Quicksearch
Calendar
|
Saturday, January 6. 2007
Cross-Domain POST Redirection Posted by Ilia Alshanetsky
in PHP, Security at
13:07
Comments (12) Trackbacks (0) Cross-Domain POST Redirection
Every web developer knows how to make a GET redirect, in fact they've probably done it numerous times. However very few people know the same can be done for POST requests, in some instances completely transparently to the user. This by itself make not seem like an issue, but when you combine it with XSS it can be a very powerful to used to scam users.
Consider the following scenario. A user goes to a trusted site where XSS had modified the action field of the login POST form, pointing it to http://p0wn3d.com/post.php. When user submits a request it goes to a 3rd party site, which captures the login credentials and then redirects the POST data to the original site. In the end to the user has no clue something sinister had happened because they never see p0wn3d.com. In fact the everything appears to have worked as intended. So how does this work. Ability to redirect POST comes as a courtesy of the little known 307 redirect code. Which in PHP can be forced in the following manner: PHP:
Now, according to the RFC "If the 307 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued." Alas, unlike the Opera and FireFox developers, the IE developers have never read the spec, and even the latest, most secure IE7 will redirect the POST request from domain A to domain B without any warnings or confirmation dialogs! Safari also acts in an interesting manner, while it does not raise a confirmation dialog and performs the redirect, it throws away the POST data, effectively changing 307 redirect into the more common 302. Thursday, January 4. 2007
5.2.1RC2 Available for Testing Posted by Ilia Alshanetsky
in PHP at
19:22
Comments (8) Trackback (1) 5.2.1RC2 Available for Testing
The 2nd release candidate for PHP 5.2.1 is now available for download. The tarballs can be found here:
http://downloads.php.net/ilia/php-5.2.1RC2.tar.bz2 (cc6024531e3d4058e32cf740e2fe535f) http://downloads.php.net/ilia/php-5.2.1RC2.tar.gz (3f89c31687762a39f1360b380dd315b4) Since the last release over 30 different bug fixes were made and the two pending patches relating to is_numeric_string() optimization and internal heap protection for the Zend Engine allocator were added. Another important change was the fact that the memory limit is now always enabled and to accommodate this change the default limit value was raised to 128 megabytes to avoid script breakage. We do not anticipate any regressions to be introduced by this RC, but I would still like to ask everyone to take a few minutes and test it against their code base. If you come across any issues report them via http://bugs.php.net/ or reply to this blog post. Friday, December 15. 2006
PHP 5.2.1 RC1 Available for testing Posted by Ilia Alshanetsky
in PHP at
11:38
Comments (4) Trackbacks (0) PHP 5.2.1 RC1 Available for testing
The first release candidate of PHP 5.2.1 scheduled for late January is now available for download. The tarballs can be found here:
php-5.2.1RC1.tar.bz2 (md5sum: cc6024531e3d4058e32cf740e2fe535f) php-5.2.1RC1.tar.gz (md5sum: bafcdff32bcaa564f65293c1c42d117e) For win32 users binaries are available courtesy of Edin php-5.2.1RC1-Win32.zip (md5sum: 00d6833308931fa58581574b8d364e12) php-debug-pack-5.2.1RC1-Win32.zip (md5sum: ac86975945193455658d85921d835e60) This release is primarily aimed at improving the stability of the language and finalization of features introduced in 5.2.0. There are over 70 different bug fixes, a great deal of performance improvements for Windows users, corrections to the memory manager and the improvement in the filter functionality. I'd like to ask everyone to try this release out and let us know if you come across any issues and/or regressions. Wednesday, December 13. 2006mail() logging for PHP
One of the common problems faced by web hosting companies offering PHP is the abuse of the mail() function to send spam. This problem has became further exasperated lately due to use of automated tools that seek sites vulnerable to PHP code execution and use the security hole to inject mailer code that then proceeds to send tons of spam.
This of course causes a series problem for a web host such as increased server load, possibility of getting blacklisted and thus having all mail generated by the server rejected and even problems with an up-stream provider. One of the problems with solving the mail() abuse is figuring out who is doing it or perhaps what script was exploited to do it, since the mail() function does not offer any logging mechanism. The uid identifier is generally useless because when PHP is ran as an Apache modules all script share the web server's uid, which yet another reason to use FastCGI. To address this problem one my client's had asked me to write a mail() logging and tracking facility that can be used to quickly identify the offending scripts and was kind enough to permit me to share the code with with the community. The mailing logging patch, which you can download here, offers two features which can be controlled via INI settings for the entire PHP setup or on a per-virtual-host level. The first option, mail.add_x_header (boolean) allows you to enable the addition of the X-PHP-Originating-Script header to each mail sent by mail(), which will include the uid of the script and its name. The combination of the two should be sufficient to identify the user to whom the script belongs and via a simple find command locate the actual script. This option is intended primarily for instances where you have a bounced e-mail or a forwarded mail with a spam complaint, allowing you to quickly identify the offender. The second option, mail.log (takes a filename) allows you to enable logging of every single mail() call, each log line will include the fullpath of the file and the line where the mail() was called from in addition to the "To" address and any headers (to keep track of CC, BCC) that were part of the function call. To ensure that each log line is 1 line long, \r and \n are replaced with spaces. Wednesday, December 13. 20062007 PHP Conferences
It looks like my first two conferences for 2007 are finalized.
