26 Part I: Designing PHP Applications Minimizing User-Input Risks As previously mentioned, user input poses the most likely security risk to your Web applications. Let’s look at a few scenarios for how seemingly harmless and simple programs can be made to do malicious tasks. Running external programs with user input Listing 2-1 shows a simple PHP script called bad_whois.php (bad_ has been added so that you think twice before actually putting this script in any real Web site). Listing 2-1: bad_whois.php <?php // Set error reporting to all error_reporting(E_ALL); // Get domain name $domain = (! empty($_REQUEST[‘domain’])) ? $_REQUEST[‘domain’] : null; // The WHOIS binary path $WHOIS = ‘/usr/bin/whois’; // Execute WHOIS request exec(“$WHOIS $domain”, $output, $errors); // Initialize output buffer $buffer = null; while (list(,$line)=each($output)) { $buffer .= $line . ‘<br>’; } echo $buffer; 04 549669 ch02.qxd 4/4/03 9:24 AM Page 26 if (! empty($errors)) { echo “Error: $errors when trying to run $WHOIS<br>”; } ?> This simple script displays the whois database information for a given domain. It can be run like this: http://server/bad_whois.php?domain=evoknow.com The output is shown in Figure 2-1. Figure 2-1: Harmless output of bad_whois.php script. Now what’s wrong with this output? Nothing at all. domain=evoknow.com is used as an argument to execute the /usr/bin/whois program. The result of the script is the way it was intended by the programmer: It displays the whois database query for the given domain. But look what happens when the user runs this same script as follows: http://server/bad_whois.php?domain=evoknow.com;cat%20/etc/passwd Chapter 2: Understanding and Avoiding Security Risks 27 04 549669 ch02.qxd 4/4/03 9:24 AM Page 27 The output is shown in Figure 2-2. Figure 2-2: Dangerous output of bad_whois.php script. The user has supplied domain=evoknow.com;cat%20/etc/passswd, which is run by the script as $runext = exec(“/usr/bin/whois evoknow.com;cat /etc/passwd”, $output); The user has not only supplied a domain name for the whois program but also inserted a second command using the semicolon separator. The second command is cat /etc/passwd, which displays the /etc/passwd file. This is where this simple script becomes a tool for the malicious hackers to exploit system information or even do much more harmful activities such as running the rm -rf command to delete files and directories. Now, what went wrong with the simple script? The script programmer trusted user input and will end up paying a big price for such a misplaced trust. You should never trust user input when you have no idea who the next user is. Listing 2-2 shows an improved version of bad_whois.php script called better_whois.php. Listing 2-2: better_whois.php <?php // Set error reporting to all error_reporting(E_ALL); // Get domain name 28 Part I: Designing PHP Applications 04 549669 ch02.qxd 4/4/03 9:24 AM Page 28 $secureDomain = (! empty($_REQUEST[‘domain’])) ? escapeshellcmd($_REQUEST[‘domain’]) : null; // The WHOIS binary path $WHOIS = ‘/usr/bin/whois’; echo “Running whois for $secureDomain <br>”; // Execute WHOIS request exec(“$WHOIS $secureDomain”, $output, $errors); // Initialize output buffer $buffer = null; while (list(,$line)=each($output)) { if (! preg_match(“/Whois Server Version/i”, $line)) { $buffer .= $line . ‘<br>’; } } echo $buffer; if (! empty($errors)) { echo “Error: $errors when trying to run $WHOIS<br>”; } ?> If this script is run as http://server/bette_whois.php?domain=evoknow.com;cat%20/etc/passwd it will not run the cat /etc/passwd command, because the escaping of shell characters using the escapeshellcmd() function makes the given domain name evoknow.com\;cat /etc/passwd. Because this escaped version of the (illegal) domain name does not exist, the script doesn’t show any results, which is much better than showing the contents of /etc/passwd. So why didn’t we call this script great_whois.php? Because it still has a user- input-related problem, which is discussed in the next section. Chapter 2: Understanding and Avoiding Security Risks 29 04 549669 ch02.qxd 4/4/03 9:24 AM Page 29 Getting user input in a safe way In the preceding example, we had user input returned to us via the HTTP GET method as part of the URL, as in the following example: http://server/bette_whois.php?domain=evoknow.com When better_whois.php is called, it automatically gets a variable called $domain created by PHP itself. The value of the $domain variable is set to evo- know.com . This automatic creation of input variables is not safe. For an example, take a look at Listing 2-3. Listing 2-3: bad_autovars.php <?php error_reporting(E_ALL); // This bad example will only work // if you have register_globals = Off // in your php.ini. // This example is for educational // purpose only. It will not work in // sites with register_globals = On global $couponCode; if (is_coupon($couponCode)) { $is_customer = isCustomer(); } if ($is_customer) { echo “You are a lucky customer.<br>”; echo “You won big today!<br>”; } else { echo “Sorry you did not win!<br>”; } function is_coupon($code = null) { 30 Part I: Designing PHP Applications 04 549669 ch02.qxd 4/4/03 9:24 AM Page 30 . of bad_whois .php script called better_whois .php. Listing 2-2: better_whois .php < ?php // Set error reporting to all error_reporting(E_ALL); // Get domain name 28 Part I: Designing PHP Applications 04. shows a simple PHP script called bad_whois .php (bad_ has been added so that you think twice before actually putting this script in any real Web site). Listing 2-1: bad_whois .php < ?php // Set error. following example: http://server/bette_whois .php? domain=evoknow.com When better_whois .php is called, it automatically gets a variable called $domain created by PHP itself. The value of the $domain variable