Thông tin tài liệu
290 CHAPTER 14 ■ PREVENTING REMOTE EXECUTION function is not enough to sanitize input to VgR], because it leaves most PHP metacharacters intact, and it may cause unexpected errors in otherwise safe values. You can sanitize the PHP metacharacters in a string with a function that combines RUUd]RdYVd (to disarm all quotation marks) and decPcVa]RTV (to translate other meta- characters). Here is code for such a function, which can be found also as dRWV7`c6gR]aYa in the Chapter 14 folder of the downloadable archive of code for Pro PHP Security at Yeea+ hhhRacVddT`^. -0aYa fdVeYZdWf_TeZ`_e`dR_ZeZkVZ_afeW`cVgR] Wf_TeZ`_dRWV7`c6gR]decZ_Xl _Vh]Z_VTYVT\ _].TYc"!, ZWdeca`ddecZ_X_]l ViZedecZ_XZd_`eaVc^ZeeVURdZ_afe, n ^VeR.RccRjlnLNQ,, VdTRaVU.RccRj$'"#$"#&*"*$*'&*, RUUd]RdYVdW`cbf`eVdR_USRT\d]RdYVd `fe.RUUd]RdYVddecZ_X, decPcVa]RTVW`caYa^VeRTYRcRTeVcd `fe.decPcVa]RTV^VeRVdTRaVU`fe, cVefc_`fe, n 0/ You first check to see whether the input contains a newline character; if it does, you exit imme- diately with an appropriate message. Otherwise, you sanitize any PHP metacharacters you find in the input string by transforming them using decimal ASCII encoding. This technique will effectively render harmless any attempts at remote PHP execution, generating a parse error that can be caught by your application and handled appropriately. Use a custom function like dRWV7`c6gR] on any user input being passed as an argument to VgR]. Here is a deliberately simple example demonstrating the use of the function; this code can be found also as dRWV7`c6gR]EVdeaYa in the Chapter 14 folder of the downloadable archive of code for Pro PHP Security at Yeea+ hhhRacVddT`^. -5@4EJA6Ye^]AF3=:4 H$4 5E5I9E>="!EcR_dZeZ`_R] 6? Yeea+ hhhh$`cX EC iYe^]" 5E5 iYe^]"ecR_dZeZ`_R]UeU/ -Ye^]i^]_d.Yeea+ hhhh$`cX "*** iYe^]i^]+]R_X.V_/ -YVRU/ -eZe]V/dRWV7`c6gR]eVde- eZe]V/ -^VeRYeeaVbfZg.T`_eV_eejaVT`_eV_e.eVie Ye^],TYRcdVe.feW) / - YVRU/ -S`Uj/ SnyderSouthwell_5084C14.fm Page 290 Friday, August 5, 2005 12:06 PM CHAPTER 14 ■ PREVENTING REMOTE EXECUTION 291 -0aYa Wf_TeZ`_dRWV7`c6gR]decZ_Xl _Vh]Z_VTYVT\ _].TYc"!, ZWdeca`ddecZ_X_]l ViZedecZ_XZd_`eaVc^ZeeVURdZ_afe, n ^VeR.RccRjlnLNQ,, VdTRaVU.RccRj$'"#$"#&*"*$*'&*, RUUd]RdYVdW`cbf`eVdR_USRT\d]RdYVd `fe.RUUd]RdYVddecZ_X, decPcVa]RTVW`caYa^VeRTYRcRTeVcd `fe.decPcVa]RTV^VeRVdTRaVU`fe, cVefc_`fe, n dZ^a]VT]RddVd T]RddTfal afS]ZTT`_eV_ed, afS]ZTWf_TeZ`_PPT`_decfTel eYZd/T`_eV_ed.^Z]\, n n T]RddaZ_eVieV_UdTfal afS]ZTWf_TeZ`_PPT`_decfTel eYZd/T`_eV_ed.SVVc, n n T]Rdd^fXVieV_UdTfal afS]ZTWf_TeZ`_PPT`_decfTel eYZd/T`_eV_ed.T`WWVV, n n XVefdVcZ_afe UVT]RcVRUVWRf]egR]fVZ_TRdVfdVcU`Vd_eV_eVcZ_afe ejaV.aZ_e, ZWV^aejPA@DELejaVNl ejaV.PA@DELejaVN, n SnyderSouthwell_5084C14.fm Page 291 Friday, August 5, 2005 12:06 PM 292 CHAPTER 14 ■ PREVENTING REMOTE EXECUTION dR_ZeZkVfdVcZ_afe dRWVEjaV.dRWV7`c6gR]ejaV, TcVReV`S[VTehZeYRA9AT`^^R_UdV_ee`VgR] T`^^R_U.M`S[VTe._VhdRWVEjaV,, VgR]T`^^R_U, `S[VTeZd`WT]RdddRWVEjaV 0/ -Y$/J`fc_Vh-0.XVePT]Rdd`S[VTe0/YRd-0.`S[VTe/T`_eV_ed0/ Z_Ze- Y$/ -Yc / -W`c^^VeY`U.a`de/ >R\VR_Vh-Z_afeejaV.eVie_R^V.ejaVdZkV.$# / -Z_afeejaV.dfS^ZegR]fV.X` / - W`c^/ - S`Uj/ - Ye^]/ For demonstration purposes, this script uses VgR] in an admittedly questionable (and definitely not recommended) way; but this technique allows you to test the dRWV7`c6gR] function to see if it can really strip all PHP metacharacters from a string. You first define the function, and then define several (whimsical) classes to work with. When you first execute the script, it instantiates an object of the default type, which happens to be “pint,” and then displays a form allowing a user to request an object of a different type. A malicious user can enter on the provided form values for ejaV that include PHP metacharacters, or that otherwise try to foil dRWV7`c6gR] and inject other PHP commands into the object-instantiation command in the script, as is shown in Figure 14-4. Figure 14-4. The default output of dRWV7`c6gR]EVdeaYa, with a potential exploit entered into the form SnyderSouthwell_5084C14.fm Page 292 Friday, August 5, 2005 12:06 PM CHAPTER 14 ■ PREVENTING REMOTE EXECUTION 293 The attempted exploit shown in Figure 14-4, Tfa,aYaZ_W`,, could, if not sanitized, expose information about your system and prove that remote execution of even more dangerous commands is possible. But dRWV7`c6gR] causes the semicolon to be converted to its HTML entity equivalent, &*,, which will, in turn, generate the cryptic error shown in Figure 14-5 when passed to the VgR] function. Figure 14-5. The error generated when an exploit is attempted in dRWV7`c6gR]EVdeaYa This method is truly brute force, and the generated error is anything but graceful, but the dRWV7`c6gR] function is really meant to be the final, catchall protector of VgR], one that works even if all of your other input validation has failed. Do Not Include PHP Scripts from Remote Servers It is dangerous to Z_T]fUV PHP scripts fetched from a remote server, using, for example, the HTTP wrapper. You may want to do this if you distribute an application or libraries from a central repository to a number of servers you control. In such a situation, you might be tempted to use a script fragment such as this to include common uninterpreted PHP source from a central server: -0aYa Z_T]fUVYeea+ d`fcTVViR^a]V_Ve ^jRaa T`^^`_aYa, 0/ The reason this is dangerous has nothing to do with input. But if an attacker can trick your server into thinking that d`fcTVViR^a]V_Ve is at an IP address he controls, then T`^^`_aYa could turn out to be anything. If you do decide to include remote files like this (and its conve- nience makes it very attractive), use a hardcoded IP address at the very least, and think very hard about ways to prevent a spoofed response. But ultimately, we recommend that you try never to insert PHP code from remote sources into your system like this. There are other solutions, such as SOAP or XML-RPC requests (which we will discuss in Chapter 23), that are designed to safely execute scripts on remote servers. SnyderSouthwell_5084C14.fm Page 293 Friday, August 5, 2005 12:06 PM 294 CHAPTER 14 ■ PREVENTING REMOTE EXECUTION Properly Escape All Shell Commands If you do permit users to submit text that you intend to execute as a shell command, you must be careful to escape those strings properly before submitting them to a djdeV^ or dYV]]PViVT command. PHP’s VdTRaVdYV]]RcX function (information is at Yeea+ aYa_Ve VdTRaVdYV]]RcX) adds single quotation marks around the input string, and escapes any single quotation marks within it. As its name implies, this function is specialized for use with individual arguments to shell commands. This function returns nothing, not even , when called with an empty argument, and any script using it must take account of this specific behavior. The VdTRaVdYV]]T^U function (information is at Yeea+ aYa_Ve VdTRaVdYV]]T^U) takes a different approach, dispensing with the surrounding quotation marks and instead escaping the characters O o L N M m l n , - / 0 Q and newline (Mi"!), all of which are potentially shell metacharacters. It also escapes any unbalanced quotation marks, including those that have already been escaped. Because these two shell escape functions operate so differently, it is best to use one or the other, but not both. Which one you decide to use is largely a matter of style. We illustrate the use of the VdTRaVdYV]]RcX function with the following code, which can be found also as VdTRaVDYV]]2cX5V^`aYa in the Chapter 14 folder of the downloadable archive of code for Pro PHP Security at Yeea+ hhhRacVddT`^. -5@4EJA6Ye^]AF3=:4 H$4 5E5I9E>="!EcR_dZeZ`_R] 6? Yeea+ hhhh$`cX EC iYe^]" 5E5 iYe^]"ecR_dZeZ`_R]UeU/ -Ye^]i^]_d.Yeea+ hhhh$`cX "*** iYe^]i^]+]R_X.V_/ -YVRU/ -^VeRYeeaVbfZg.T`_eV_eejaVT`_eV_e.eVie Ye^],TYRcdVe.feW) / -eZe]V/VdTRaVdYV]]RcXUV^`- eZe]V/ - YVRU/ -S`Uj/ -0aYa T`_WZXfcReZ`_+]`TReZ`_`WdVcgVcRTTVddZS]VRfUZ` RfUZ`c``e. gRc fa]`RU RfUZ` , T`_WZXfcReZ`_+]`TReZ`_`Wd`id`f_UdR^a]VecR_d]Re`c d`i. fdc SZ_ d`i, ac`TVddfdVcZ_afe ZWV^aejPA@DEl T`]]VTefdVcZ_afe TYR__V]d.PA@DELTYR__V]dN, Z_WZ]V.PA@DELZ_WZ]VN, `feWZ]V.PA@DEL`feWZ]VN, TYVT\W`cViZdeV_TV`WRcXf^V_ed ZWV^aejTYR__V]dl TYR__V]d.", n SnyderSouthwell_5084C14.fm Page 294 Friday, August 5, 2005 12:06 PM CHAPTER 14 ■ PREVENTING REMOTE EXECUTION 295 ZWV^aejZ_WZ]VmmV^aej`feWZ]Vl ViZeJ`f^fdedaVTZWjS`eYeYVZ_afeR_U`feafeWZ]Vd, n T`_WZ_Ve`RfUZ`UZcVTe`cj ZWdeca`dZ_WZ]V 72=D6mmdeca`d`feWZ]V 72=D6l ViZe:]]VXR]Z_afeUVeVTeVU, n Z_WZ]V.RfUZ`c``eZ_WZ]V, `feWZ]V.RfUZ`c``e`feWZ]V, VdTRaVRcXf^V_ed dRWVTYR__V]d.VdTRaVdYV]]RcXTYR__V]d, dRWVZ_WZ]V.VdTRaVdYV]]RcXZ_WZ]V, dRWV`feWZ]V.VdTRaVdYV]]RcX`feWZ]V, SfZ]UT`^^R_U T`^^R_U.d`iTdRWVTYR__V]ddRWVZ_WZ]VdRWV`feWZ]V, VTY`eYVT`^^R_UcReYVceYR_ViVTfeZ_XZeW`cUV^` ViZe-acV/T`^^R_U- acV/, ViVTfeV cVdf]e.dYV]]PViVTT`^^R_U, dY`hcVdf]ed acZ_e-acV/6iVTfeVUT`^^R_U+M_cVdf]eM_- acV/, n V]dVl 0/ -Y$/6_T`UV2fUZ`- Y$/ -a/EYZddTcZaefdVdd`ie`V_T`UVRfUZ`WZ]VdWc`^-0.RfUZ`c``e0/-Sc / 6_eVceYVZ_afeR_U`feafeWZ]V_R^VdR_U`aeZ`_R]]jdVeeYV_f^SVc`W TYR__V]dZ_eYVZ_afeWZ]V-Sc / @feafeWZ]VVieV_dZ`_hZ]]UVeVc^Z_VV_T`UZ_X- a/ -W`c^^VeY`U.a`de/ -a/Z_afeTYR__V]d+ -dV]VTe_R^V.TYR__V]d/ -`aeZ`_gR]fV./Rfe`- `aeZ`_/ -`aeZ`_gR]fV."/^`_`- `aeZ`_/ -`aeZ`_gR]fV.#/deVcV`- `aeZ`_/ - dV]VTe/ - a/ -a/Z_afeWZ]V+-Z_afeejaV.eVie_R^V.Z_WZ]VdZkV."' /- a/ -a/`feafeWZ]V+-Z_afeejaV.eVie_R^V.`feWZ]VdZkV."' / -Z_afeejaV.dfS^ZegR]fV.V_T`UV /- a/ - W`c^/ SnyderSouthwell_5084C14.fm Page 295 Friday, August 5, 2005 12:06 PM 296 CHAPTER 14 ■ PREVENTING REMOTE EXECUTION -0 n 0/ - S`Uj/ - Ye^]/ After some setup configuration, if the user is entering input, you accept that input, check that each exists, and exit with an appropriate error message if anything is missing. Next, you check the input file locations to make sure that none contains a double-dot entry; if either does, you exit again with an appropriate error message. Then you sanitize each argument separately with the VdTRaVdYV]]RcX function, construct the shell command, and execute it. Finally, you output the results. If the user is not entering input, you provide a form for that purpose. You can test the efficacy of the VdTRaVdYV]]RcX function by passing it a string containing dangerous shell metacharacters. First, VdTRaVdYV]]RcX will wrap any string it is given in single quotation marks, which will cause the shell to ignore metacharacters. Then it will double-escape any single quotation marks it finds in the input, so that all values remain quoted. When the preceding script is given input of hRg for Z_WZ]V and (as an attempted exploit) ,TRe VeT aRddhU for `feWZ]V, the sanitized command is fdc SZ_ d`iT" gRc fa]`RU RfUZ` hRg➥ gRc fa]`RU RfUZ` MM,TRe VeT aRddhU The shell will treat both values as literal strings. The wildcard will not be expanded, and the attempt to inject another command will fail. The VdTRaVdYV]]RcX command should be called on each separate argument being passed to a shell command. The proper application of the VdTRaVdYV]]T^U function, on the other hand, is on the entire command, path, executable, and arguments, right before it is executed. We illustrate the use of the VdTRaVdYV]]T^U function with the following code, which is a frag- ment of an entire script containing an alternative to the input-checking routine contained in the VdTRaVDYV]]2cX5V^`aYa script we provided earlier in this section. This code fragment, which needs to be used with the same HTML wrapper as provided earlier, can be found also as VdTRaVDYV]]4^U5V^`aYa in the Chapter 14 folder of the downloadable archive of code for Pro PHP Security at Yeea+ hhhRacVddT`^. -0aYa T`_WZXfcReZ`_+]`TReZ`_`WdVcgVcRTTVddZS]VRfUZ` RfUZ`c``e. gRc fa]`RU RfUZ` , T`_WZXfcReZ`_+]`TReZ`_`Wd`id`f_UdR^a]VecR_d]Re`c d`i. fdc SZ_ d`i, ac`TVddfdVcZ_afe ZWV^aejPA@DEl T`]]VTefdVcZ_afe TYR__V]d.PA@DELTYR__V]dN, Z_WZ]V.PA@DELZ_WZ]VN, `feWZ]V.PA@DEL`feWZ]VN, SnyderSouthwell_5084C14.fm Page 296 Friday, August 5, 2005 12:06 PM CHAPTER 14 ■ PREVENTING REMOTE EXECUTION 297 TYVT\W`cViZdeV_TV`WRcXf^V_ed ZWV^aejTYR__V]dl TYR__V]d.", n ZWV^aejZ_WZ]VmmV^aej`feWZ]Vl ViZeJ`f^fdedaVTZWjS`eYeYVZ_afeR_U`feafeWZ]Vd, n T`_WZ_Ve`RfUZ`UZcVTe`cj ZWdeca`dZ_WZ]V 72=D6mmdeca`d`feWZ]V 72=D6l ViZe:]]VXR]Z_afeUVeVTeVU, n Z_WZ]V.RfUZ`c``eZ_WZ]V, `feWZ]V.RfUZ`c``e`feWZ]V, SfZ]UT`^^R_U T`^^R_U.d`iTTYR__V]dZ_WZ]V`feWZ]V, VdTRaVT`^^R_U T`^^R_U.VdTRaVdYV]]T^UT`^^R_U, VTY`eYVT`^^R_UcReYVceYR_ViVTfeZ_XZeW`cUV^` ViZe-acV/T`^^R_U- acV/, ViVTfeV cVdf]e.dYV]]PViVTT`^^R_U, dY`hcVdf]ed acZ_e-acV/6iVTfeVUT`^^R_U+M_cVdf]eM_- acV/, V_UZWV^aejPA@DE n 0/ This script is essentially identical to the form-processing part of VdTRaVDYV]]2cX5V^`aYa, but rather than escape each argument individually, we first construct the entire T`^^R_U string and then apply the VdTRaVdYV]]T^U function to it. Using sample testing input similar to what we used earlier, hRg for Z_WZ]V and the attempted exploit W``,TRe VeT aRddhU for `feWZ]V, the sanitized command becomes fdc SZ_ d`iT" gRc fa]`RU RfUZ` MhRg gRc fa]`RU RfUZ` W``M,TRe VeT aRddhU Since both the and the , are escaped, the shell will not treat them as metacharacters, and the attempted exploit fails. SnyderSouthwell_5084C14.fm Page 297 Friday, August 5, 2005 12:06 PM 298 CHAPTER 14 ■ PREVENTING REMOTE EXECUTION Beware of SUHJBUHSODFH Patterns with the H Modifier A little-known method of executing arbitrary code within scripts is built into PHP’s acVXPcVa]RTV function (a more powerful alternative to decPcVa]RTV, with the flexibility of regular expres- sions for the pattern and replacement parameters; see Yeea+ aYa_Ve acVXPcVa]RTV for more information). If the regular expression pattern passed into the function has the V modifier (designated by appending V to the pattern), then the replacement string is executed as PHP code as each pattern is located. The PHP Manual provides the following example, modified here for demonstration purposes: -0aYa Ye^]3`Uj.