SitePoint Sponsor

User Tag List

Results 1 to 3 of 3

Thread: Suggested Security Feature for PHP - reaally simple solution to shell attacks et al

  1. Jun 26, 2007 21:38 #1
    clickbuild
    clickbuild is offline
    SitePoint Member
    Join Date
    Mar 2006
    Posts
    0
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Suggested Security Feature for PHP - reaally simple solution to shell attacks et al

    Hey All,

    Like every sysadmin I am concerned about php shell attacks - I have many layers of security in place for mail and web but it occurred to me that there is an incredibly simple way to thwart almost all php injection - but it requires a modification to the PHP library.

    The concept? "validation tokens".

    A token can be placed in the PHP.INI file, http.conf container or htaccess, can be in one or all of those places and might look like this:

    validation_token=AABBCCDDEEFF

    Without this token at the head of a PHP script, the script would not run. Again an example might be:

    <?
    #token:AABBCCDDEEFF

    If this were in place you could choose to secure any or all servers, files, directories etc against "foreign" scripts.

    Would this be a PITA to switch to - probably
    Would it cause some problems along the way - almost certainly
    Would it prevent anyone but authorized users from executing PHP scripts and provide an almost infinite layer of protection for all servers / clients / folders / files... I think so.


    Please feel free to shoot holes in this idea - if it stands up to a bit of scrutiny I'd love to suggest it as a feature to the PHP team - or maybe someone can come up with a patch or mod.


    Steve
  2. Jun 26, 2007 21:58 #2
    cranial-bore
    cranial-bore is offline
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,633
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Consider this code
    PHP Code:
    <?php
    #token:AABBCCDDEEFF

    require($_GET['page']);
    ?>
    Normally this would be a big security hole if the $_GET value isn't checked...someone could easily include a remote script.

    Unless I misunderstand your idea I don't think the token would solve anything (if remote includes are still enabled). The local script has provided a valid token, and now the dangerous, remote code is just getting executed in the global scope.

    include et al are pretty much like copying and pasting the code directly.
    mikehealy.com.au
    diigital.com art, design . Latest WorkSaturday Morning
  3. Jun 27, 2007 02:31 #3
    earl-grey
    earl-grey is offline
    An average geek earl-grey's Avatar
    Join Date
    Mar 2005
    Location
    Ukraine
    Posts
    1,403
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    cranial-bore, I think clickbuild meant that all scripts (so the ones which aren't requested directly, but included as well) should have the token

    Idea is nice, but it's not very practical: would you edit all script files to contain the required token? Sure, this could be automated to some extent, like to auto-add token for all local scripts on the server level, but remote would still have to be edited manually.

    I still think that the best way to protect from "PHP injection" is to make sure that you include the right thing
    My weblog
« Previous Thread | Next Thread »

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules