PHP and the OWASP Top Ten Security Vulnerabilities

The Open Web Application Security Project released a helpful document that lists what they think are the top ten security vulnerabilities in web applications.

These vulnerabilities can, of course, exist in PHP applications. Here are some tips on how to avoid them. I’ve included related links and references where relevant.

1. Unvalidated Parameters

Most importantly, turn off register_globals. This configuration setting defaults to off in PHP 4.2.0 and later. Access values from URLs, forms, and cookies through the superglobal arrays $_GET, $_POST, and $_COOKIE.

Before you use values from the superglobal arrays, validate them to make sure they don’t contain unexpected input. If you know what type of value you are expecting, make sure what you’ve got conforms to an expected format. For example, if you’re expecting a US ZIP Code, make sure your value is either five digits or five digits, a hyphen, and four more digits (ZIP+4). Often, regular expressions are the easiest way to validate data:

if (preg_match('/^\d{5}(-\d{4})?$/', $_GET['zip'])) {
    $zip = $_GET['zip'];
} else {
    die('Invalid ZIP Code format.');
}

If you’re expecting to receive data in a cookie or a hidden form field that you’ve previously sent to a client, make sure it hasn’t been tampered with by sending a hash of the data and a secret word along with the data. Put the hash in a hidden form field (or in the cookie) along with the data. When you receive the data and the hash, re-hash the data and make sure the new hash matches the old one:

// sending the cookie
$secret_word = 'gargamel';
$id = 123745323;
$hash = md5($secret_word.$id);
// the cookie value is "<id>-<hash>", matching the explode() below
setcookie('id', $id.'-'.$hash);

// receiving and verifying the cookie
list($cookie_id,$cookie_hash) = explode('-',$_COOKIE['id']);
if (md5($secret_word.$cookie_id) == $cookie_hash) {
    $id = $cookie_id;
} else {
    die('Invalid cookie.');
}

If a user has changed the ID value in the cookie, the hashes won’t match. The success of this method obviously depends on keeping $secret_word secret, so put it in a file that can’t be read by just anybody and change it periodically. (But remember, when you change it, old hashes that might be lying around in cookies will no longer be valid.)
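As an added example (not code from the original article), the same tamper check rebuilt with a keyed hash: hash_hmac() (PHP 5.1.2 and later) replaces md5($secret_word.$id), hash_equals() (PHP 5.6 and later) compares the tags in constant time, and the id is format-checked before it is used. The secret shown is a constructed placeholder.

```php
<?php
// Added example, not the article's code: keyed-hash version of the cookie check.
// The secret is a constructed placeholder; keep the real one in a file outside
// the web root, as the article advises.
$secret_word = 'replace-me-with-a-long-random-secret';

// Build the cookie value "<id>-<tag>" for an id you trust.
function sign_id($id, $secret)
{
    // HMAC instead of md5($secret.$id): the key is mixed in properly and the
    // tag cannot be extended by someone who does not know the key.
    return $id . '-' . hash_hmac('sha256', (string) $id, $secret);
}

// Return the verified id, or null if the cookie is missing, malformed or forged.
function verify_id($cookie_value, $secret)
{
    if (!is_string($cookie_value)) {
        return null;
    }
    $parts = explode('-', $cookie_value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($cookie_id, $cookie_tag) = $parts;
    // Validate the id's format first, exactly as the ZIP Code example does.
    if (!preg_match('/^\d{1,12}$/', $cookie_id)) {
        return null;
    }
    $expected = hash_hmac('sha256', $cookie_id, $secret);
    // hash_equals() runs in constant time. A plain == would compare
    // numeric-looking hex strings (for example ones starting with "0e") as
    // numbers, so two different tags could compare equal.
    return hash_equals($expected, $cookie_tag) ? (int) $cookie_id : null;
}

// Constructed demonstration: an issued cookie, and the same cookie with its
// id edited by the client. verify_id() accepts the first and rejects the second.
$issued   = sign_id(123745323, $secret_word);
$tampered = '999999999' . substr($issued, strpos($issued, '-'));

var_dump(verify_id($issued, $secret_word));
var_dump(verify_id($tampered, $secret_word));
// In the real flow: setcookie('id', $issued) when sending,
// verify_id($_COOKIE['id'], $secret_word) when receiving.
```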

See Also:

  • PHP Manual: Using Register Globals
  • PHP Cookbook: Recipe 9.7 ("Securing PHP’s Form Processing"), Recipe 14.3 ("Verifying Data with Hashes")

2. Broken Access Control

Instead of rolling your own access control solution, use the PEAR Auth packages: Auth does cookie-based (form login) authentication for you, and Auth_HTTP does browser-based (HTTP) authentication.

3. Broken Account and Session Management

Use PHP’s built-in session management functions for secure, standardized session management. However, be careful how your server is configured to store session information. For example, if session contents are stored as world-readable files in /tmp, then any user that logs into the server can see the contents of all the sessions. Store the sessions in a database or in a part of the file system that only trusted users can access.

To prevent network sniffers from scooping up session IDs, session-specific traffic should be sent over SSL. You don’t need to do anything special to PHP when you’re using an SSL connection, but you do need to specially configure your webserver.

See Also:

  • PHP Manual: Session handling functions
  • PHP Cookbook: Recipe 8.5 ("Using Session Tracking"), Recipe 8.6 ("Storing Sessions in a Database")

4. Cross-Site Scripting (XSS) Flaws

Never display any information coming from outside your program without filtering it first. Filter variables before including them in hidden form fields, in query strings, or just plain page output.

PHP gives you plenty of tools to filter untrusted data:

  • htmlspecialchars() turns & > " < into their HTML-entity equivalents and can also convert single quotes by passing ENT_QUOTES as a second argument.

  • strtr() filters any characters you’d like. Pass strtr() an array of characters and their replacements. To change ( and ) into their entity equivalents, which is recommended to prevent XSS attacks, do:
    $safer = strtr($untrusted, array('(' => '&#40;', ')' => '&#41;'));

  • strip_tags() removes HTML and PHP tags from a string.

  • utf8_decode() converts the ISO-8859-1 characters in a string encoded with the Unicode UTF-8 encoding to single-byte ASCII characters. Sometimes cross-site scripting attackers attempt to hide their attacks in Unicode encoding. You can use utf8_decode() to peel off that encoding.
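An added example (not code from the original article) of the filtering described above: one encoding helper built from htmlspecialchars() with ENT_QUOTES plus the article's strtr() step, applied to a hidden form field whose name and value come from outside the program. The test input is constructed.

```php
<?php
// Added example, not the article's code: output encoding for page output and
// for hidden form fields, the two contexts the text mentions.
function esc_html($untrusted)
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // both double- and single-quoted attributes; the charset is given explicitly.
    $encoded = htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
    // The extra strtr() step from the article, with the correct entity codes.
    return strtr($encoded, array('(' => '&#40;', ')' => '&#41;'));
}

// A hidden field whose name and value both came from outside the program,
// so both are encoded.
function hidden_field($name, $untrusted_value)
{
    return '<input type="hidden" name="' . esc_html($name)
         . '" value="' . esc_html($untrusted_value) . '">';
}

// Constructed test input that tries to close the value attribute early and
// add an attribute of its own.
$input = '" onfocus="alert(1)" x="';

// Vulnerable: the raw value is pasted straight into the markup, so the
// browser parses the injected attribute.
$unsafe = '<input type="hidden" name="q" value="' . $input . '">';

// Hardened: every " becomes &quot; and ( ) become &#40; &#41;, so the
// browser sees a single attribute containing literal text.
$safe = hidden_field('q', $input);

echo $unsafe, "\n", $safe, "\n";
```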

5. Buffer Overflows

You can’t allocate memory at runtime in PHP and there are no pointers like in C, so your PHP code, however sloppy it may be, won’t have any buffer overflows. What you do have to watch out for, however, are buffer overflows in PHP itself (and its extensions). Subscribe to the php-announce mailing list to keep abreast of patches and new releases.

6. Command Injection Flaws

Cross-site scripting flaws happen when you display unfiltered, unescaped malicious content to a user’s browser. Command injection flaws happen when you pass unfiltered, unescaped malicious commands to an external process or database. To prevent command injection flaws, in addition to validating input, always escape user input before passing it to an external process or database.

If you’re passing user input to a shell (via a command like exec(), system(), or the backtick operator), first, ask yourself if you really need to. Most file operations can be performed with native PHP functions. If you absolutely, positively need to run an external program whose name or arguments come from untrusted input, escape program names with escapeshellcmd() and arguments with escapeshellarg().

Before executing an external program or opening an external file, you should also canonicalize its pathname with realpath(). This expands all symbolic links, resolves . (current directory) and .. (parent directory) components, and removes duplicate directory separators. Once a pathname is canonicalized you can test it to make sure it meets certain criteria, like being beneath the web server document root or in a user’s home directory.

If you’re passing user input to a SQL query, escape the input with addslashes() before putting it into the query. If you’re using MySQL, escape strings with mysql_real_escape_string() (or mysql_escape_string() for PHP versions before 4.3.0). If you’re using the PEAR DB database abstraction layer, you can use the DB::quote() method or use a query placeholder like ?, which automatically escapes the value that replaces the placeholder.
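An added example (not code from the original article) of the canonicalization check described above: a user-supplied file name is resolved with realpath(), confirmed to lie beneath one allowed directory, and only then passed to a shell command through escapeshellarg(). The directory and files are constructed in the system temp directory, and the shell step assumes a Unix system with wc available.

```php
<?php
// Added example, not the article's code: canonicalize a user-supplied file name
// with realpath() and confirm it stays beneath one allowed directory before it
// reaches a native file function or an external program. $base is a
// constructed stand-in for your document root or upload directory.
function safe_path_under($base, $untrusted_name)
{
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;                      // the base directory itself is missing
    }
    $candidate = realpath($base_real . DIRECTORY_SEPARATOR . $untrusted_name);
    if ($candidate === false) {
        return null;                      // no such file, or a dangling symlink
    }
    // Compare against base plus a trailing separator: a bare prefix test would
    // accept /srv/uploads2/x as being "inside" /srv/uploads.
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // ../ or a symlink led outside $base
    }
    return $candidate;
}

// Constructed demonstration: one file inside the allowed directory, one outside.
$tmp     = sys_get_temp_dir();
$base    = $tmp . DIRECTORY_SEPARATOR . 'uploads_demo_' . getmypid();
$outside = $tmp . DIRECTORY_SEPARATOR . 'outside_demo_' . getmypid() . '.txt';
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.txt', "one\ntwo\n");
file_put_contents($outside, "not for the web app\n");

var_dump(safe_path_under($base, 'report.txt'));                 // legitimate name
var_dump(safe_path_under($base, '../' . basename($outside)));   // traversal attempt
var_dump(safe_path_under($base, 'missing.txt'));                // nonexistent file

// Only a canonical, in-bounds path may reach the shell, and only via escapeshellarg().
$path = safe_path_under($base, 'report.txt');
if ($path !== null) {
    echo trim((string) shell_exec('wc -l ' . escapeshellarg($path))), "\n";
}

unlink($base . DIRECTORY_SEPARATOR . 'report.txt');
unlink($outside);
rmdir($base);
```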

7. Error Handling Problems

If users (and attackers) can see the raw error messages returned from PHP, your database, or external programs, they can make educated guesses about how your system is organized and what software you use. These educated guesses make it easier for attackers to break into your system. Error messages shouldn’t contain any descriptive system information. Tell PHP to put error messages in your server’s error log instead of displaying them to a user with these configuration directives:

log_errors = On
display_errors = Off

8. Insecure Use of Cryptography

The mcrypt extension provides a standardized interface to many popular cryptographic algorithms. Use mcrypt instead of rolling your own encryption scheme. Also, be careful about where (if anywhere) you store encryption keys. The strongest algorithm in the world is pointless if an attacker can easily obtain a key for decryption. If you need to store keys at all, store them apart from encrypted data. Better yet, don’t store the keys and prompt users to enter them when something needs to be decrypted. (Of course, if you’re prompting a user over the web for sensitive information like an encryption key, that prompt and the user’s reply should be passed over SSL.)

9. Remote Administration Flaws

When possible, run remote administration tools over an SSL connection to prevent sniffing of passwords and content. If you’ve installed third-party software that has a remote administration component, change the default administrative user names and passwords. Change the default administrative URL as well, if possible. Running administrative tools on a different web server than the public web server they administer can be a good idea as well.

10. Web and Application Server Misconfiguration

Keep on top of PHP patches and security problems by subscribing to the php-announce mailing list. Stay away from the automatic PHP source display handler (AddType application/x-httpd-php-source .phps), since it lets attackers look at your code. Of the two sample php.ini files distributed with PHP ( php.ini-dist and php.ini-recommended), use php.ini-recommended as a base for your site configuration.

Suppose your XP system has two user accounts: one that you use every day, set up as a Limited User, and another in the Administrators group, used for system maintenance. Your computer sits in a secure place and you are the only person with physical access to it. Which of the following two choices is more secure?

  • You give the administrator account a blank password;
  • You give the administrator account a strong 15-character password made of randomly generated letters, numbers and symbols.

Believe it or not, the blank password provides considerably more protection. Because of the strengthened security mechanisms introduced in Windows XP, an account with a blank password can only be used for direct logon, either at the Welcome screen or in the Windows logon dialog. You cannot log on to a password-less account through Remote Desktop, nor can you use the Run As feature to enter that account. An attacker trying to break into your machine likewise cannot obtain administrator access over the network.

Original Post By Ed Bott

Yesterday the Future S China IT Management Forum R8 was held in the municipal government lecture hall of the Shanghai Urban Planning Exhibition Center, with the theme Control, Audit and Governance. Guests from IBM, AVOCENT, SYMANTEC, JUNIPER, BEARPOINT and DELOITTE attended, along with the director of the Shanghai Information Center.

Cisco VPN Concentrators Vulnerable to IKE Resource Exhaustion DoS Attack

NTA Monitor has discovered a denial of service vulnerability in Cisco's VPN 3000 series concentrator products. The vulnerability affects Phase 1 of IKE protocol negotiation. Both Main mode and Aggressive mode are affected, whether transported over UDP or TCP.

By exploiting this vulnerability, an attacker can send a large number of IKE requests that exhaust the VPN concentrator's IKE resources, which prevents other legitimate clients from connecting to the VPN, causes key exchanges to fail, or even renders the device unusable, achieving a DoS. The attack does not require high bandwidth; a single attacker can take down multiple VPN concentrators. The mechanism behind this vulnerability is similar to the well-known TCP SYN flood.

The vulnerability allows an attacker to open a large number of new IKE sessions against a remote VPN concentrator faster than the invalid sessions in the concentrator's queue time out, so the queue keeps growing and the concentrator's resources are exhausted.

To exploit this vulnerability, the attacker needs to send IKE packets at a rate exceeding the VPN concentrator's IKE session timeout rate. Testers found that a target concentrator generally begins to be affected at around 2 packets per second, and becomes unavailable at 10 packets per second. Calculated with the smallest Main mode packet, 112 bytes per packet, ten packets per second amounts to about 9 kbps.

This vulnerability is not just a problem of Cisco VPN devices; it very likely affects every VPN product that uses the IKE version 1 standard. It is a protocol-level flaw, similar to TCP's SYN flood weakness. But this attack is easier to carry out than a SYN flood: rather than the large volume of packets and bandwidth a SYN flood requires, a small amount of traffic is enough to mount a crippling DoS attack against a device providing VPN services. Since there is currently no good solution, might the VPN vendors consider upgrading the IKE protocol they use to a higher version? Perhaps DoS and DDoS will accompany the Internet's development forever, always a headache for everyone, and also the reason the security industry stays in business.

Serious Security Vulnerability in WordPress Blog Software v2.03 and Earlier

If you use WordPress, it is recommended that you immediately disable the “Anyone Can Register” option in the Options menu.

Leaving it open and letting people sign-up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.

WordPress dev team has been notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).

Source: Dr Dave

Using Google, we may find network nodes that have no security protection at all; through them, many different devices can be controlled, such as network printers, PBXs, enterprise phone systems, routers, webcams, and of course websites themselves. All of these can be found by Google. But Google's usefulness as a hacking tool does not stop there: it can also serve an attacker as a kind of proxy. While common security tools can help an attacker scan and map a company's network structure, with Google the attacker can leave that work entirely to Google. This not only avoids the risk of reconnaissance, but also makes the information-gathering process very hard for system administrators to detect and block. Google can be used to query the site topology of some websites, and with a little additional information, hackers can easily sketch the real topology of a company network.

Multiple Vulnerabilities Found in Cisco MARS

Just last Friday I attended Cisco's product training for MARS (Cisco Security Monitoring, Analysis and Response System (CS-MARS)), and today multiple vulnerabilities in it were reported. I am not very optimistic about this product either: first, it is software Cisco acquired from someone else, and second, Cisco is still too green at security.
Cisco released earlier today an advisory pointing out vulnerabilities in one of their security managment products: Cisco Security Monitoring, Analysis and Response System (CS-MARS).

  • The included Oracle database has default passwords
  • The included JBoss webserver allows remote code execution
  • A privilege escalation problem that allows administrators to gain root access to the machine

  • The Oracle database bundled with MARS uses many of Oracle's default accounts, along with their default passwords, so that anyone who can reach the database can directly obtain sensitive data.
  • The JBoss web application server bundled with MARS contains a component that allows remote access, which lets unauthorized users remotely execute arbitrary commands at the privilege level of the MARS administrator.
  • The MARS command line contains multiple vulnerabilities that allow an authorized administrator to execute arbitrary commands with root privileges.

  • Large-scale deployment of public key infrastructure: identity certificates, personal signatures, encryption, mutual authentication and similar means to protect website information, email content and important documents.
  • SSL technology everywhere. No longer limited to e-commerce, SSL is increasingly being built into enterprise applications and network devices.
  • Plug-and-play data-layer protection. Adopting data encryption has usually meant rewriting applications, writing custom code and changing business processes, but the latest solutions can transparently encrypt data, file systems and storage media.
  • The cryptography bottleneck. Thanks to fast encryption and decryption hardware, there is no longer much need to worry that encryption will severely affect system throughput.
  • Inexpensive dynamic tokens that provide strong authentication. Enterprises do not want to rely on simple passwords alone to protect access to confidential systems, but adding such protection used to require a very large investment. Now, as a product of competition, dynamic tokens implement complex functions in small devices such as USB sticks while greatly reducing cost.
  • Scalable key management. Key management is becoming more and more important across the cryptographic lifecycle, which in turn drives the need to scale it. Many such products can manage and automatically distribute keys in large enterprise environments.
  • Identity management systems for devices as well as people. Early identity management systems also handled privileges and access to business systems, but gradually these systems have extended identification and authorization to devices and automated systems, not just people.

This Trojan exploits a Microsoft PowerPoint vulnerability to inject several Trojan files into the system for remote control. The email may be sent from Gmail; the subject and attachment usually have Chinese names, with the attachment named [Chinese name].ppt. Once the .ppt file is opened, the malicious code runs and drops a Trojan into the operating system directory as %System%\regvrt.exe (a variant of Backdoor.Bifrose.E, by Symantec's naming), injects itself into the EXPLORER.EXE process, regenerates a clean .ppt document and displays its contents.