-V^/9V]]`- V^/, aReeVc_. -M 0MhLO/N/ V, cVa]RTV^V_e.MM"dece`faaVcMM#MM$, _Vh9E>=.acVXPcVa]RTVaReeVc_cVa]RTV^V_eYe^]3`Uj, VTY`_Vh9E>=, 0/ The pattern here defines three contiguous elements to look for, each delimited by parentheses. Each of these will be addressed as a backreference in the replacement. The first is - (the left angle bracket character, which opens a tag, optionally followed by the slash used in closing tags); the second is whatever comes next (the contents of the tag); the third is / (the right angle bracket, which closes the tag). The entire pattern specification therefore is intended to find every tag and closing tag. The whole pattern is delimited by a (slash) at beginning and end. After the ending slash appears the V modifier. In the replacement string, the first and third backreferences (designated by MM" and MM$) are - (or - ) and / respectively, while the second backreference (designated by MM#) is whatever value is found in between each - and / as the acVXPcVa]RTV steps through the subject (in this case, Ye^]3`Uj). The PHP instruction that is executed is therefore dece`faaVc for the content of each different tag, and the replacement value for each tag found is the same tag but with its content in uppercase. Notice that the backreference designations (MM", MM#, and MM$; in alternative notation ", #, and $) must be enclosed in single quotation marks to avoid being interpreted as PHP code. When we store the value of the output from the acVXPcVa]RTV in a new variable, echo that, and view source for the output, we find that source to be -6>/9V]]`- 6>/. The acVXPcVa]RTV function has executed the dece`faaVc function on the content of each tag that the pattern found. This simple example should show how powerful the V modifier can be. But power is danger when it comes to attacks, as we’ll demonstrate with a simple acVXPcVa]RTV-based template system. A Vulnerable Template System Templating systems are useful because they allow a user with no knowledge of PHP (an order clerk, for example) to generate a message by simply entering replacement values for the embedded variables. Let’s imagine that your Sales department has created the following template for an order acknowledgment letter: SnyderSouthwell_5084C14.fm Page 298 Friday, August 5, 2005 12:06 PM CHAPTER 14 ■ PREVENTING REMOTE EXECUTION 299 5VRcLWZcde_R^VN EYR_\j`fW`cj`fccVTV_e`cUVc`WLac`UfTe_R^VN HVhZ]]SVUV]ZXYeVUe`dV_Uj`fLe`eR]TRdVdNTRdVd`_LdYZaaZ_XUReVN This template could constitute the basis for a form into which the clerk enters appropriate values. Your receiving script could replace all of those bracketed items with real values at run-time, and thus generate a message ready to be sent to the customer. The code could look something like this: -0aYa cVecZVgVeYVWZcde_R^VV_eVcVUSjeYVT]Vc\ WZcde_R^V.3VeY, aRceZR]eV^a]ReVW`cUV^`_decReZ`_ eV^a]ReV.5VRcLWZcde_R^VN, eV^a]ReVV_XZ_V+ aReeVc_+WZ_Ud`^VeYZ_XZ_ScRT\VedR_UfdVVW`cVgR] H2C?:?8+eYZdaReeVc_T`_eRZ_dRgf]_VcRSZ]ZejW`cUV^`_decReZ`_afca`dVd aReeVc_. MLMN V, cVa]RTV^V_e+acVaV_URe`eYVSRT\cVWVcV_TVTcVReZ_XRA9AgRcZRS]V cVa]RTV.MMM", `feafe.acVXPcVa]RTVaReeVc_cVa]RTVeV^a]ReV, `feafe acZ_e`feafe, 0/ When acVXPcVa]RTV is called, it matches the string [firstname] in the template (here, for demonstration purposes, just one short line). Since the firstname part of the search pattern (but not the brackets) is in parentheses, it is available as a backreference, specifically MM" (alter- natively "), the first and with this demonstration template only one. The replacement string then becomes WZcde_R^V. The V modifier on the end of aReeVc_ causes the replacement value to be handed over to the VgR] function (so that it is evaluated as PHP code; in this case, simply a variable), with the result that the string WZcde_R^V becomes Beth. The output of this script, then, is Dear Beth, the first line of the form letter. But this kind of templating system, because it relies on the VgR] function to carry out its work, contains potential for danger. That danger resides not in what the clerk enters as the value for templated variable, but rather in the template itself. If an attacker (perhaps a disgrun- tled employee in a large corporation) could modify that template, she could make the template engine target not a simple variable name but rather some actual PHP code. Then, when that engine evaluates the template, it executes that code rather than simply substituting a variable’s value for its name. Let’s walk through an example: 1. We imagine that a malicious user gains access to the template and modifies it to be not 5VRcLWZcde_R^VN but rather this: 5VRcLlacZ_ePc8=@32=DnN. SnyderSouthwell_5084C14.fm Page 299 Friday, August 5, 2005 12:06 PM [...]... thousands of other programmers who wrote the code you run, did at preventing such behavior: how many layers are there to your security onion? At any rate, the assumption has certainly proven true for many servers that have been compromised in the past We know how to provide iron-clad protection against remote execution exploits: just make it absolutely impossible for unexpected PHP code or shell commands... storage for files in the process of being transferred These are the files named by PHP s superglobal $_FILES['userfile']['tmp_name'] variable • System files being used to store session properties (or other temporary data) in between HTTP requests For session properties, these are the files named for the session ID (typically something like sess _74 83ae44d51fe21353afb 671 d13f7199) • Interim storage for... SnyderSouthwell_5084.book Page 309 Saturday, July 16, 2005 6:14 AM CHAPTER 15 ■ ENFORCING SECURITY FOR TEMPORARY FILES Putting together these bits and pieces results in the following script fragment, which can be found also as createUniqidTempfile .php in the Chapter 15 folder of the downloadable archive of code for Pro PHP Security at http://www.apress.com < ?php // define the parts of the filename define ('TMP_DIR','/tmp/');... createSHA1Tempfile .php in the Chapter 15 folder of the downloadable archive of code for Pro PHP Security at http://www.apress.com 309 SnyderSouthwell_5084.book Page 310 Saturday, July 16, 2005 6:14 AM 310 CHAPTER 15 ■ ENFORCING SECURITY FOR TEMPORARY FILES < ?php // for demonstration, reuse data from createUniqidTempfile .php $pathPrefix = '/tmp/skiResort'; // for demonstration, construct a secret here $secret... for Pro PHP Security at http://www.apress.com < ?php // create a temporary file $tempname = '/tmp/mytestfile'; $tempfile = fopen( $tempname, 'w+' ); fwrite( $tempfile, 'hello\n' ); fclose( $tempfile ); // attempt to protect from hijacking by hashing the file contents $hash = sha1_file( $tempname ); 313 SnyderSouthwell_5084.book Page 314 Saturday, July 16, 2005 6:14 AM 314 CHAPTER 15 ■ ENFORCING SECURITY. .. sniffable by anyone else listening on the same network, whether those packets are protected by the Wired Equivalent Privacy (WEP) security protocol or not (because, as we discussed in Chapter 5, WEP uses the porous RC4 stream-encryption algorithm, and provides security against only casual attacks) Unwitting Exposure PHP s transparent session ID feature, which appends the current session ID to all relative... unqualified person’s gaining such access.) But if such an attacker were to get in, a file named 20 07_ Confidential_Sales_Strategies.tmp would probably be of great interest to him, especially if he worked for your employer’s biggest competitor Similarly, a file named something like sess_95 971 078 f4822605e7a18c612054f658 could be interesting to someone looking to hijack a session containing a user’s login... Page 318 Wednesday, July 27, 2005 12:24 PM 318 CHAPTER 16 ■ PREVENTING SESSION HIJACKING We next create the script which we are linking to, in order to demonstrate the ability of PHP s session mechanism to maintain values across the two scripts The following code can be found also as dVddZ`_5V^`#�aYa in the Chapter 16 folder of the downloadable archive of code for Pro PHP Security at Yeea+ hhh�RacVdd�T`^... $tempFilename ); ?> This script generates a filename something like /tmp/skiResort91c8247fb32eebc639d27ef148➥ 02 976 d624a20ee using the hashed secret, creates the file, and sets its permissions to 600 The name of this file would never need to be passed to another process, because it can be generated whenever it is needed by any process that knows how to construct the secret Make Permissions Restrictive We have... only mildly effective Use Secure Sockets Layer Our primary recommendation for preventing session abuse is this: if a connection is worth protecting with a password, then it is worth protecting with SSL or TLS (which we discussed in Chapter 7) SSL provides the following protection: • By encrypting the value of the session cookie as it passes back and forth from client to server, SSL keeps the session ID . dRWV7`c6gR]aYa in the Chapter 14 folder of the downloadable archive of code for Pro PHP Security at Yeea+ hhhRacVddT`^. -0aYa fdVeYZdWf_TeZ`_e`dR_ZeZkVZ_afeW`cVgR] Wf_TeZ`_dRWV7`c6gR]decZ_Xl . process might look something like the following script fragment, which can be found also as createSHA1Tempfile .php in the Chapter 15 folder of the downloadable archive of code for Pro PHP Security. malicious user can enter on the provided form values for ejaV that include PHP metacharacters, or that otherwise try to foil dRWV7`c6gR] and inject other PHP commands into the object-instantiation
Ngày đăng: 12/08/2014, 13:21
Xem thêm: Pro PHP Security phần 7 pdf, Pro PHP Security phần 7 pdf
