Secure PHP Development- P12 potx
Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (96.43 KB, 5 trang )
26 Part I: Designing PHP Applications
Minimizing User-Input Risks
As previously mentioned, user input poses the most likely security risk to your Web
applications. Let’s look at a few scenarios for how seemingly harmless and simple
programs can be made to do malicious tasks.
Running external programs with user input
Listing 2-1 shows a simple PHP script called bad_whois.php (bad_ has been added
so that you think twice before actually putting this script in any real Web site).
Listing 2-1: bad_whois.php
<?php
// Set error reporting to all
error_reporting(E_ALL);
// Get domain name
$domain = (! empty($_REQUEST[‘domain’])) ?
$_REQUEST[‘domain’] : null;
// The WHOIS binary path
$WHOIS = ‘/usr/bin/whois’;
// Execute WHOIS request
exec(“$WHOIS $domain”, $output, $errors);
// Initialize output buffer
$buffer = null;
while (list(,$line)=each($output))
{
$buffer .= $line . ‘<br>’;
}
echo $buffer;
04 549669 ch02.qxd 4/4/03 9:24 AM Page 26
if (! empty($errors))
{
echo “Error: $errors when trying to run $WHOIS<br>”;
}
?>
This simple script displays the whois database information for a given domain. It
can be run like this:
http://server/bad_whois.php?domain=evoknow.com
The output is shown in Figure 2-1.
Figure 2-1: Harmless output of bad_whois.php script.
Now what’s wrong with this output? Nothing at all. domain=evoknow.com is
used as an argument to execute the /usr/bin/whois program. The result of the
script is the way it was intended by the programmer: It displays the whois database
query for the given domain.
But look what happens when the user runs this same script as follows:
http://server/bad_whois.php?domain=evoknow.com;cat%20/etc/passwd
Chapter 2: Understanding and Avoiding Security Risks 27
04 549669 ch02.qxd 4/4/03 9:24 AM Page 27
The output is shown in Figure 2-2.
Figure 2-2: Dangerous output of bad_whois.php script.
The user has supplied domain=evoknow.com;cat%20/etc/passswd, which is
run by the script as
$runext = exec(“/usr/bin/whois evoknow.com;cat /etc/passwd”, $output);
The user has not only supplied a domain name for the whois program but also
inserted a second command using the semicolon separator. The second command is
cat /etc/passwd, which displays the /etc/passwd file. This is where this simple
script becomes a tool for the malicious hackers to exploit system information or
even do much more harmful activities such as running the rm -rf command to
delete files and directories.
Now, what went wrong with the simple script? The script programmer trusted
user input and will end up paying a big price for such a misplaced trust. You should
never trust user input when you have no idea who the next user is. Listing 2-2
shows an improved version of bad_whois.php script called better_whois.php.
Listing 2-2: better_whois.php
<?php
// Set error reporting to all
error_reporting(E_ALL);
// Get domain name
28 Part I: Designing PHP Applications
04 549669 ch02.qxd 4/4/03 9:24 AM Page 28
$secureDomain = (! empty($_REQUEST[‘domain’])) ?
escapeshellcmd($_REQUEST[‘domain’]) : null;
// The WHOIS binary path
$WHOIS = ‘/usr/bin/whois’;
echo “Running whois for $secureDomain <br>”;
// Execute WHOIS request
exec(“$WHOIS $secureDomain”, $output, $errors);
// Initialize output buffer
$buffer = null;
while (list(,$line)=each($output))
{
if (! preg_match(“/Whois Server Version/i”, $line))
{
$buffer .= $line . ‘<br>’;
}
}
echo $buffer;
if (! empty($errors))
{
echo “Error: $errors when trying to run $WHOIS<br>”;
}
?>
If this script is run as
http://server/bette_whois.php?domain=evoknow.com;cat%20/etc/passwd
it will not run the cat /etc/passwd command, because the escaping of shell
characters using the escapeshellcmd() function makes the given domain name
evoknow.com\;cat /etc/passwd. Because this escaped version of the (illegal)
domain name does not exist, the script doesn’t show any results, which is much
better than showing the contents of /etc/passwd.
So why didn’t we call this script great_whois.php? Because it still has a user-
input-related problem, which is discussed in the next section.
Chapter 2: Understanding and Avoiding Security Risks 29
04 549669 ch02.qxd 4/4/03 9:24 AM Page 29
Getting user input in a safe way
In the preceding example, we had user input returned to us via the HTTP GET
method as part of the URL, as in the following example:
http://server/bette_whois.php?domain=evoknow.com
When better_whois.php is called, it automatically gets a variable called
$domain created by PHP itself. The value of the $domain variable is set to evo-
know.com
.
This automatic creation of input variables is not safe. For an example, take a
look at Listing 2-3.
Listing 2-3: bad_autovars.php
<?php
error_reporting(E_ALL);
// This bad example will only work
// if you have register_globals = Off
// in your php.ini.
// This example is for educational
// purpose only. It will not work in
// sites with register_globals = On
global $couponCode;
if (is_coupon($couponCode))
{
$is_customer = isCustomer();
}
if ($is_customer)
{
echo “You are a lucky customer.<br>”;
echo “You won big today!<br>”;
} else {
echo “Sorry you did not win!<br>”;
}
function is_coupon($code = null)
{
30 Part I: Designing PHP Applications
04 549669 ch02.qxd 4/4/03 9:24 AM Page 30
