[ale] Seven Deadly Sins - PHP

Randall Janinda rjaninda at tqlabs.com
Tue Jun 10 21:40:22 EDT 2003


I'm going to have to touch on this and then read the article later. I
have been working with PHP for roughly 4 years now. Here's my findings.

PHP makes it extremely easy for a non-programmer to whip up a script to
do some "miraculous" feat such as grab form data, track visitors,
interact with a database, etc. This is the number one security problem,
folks without any programming experience, and certainly no idea what
security is. For example, just today on the isp-linux list this script
was sent:

--- snip ----
<body>
    A Simple Form
    <br><br>
    <form action="reaction.php" method="POST">
        <input type="text" name="field_1" size="10"><br><br>
        <input type="submit" name="submitbutton">
    </form>
</body>
</html>

  and the action script http://weberic.txbs.net/reaction.php
  is
<?php
    // $field_1 is only populated here because register_globals turns the
    // submitted form field straight into a PHP variable; nothing checks it.
    if ($field_1)
    {
        echo "field_1: $field_1";
    }
    else
    {
        echo "no data has been passed to this script";
    }
?>

---snip---

I haven't touched it. While I hope this is just a test, this is a
common approach to PHP, just use the data that the user passes without
parsing and cleaning.

Next example, error handling. I have personally run across a site of a
large broadcasting company and played with the forms they offered. It
started spewing PHP error messages about fopen(a,.....). Long story
short, I was able to upload and run any program I wanted on their server.

Now, that said, I have used PHP for some larger scale projects and have
tried very hard to be security conscious. I think that is the
key... security consciousness. I think most of PHP's major problems are
programmer error. I will admit that the core language itself had major
problems (file upload) but as with any good piece of open source, it is
fixed really quickly.

I do have some snippets of PHP at www.tqlabs.com and invite anyone to
look at them. They are the "frontdoor and keys" to www.myroads.net. Feel
free to poke around and either prove or disprove my points. I am
interested in hearing other opinions on this matter.

Thanks,

Randy Janinda
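An added example, not code from Randy's message or from the isp-linux post he quotes: a hardened version of the reaction.php above that reads the field only from $_POST, allowlists its contents, escapes it before echoing, and keeps PHP error output (such as the fopen() messages mentioned above) out of the browser. It assumes PHP 4.1 or later so that $_POST is available and does not rely on register_globals.

```php
<?php
// Added example: hardened reaction.php (assumes PHP 4.1+ for $_POST).

// Never show raw errors to the visitor; a failing fopen() would otherwise
// print server paths into the page. Log them on the server instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Allowlist check: the form field is size=10, so accept 1..10 characters
// drawn from letters, digits, space, dot and dash. Anything else is rejected.
function clean_field($value)
{
    if (!is_string($value)) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9 .\-]{1,10}$/', $value)) {
        return false;
    }
    return $value;
}

// Read the value only from the POST body, not from whatever register_globals
// would have merged in from GET parameters or cookies.
$field_1 = isset($_POST['field_1']) ? clean_field($_POST['field_1']) : false;

if ($field_1 !== false) {
    // Escape on output so a submitted value cannot inject HTML or script.
    echo 'field_1: ' . htmlspecialchars($field_1, ENT_QUOTES);
} else {
    echo 'no valid data has been passed to this script';
}
?>
```

With display_errors off, the fopen() failures Randy describes still reach the error log (or the web server's error log), so the admin sees them while the visitor does not.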
 

-----Original Message-----
From: ale-admin at ale.org [mailto:ale-admin at ale.org] On Behalf Of Frank Zamenski
Sent: Tuesday, June 10, 2003 9:06 PM
To: ale at ale.org
Subject: Re: [ale] Seven Deadly Sins - PHP


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Our own Bob Toxen spoke on the seven deadly sins of Linux
> security at the Linux Forum last week in Santa Clara, Calif.
> A new story on his talk is available at:
> 
> <http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci904844,00.html>
> 
> and if that doesn't work, try this link:
> 
> <http://makeashorterlink.com/?R2FE121E4>
> 
> 
> Interesting read.
> 
> Sean
> 

Thanks for that, it was interesting. (BTW, I had to use the 
makeshorterlink). Please pardon my appending the original subject line, 
I'm hoping to generate some discussion (well, except I'll just be 
reading it).

The PHP part in "Deadly sin No. 4" caught my attention: 

"On Toxen's "don'ts" list: Don't use PHP, even though it's convenient."
 
I've read this list long enough to recognize that Bob Toxen is a pro's 
pro, and when I see statements like that coming from him, I get 
paranoid. I'm a Solaris SA responsible for several webservers, and not 
a programmer by any stretch, but we've web developers that seem to be 
embracing PHP with unbridled passion. As such, I'm beginning to feel 
like I'm sitting on the systems sidelines wondering what the heck is 
going on here? What is its utility (or fascination?) that seems to make
this the web dev tool of the year? Questions:

1). is PHP just bad programming practice in general? (and if so, what 
could or should be used instead?)
2). what kinds of admin headaches am I opening myself up for, anyway?
3). related... what should I be looking for in system and web portal 
logs, especially in terms of attacks?

I guess what I need is a good primer on this stuff, like a 'What Every 
SA Must Know About PHP', if you will.

4). any recommendations for a quick, yet thorough, PHP read?

I've also become acutely aware as of late that this stuff seems to be 
very buggy in general, and seems to also be causing headaches for the 
developers in no predictable manner. In short, it likes to crash, and 
I'm being enlisted more and more to assist in running Solaris 
diagnostics on this stuff (for what good it seems to be doing so far), 
and in playing with ulimits, and frankly, I don't think anyone has a 
clue (and I know I don't).

5). soliciting anybody else's experience(s)?
6). open for anything else....

I've been to the PHP website also. The issues people are having with 
this are just short of stunning.

Thanks.
fgz


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale

