Since we discussed a number of vulnerabilities in the popular PHP scripting platform, here are a few tips on making sure you avoid them:
• Apply strict input validation to all user input.
• Use eval(), passthru(), system(), and other functions sparingly and without user input.
• Turn register_globals off.
Common Security Options for PHP
The following configuration options are security related and can be set in the php.ini file. Using these settings ensures that the PHP configuration you have running is securely set by default.
open_basedir
This setting restricts all file access to a specified set of directories; any file operation outside them is refused. As a rule, every file operation your application performs should fall inside a known set of directories. That way the classic “../../../../etc/passwd” traversal won’t go anywhere.
disable_functions
This allows a set of functions to be disabled in PHP. Disabling functions is considered a great way to practice defense in depth. If the applications don’t make use of security-risky functions such as eval(), passthru(), system(), etc., then add these as functions that should never be allowed. If an attacker does find a security issue in your PHP code, the missing functions will at least make it much harder to turn that issue into command execution.
expose_php
Setting this configuration to off removes the PHP banner from the server headers of an HTTP response. If you want to hide the version of PHP, or the fact that PHP is running the application at all, this setting will help.
display_errors
This simple but important setting controls whether detailed error information is displayed to the user when an error occurs. It should always be turned off in any production environment.
safe_mode
Turning safe_mode on in PHP enforces very strict file access permissions: PHP checks that the owner of the running script matches the owner of any file the script attempts to access, and throws a security exception if they do not match. Safe_mode is mostly used by ISPs so that, in virtual-hosted environments, multiple users can develop their own PHP scripts without risking the integrity of the server.
allow_url_fopen
Turning this configuration option off disables file operations on remote files (URLs). This is a nice overall setting to prevent remote file inclusion vulnerabilities from working. For example, if the $absolute_path variable in the following code sample were set to a value of http://www.site.com/, the exploit would fail because allow_url_fopen was turned off:
include($absolute_path.'inc/adodb/adodb.inc.php');
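As an added example (not from the book), the following php.ini fragment puts the settings above, plus the register_globals tip from the list at the top, into practice. Each hardened value is preceded by a comment showing the weak value it replaces. The paths under /var/www/example and /var/log/php are assumptions for a hypothetical site; substitute your own. Two caveats a practitioner should know: eval is a language construct rather than a function, so disable_functions cannot block it, and safe_mode and register_globals were removed in PHP 5.4 (PHP warns at startup if those lines are still present). Also, PHP 5.2 and later gate include()/require() of URLs with the separate allow_url_include directive, so set it Off alongside allow_url_fopen.

```ini
; Hardened php.ini fragment (added example, not from the book).
; Directory paths are assumptions for a hypothetical site rooted at /var/www/example.

; open_basedir: confine every file operation to the web root and a scratch
; directory. A traversal like "../../../../etc/passwd" resolves outside the
; allowed tree and is refused.
; weak: open_basedir =            (unset: any readable file on the system)
open_basedir = /var/www/example/:/var/www/example-tmp/

; disable_functions: defense in depth. Remove the functions that turn a code
; injection into command execution when the application never needs them.
; eval is a language construct, not a function, so it cannot be listed here;
; keep it out of reach of user input in the code instead.
; weak: disable_functions =       (empty: everything available)
disable_functions = passthru,system,exec,shell_exec,popen,proc_open

; expose_php: drop the "X-Powered-By: PHP/x.y.z" response header.
; weak: expose_php = On
expose_php = Off

; display_errors: never send stack traces and file paths to the browser in
; production. Log them to a file the web user cannot serve instead.
; weak: display_errors = On
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log

; register_globals: stop turning request parameters into global variables.
; weak: register_globals = On     (PHP < 5.4 only; removed in 5.4)
register_globals = Off

; safe_mode: owner-matching file access checks.
; weak: safe_mode = Off           (PHP < 5.4 only; removed in 5.4)
safe_mode = On

; allow_url_fopen: refuse file operations on http:// and ftp:// targets, so an
; include() whose path is attacker-controlled cannot pull in remote code.
; weak: allow_url_fopen = On
allow_url_fopen = Off
; PHP 5.2+ gates include/require of URLs with its own directive; keep it Off too.
allow_url_include = Off
```

After editing php.ini, restart the web server or PHP-FPM and confirm the effective values with a one-off phpinfo() page (remove it afterwards) or `php -i` on the command line, since the CLI and web SAPIs can read different php.ini files.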
SUMMARY
In this chapter, you learned that the best defense for many major web platform vulnerabilities includes keeping up with vendor security patches, disabling unnecessary functionality on the web server, and diligently scanning for the inevitable offender that sneaks past your predeployment validation processes. Remember, no application can be secured if it’s built on a web platform that’s full of security holes.
REFERENCES & FURTHER READING
Relevant Security Advisories
• WebLogic Node Manager Command Execution: http://www.oracle.com/technology/deploy/security/alerts.htm
• Apache Tomcat Default Blank Admin Password: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
• “Multiple Vulnerabilities in Sun-One Application Server,” includes a log evasion issue: http://archives.neohapsis.com/archives/bugtraq/2003-05/0300.html
• “Preventing Log Evasion in IIS,” by Robert Auger: http://www.webappsec.org/projects/articles/082905.shtml
• TRACK Log Bypass: http://secunia.com/advisories/10506/
• Apache Mailing Lists (subscription to the announcements list is recommended to receive security bulletin information)
• PHPXMLRPC Remote PHP Code Injection Vulnerability: http://www.hardened-php.net/advisory_152005.67.html
• PEAR XML_RPC Remote PHP Code Injection Vulnerability: http://www.hardened-php.net/advisory_142005.66.html
• phpAdsNew XML-RPC PHP Code Execution Vulnerability: http://secunia.com/advisories/15883/
• “A Study in Scarlet, Exploiting Common Vulnerabilities in PHP Applications”: http://www.securereality.com.au/studyinscarlet.txt
• PEAR XML-RPC patch: http://pear.php.net/package/XML_RPC/
• XML-RPC for PHP patch: http://phpxmlrpc.sourceforge.net
• WebInsta patch: http://www.webinsta.com/downloadm.html
Free Tools
• jad, the Java disassembler: http://www.varaneckas.com/jad
• Apache ModSecurity: http://www.modsecurity.org
• mod_chroot: http://core.segfault.pl/~hobbit/mod_chroot/
• Apache chroot(2) patch by Arjan De Vet: http://www.devet.org/apache/chroot/
• Apache SuExec documentation: http://httpd.apache.org/docs/
• The Center for Internet Security (CIS) Apache Benchmark tool and documentation: http://www.cisecurity.org/bench_apache.html
• SysInternals Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx
• Microsoft Update Service
• Microsoft UrlScan tool: http://learn.iis.net/page.aspx/726/urlscan-overview/
• Cygwin: http://www.cygwin.com/
Commercial Tools
• CORE IMPACT, a penetration testing suite from Core Security Technologies
• CANVAS Professional, an exploit development framework from Immunity: http://www.immunitysec.com
• Metasploit Express: http://www.metasploit.com/express/
General References
• IIS Security Checklist: http://www.microsoft.com/security
• “Securing Apache: Step By Step,” by Ryan C. Barnett: http://www.cgisecurity.com/lib/ryan_barnett_gcux_practical.html
• Bastille Linux Hardening Program: http://www.bastille-linux.org
• Apache Security by Ivan Ristic (O’Reilly)