (Saturday, November 30, 2002 18:51:14), on-site mail
Translation: analysist. Source: http://www.china4lert.org
How to attack vulnerabilities in common PHP programs (2)
Original by Shaun Clowes: http://www.securereality.com.au/ Translation: analysist, http://www.nsfocus.com/
[Library files] As discussed earlier, include() and require() exist to support code libraries: frequently used functions are placed in a separate file, that file is the code library, and when a function is needed the library file is included into the current file.
Originally, when PHP programs were developed and released, library files were typically given an ".inc" extension to distinguish them from the main program code. This soon turned out to be a mistake, because the PHP interpreter does not parse such files as PHP code. If such a file is requested from the server directly, the server returns its source code: when PHP runs as an Apache module, the interpreter decides whether to parse a file as PHP code based on its extension, and site administrators usually register only ".php", ".php3" and ".php4". If important configuration information (database credentials, for example) is kept in a file whose extension is not parsed as PHP, a remote attacker can obtain it simply by requesting the file.
The simplest fix is to give every library file a PHP extension. This prevents the source code from leaking, but it creates a new problem: by requesting the library file directly, an attacker can run code that was only meant to execute inside the main program, now running on its own and outside its intended context, which can lead to all of the attacks discussed earlier.
Here is a very clear example:
In main.php:
<?php
$libDir = "/libdir";
$langDir = "$libDir/languages";
...
include("$libDir/loadlanguage.php");
?>
In libdir/loadlanguage.php:
<?php
...
// $langDir and $userLang are expected to come from main.php
include("$langDir/$userLang");
?>
When "libdir/loadlanguage.php" is included by "main.php" it is quite safe, but because "libdir/loadlanguage.php" has the ".php" extension, a remote attacker can request the file directly and set "$langDir" and "$userLang" to arbitrary values.
[Sessions] PHP 4 and later support sessions, whose main role is to preserve state information across PHP pages. For example, when a user logs into a site, the fact that he is logged in and who he logged in as is kept in the session; as he browses the site, all of the PHP code can access this state information.
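One way to harden the library-file pattern above, added here as an example and not taken from the original article. The main program defines a marker constant before including the library; the library refuses to run when the marker is absent (a direct request), and the language name is checked against a fixed list before it becomes part of a path. The constant name IN_MAIN_PHP and the language list are assumptions.

```php
<?php
// ---- File 1: main.php (hypothetical) ----
// The marker constant exists only when execution started here.
define('IN_MAIN_PHP', true);
$libDir   = '/libdir';
$langDir  = "$libDir/languages";
$userLang = isset($_GET['userLang']) ? $_GET['userLang'] : 'english';
include "$libDir/loadlanguage.php";

// ---- File 2: libdir/loadlanguage.php (hypothetical, hardened) ----
// Direct request: no trusted $langDir or $userLang exist, so stop here
// instead of building an include path from whatever the request supplied.
if (!defined('IN_MAIN_PHP')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Returns the language file path, or the default when the name is not
// one of the files the site actually ships (assumed list).
function language_file($langDir, $userLang)
{
    $allowed = array('english', 'german', 'chinese');
    if (!in_array($userLang, $allowed, true)) {
        $userLang = 'english';
    }
    // Only a trusted directory plus a whitelisted name reaches include().
    return "$langDir/$userLang.php";
}

include language_file($langDir, $userLang);
?>
```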
When a session is started (the configuration can make this happen automatically on the first request), PHP generates a random "session id"; as long as the remote browser sends this "session id" with every subsequent request, the session is maintained. This is easily done with a cookie, and can also be done by submitting a form variable that carries the "session id". A PHP program can register a variable as a session variable: its value is written to the session file at the end of every PHP script, and loaded back into the variable before every PHP script runs. Here is a simple example:
<?php
session_destroy(); // Kill any data currently in the session
$session_auth = "shaun";
session_register("session_auth"); // Register $session_auth as a session variable
?>
Newer versions of PHP will then automatically set "$session_auth" to "shaun" in later scripts, and if a script modifies the value, subsequent scripts automatically receive the modified value. This is a useful tool for the stateless web, but it must be used carefully.
An obvious problem is making sure that a variable really came from the session. For example, given the code above, suppose a later script reads:
<?php
if (!empty($session_auth))
    // Grant access to site here
?>
This code assumes that if "$session_auth" is set, it came from the session rather than from user input. If an attacker sets it through form input instead, he gains access to the site. Note that the attacker must do this before the variable has been registered in the session; once it is placed in the session, the session value overrides any form input.
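The login check from the article, rewritten here as an added example (not the original article's code) so that the flag is read from the session store itself rather than from a global that user input could also populate. It assumes a PHP version with the $_SESSION array; the credential pair used by login() is a constructed placeholder.

```php
<?php
session_start();

// Sets the authentication flag in the session store only. The credential
// comparison is a constructed placeholder standing in for a real check.
function login($user, $password)
{
    if ($user === 'shaun' && $password === 'placeholder-secret') {
        $_SESSION['session_auth'] = $user;
        return true;
    }
    return false;
}

// The pattern the article warns about: with register_globals on, a request
// such as page.php?session_auth=shaun sets $session_auth before this runs,
// so the check cannot tell session data from request data.
function is_logged_in_unsafe()
{
    global $session_auth;
    return !empty($session_auth);
}

// Hardened: consult the session store and nothing else. Form, query-string
// and cookie variables never land in $_SESSION on their own.
function is_logged_in()
{
    return isset($_SESSION['session_auth']) && $_SESSION['session_auth'] !== '';
}

if (!is_logged_in()) {
    header('HTTP/1.0 403 Forbidden');
    exit('login required');
}
// Grant access to site here
?>
```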
Session data is generally kept in files (the location is configurable, usually "/tmp"), in files named "sess_<session id>", which contain the variable names, variable types, values and some other data. On many multi-user hosts the web server runs as a single user (typically "nobody") that owns all of these files, so a malicious site owner can gain access to other sites on the same server by creating session files, or simply read the session files of other sites looking for sensitive information.
The session mechanism also gives an attacker a convenient place to store his input in a file on the remote system. In the earlier example, the attacker wanted to include a file containing his PHP code on the remote system; if this cannot be done with file upload, he will often set a session variable to a value of his choosing and then guess the location of the session file. He knows the file is named "sess_<session id>", so he only needs to guess the directory, which is generally "/tmp".
In addition, the attacker can choose the "session id" himself (for example "hello"), and PHP will then create a session file with that id (for example "/tmp/sess_hello"); the only restriction is that the "session id" may consist solely of letters and digits.
[Data types] PHP is loosely typed: a variable's type depends on the context in which it is used. For example, "$hello" may start out as a string variable with the value "", but when it is evaluated in a numeric context it becomes the integer 0, which can sometimes lead to unexpected results. The values "000" and "0" are different, yet empty() does not treat them the same way.
PHP arrays are associative arrays, that is, array indexes are strings. This means that "$hello["000"]" and "$hello[0]" are different elements.
Developers should think carefully about these issues; for example, a program should not test whether a variable is "0" in one place and use empty() to check it in another.
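An added example, not from the original article, of the inconsistency just described: PHP compares numeric strings numerically, so "000" == "0" holds, while empty("000") is false. A script that denies on one test and on the other will disagree about "000". The function names are assumptions.

```php
<?php
// Denies when the flag loosely equals "0"; "000" is denied because
// PHP compares the two numeric strings as numbers.
function denied_by_string_compare($flag)
{
    return $flag == '0';
}

// Denies when the flag is empty(); "000" is NOT denied because only
// "" and "0" (and 0, null, false, an empty array) count as empty.
function denied_by_empty($flag)
{
    return empty($flag);
}

// Consistent alternative: accept only the exact string(s) the program
// means, compared strictly, so every check agrees on every input.
function denied_strict($flag)
{
    return !in_array($flag, array('1'), true);
}

// Constructed inputs; "000" is the one on which the first two disagree.
foreach (array('0', '000', '1', '') as $flag) {
    printf("%-5s compare:%d empty:%d strict:%d\n", var_export($flag, true),
        denied_by_string_compare($flag), denied_by_empty($flag), denied_strict($flag));
}

// Array keys behave as the article says: "000" and 0 are different keys,
// so both elements exist side by side.
$hello = array();
$hello['000'] = 'string key';
$hello[0]     = 'integer key';
var_dump(count($hello));
?>
```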
[Error-prone functions] When analyzing a PHP program for vulnerabilities, a list of error-prone functions is very useful once we have the source code. If the parameters passed to one of these functions can be changed remotely, a vulnerability is very likely. Below is a fairly detailed list of error-prone functions:
"PHP code execution" require(): reads the specified file and interprets its contents as PHP code. include(): same. eval(): executes the given string as PHP code. preg_replace(): when used with the "/e" modifier, the replacement string is interpreted as PHP code.
"Command execution" exec(): executes the specified command and returns the last line of its output. passthru(): executes the specified command and returns all of its output to the client browser. ``: executes the specified command and returns all of its output in an array. system(): like passthru(), but does not handle binary data. popen(): executes the specified command and connects its input or output to a PHP file descriptor.
"File disclosure" fopen(): opens a file and returns a PHP file descriptor. readfile(): reads the contents of a file and outputs them to the client browser. file(): reads the entire file into an array.
Translator's note: this is not the complete list; for example, mail() can also be made to execute commands, so add your own entries as needed.
[How to improve PHP security] All of the attacks described so far work against a default PHP 4 installation, but as I have said repeatedly, PHP configuration is very flexible, and several PHP configuration options let us resist these attacks. I have ranked them by how hard they are to deploy:
* low difficulty ** fairly low difficulty *** fairly high difficulty **** high difficulty
This ranking is only my personal opinion, but I can guarantee that if you use all of the options PHP provides, PHP will be very secure, and so will third-party code, because many functions can no longer be used.
**** Set "register_globals" to "off". This option stops ordinary user input from becoming PHP variables: if a user submits the form variable "hello", PHP will not create "$hello" but only "HTTP_GET/POST_VARS['hello']". This is an extremely important PHP option, but turning it off causes a lot of inconvenience for programs.
*** Set "safe_mode" to "on". Enabling this option adds the following restrictions: 1. limits which commands can be executed; 2. limits which functions can be used; 3. restricts file access based on the ownership of the script and of the target file; 4. disables file upload. This is a great option for ISPs and greatly improves PHP's security.
** Set "open_basedir". This option specifies a directory outside of which file operations are prohibited, which effectively eliminates local and remote file include() attacks, but file upload and session file attacks still need attention.
** Set "display_errors" to "off" and "log_errors" to "on". This stops error messages from being sent to the web page and records them in a log file instead, which effectively stops attackers from using error output to probe the functions in the target script.
* Set "allow_url_fopen" to "off"
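An added example, not part of the original article, that audits a running PHP installation against the hardening options listed above using ini_get() and reports the ones still in the weak state, tagged with the article's difficulty rating. register_globals and safe_mode no longer exist in PHP 5.4 and later; the script reports them as unavailable there. The function names are assumptions.

```php
<?php
// Returns true/false for an on/off directive, or null if the directive
// does not exist in this PHP version (ini_get() yields false then).
function ini_flag_on($name)
{
    $v = ini_get($name);
    if ($v === false) {
        return null;
    }
    return in_array(strtolower((string) $v), array('1', 'on', 'yes', 'true'), true);
}

// Each entry: directive => array(desired state, article rating).
// Desired state: true = on, false = off, 'set' = must be non-empty.
function hardening_findings()
{
    $wanted = array(
        'register_globals' => array(false, '****'),
        'safe_mode'        => array(true,  '***'),
        'open_basedir'     => array('set', '**'),
        'display_errors'   => array(false, '**'),
        'log_errors'       => array(true,  '**'),
        'allow_url_fopen'  => array(false, '*'),
    );
    $findings = array();
    foreach ($wanted as $name => $spec) {
        list($desired, $rating) = $spec;
        if ($desired === 'set') {
            $val = ini_get($name);
            $ok  = ($val !== false && $val !== '');
            $want = 'a directory';
        } else {
            $state = ini_flag_on($name);
            if ($state === null) {
                $findings[] = "$rating $name: not available in this PHP version";
                continue;
            }
            $ok   = ($state === $desired);
            $want = $desired ? 'On' : 'Off';
        }
        if (!$ok) {
            $findings[] = "$rating $name: weak setting, wanted $want";
        }
    }
    return $findings;
}

foreach (hardening_findings() as $line) {
    echo $line, "\n";
}
?>
```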
Well, the article ends here. If you want to know more, please refer to the original: http://www.securereality.com.au/studyinscarlet.txt
--
Source: Wuhan Baiyun Huanghe BBS bbs.whnet.edu.cn