Secure php Server and programming practices

In one of my works, the company wanted to have their webpage and they contracted a freelance programmer.

He coded this in PHP:

if(!$top)
$top="top_home.php";
include($top)

Proof Of Concept – This code works this way, you call the webpage with this url:

www.server.com/index.php?top=page.php

For this to work we need in php.ini this variable in ON

register_globals = On

This is very insecure, so we asked him to do this change:

if(!$_GET[top])
$_GET[top]="top_home.php";
include($_GET[top])

This is a little more secure, but it is a trap, you can still compromise the security of the server with a query like this:

www.server.com/index.php?top=/etc/passwd

I recommend: 1) To hardcode the filenames you want to open.
2) Use fopen() to open the filename, store it in a variable and then print it.
3) Do not use include()
4) Check the input variables with regular expressions ! Like this:

if (ereg("^[a-z]+\.html$", $_GET[cen])) {
 echo "Good!";
} else {
 die("Try hacking somebody else's site.");
}

5) Be preventive, save into logs or send you an email when somebody is trying strange things in your server, you will probably not be able to send the hacker to prison but detect the attack and take preventive measures if neccesary, with new politics.

I hope it helped somebody, this is very common.

What is required to be safe when you program a website and worry about Security is…

In httpd.conf configure

php_admin_value open_basedir "/home/webpagedirectory/"

In php.ini configure

allow_url_fopen = Off
enable_dl = Off
expose_php = Off
error_log = /var/log/error_php.log
Advertisements