Things will start in March with the annual PHP Quebec conference where I'll be giving a tutorial on Securing PHP Applications and a session on Migration to PHP 5.2. The conference has an excellent selection of speakers, which includes Rasmus, Derick, Andrei, Marcus and many others and a slew of interesting topics. I'd definitely recommend attending it, especially to Canadians for whom this is probably going to be the closest conference this year. The next conference, PHP|Tek is about two month later in Chicago, organized by PHP|Architect, who are trying a new city every year . I have a fairly full agenda, courtesy of Sean, with two tutorials and a session, so I fully expect to lose my voice after the first day. The tutorials will be on High Performance PHP & Securing PHP Applications and will be followed by a quick session on PHP Security Pitfalls two days later. A lot of great speakers during this conference as well, with Sara, Marcus, Derick, Chris, Wez and others making an appearance. While the location is not particularly exciting, it is easy to travel to and should simpler to convince the boss to go to then the previous PHP|Tek's outings. For US folk, it does not even require crossing the border, which if the rumors are to believed is a BIG motivator Monday, December 11. 2006Why are you not using PHP 5?
Damien has published the November stats for PHP usage and the year to date summary and a few interesting trends emerge.
It would seem that despite a 300% growth (from <4% to >12%) in PHP 5.X usage in 2006, it still only commands about 12% of the entire PHP user base. Majority of people still use PHP 4 and when it comes to upgrading (as you can see from a drop in <4.3 usage and the rise if 4.4 usage) upgrade to latest 4 version. So, the question emerges, why are people not upgrading to PHP 5 and what can be done to help ease the migration? Some of the old complains about speed have already been addressed, and in our tests 5.2 shows to be faster then any prior version of PHP to date. There have also been an enormous amount of work done to make things stable, if you look at the open PHP 4 bugs, you'll note that most of them include notes indicating that the issue was resolved in PHP 5. The migration pains are also nearly non-exists as you can see from this talk, vast majority of PHP 4 code will work without changes on PHP 5. As a 5.X release master, I am very interested in hearing what's holding back 5.X adoption and what can we, as the developers do in 2007 to help speed of 5.X adoption. Friday, December 1. 2006
IE6 and IE7 Testing Simplified Posted by Ilia Alshanetsky
in PHP, Stuff at
10:15
Comments (10) Trackbacks (0) IE6 and IE7 Testing Simplified
With the release of IE7 many web developers were faced with a need to test their applications on the different versions of IE, but had no means to do so since only one IE can run on Windows. Now there were different hacks available around it, but in most instances you ended up using portion of IE7 libs for IE6 emulation and thereby not getting quite the same behavior.
Today on IE blog a much better solution was offered by Microsoft (kudos guys). Basically they've allowed Windows owners (after genuine advantage check, which now can be done via Firefox as well) to download WinXP SP2 image with IE6 and run via a free download of "Virtual PC 2004". This means you can safely upgrade you WinXP box to IE7 and run IE6 via an image, thus giving you 2 versions of IE on the same machine this minimum amount of hassle. Wednesday, November 29. 2006
Network Scanning with HTTP without ... Posted by Ilia Alshanetsky
in PHP, Stuff at
19:50
Comments (4) Trackbacks (0) Network Scanning with HTTP without JavaScript
The concept of doing network scanning via JavaScript is hardly new and is quite easy for anyone with even cursory knowledge of JavaScript. However, the assumption was that as long as you browse the web with JavaScript disabled you are safe from hostile sites from scanning your network. Alas, this was not to be, in a very interesting post Jeremiah Grossman shows how can this be done with plain HTML using no JavaScript what so ever.
His methodology relies on Firefox's quirk, whereby the page loading would wait for the <link> tag to be processed before rendering the rest of the page. This means you could use the link tag to reference local IPs and use a subsequent image to see how long did it take for the IP to respond. If the response was very quick, then you know the host has something listening on a given port and if it does not, well then the port is being blocked or filtered. The problem with his approach is that to scan an entire network would be rather slow and require multiple iframes to perform the scan. Not to mention very noticeable, I decided to see if something can be done about this limitation. Continue reading "Network Scanning with HTTP without JavaScript" Friday, November 24. 2006Search Engine Hacking & more
There was a very interesting article posted on the Securiteam blog which talks about anonimizing code injection attacks. The approach is quite simple and yet rather ingenious, simply submit to Google the vulnerable application URL with the attack payload passed via the GET parameters. And within a short period of time Googlebot will dutifuly trying to index the URL, effectively executing the attack. Stefan had also explored this issue on his blog with some examples showing how to ensure more rapid indexing, so you wouldn't have to wait weeks for exploit to be triggered.
However, everybody seemed to have focus on Google, which maybe a bit unfair to them since other search engines suffer the same kind of problems. For example if we take MSN (Microsoft's Search) and run the "inurl:cmd.gif" query that SecuriTeam folks used to test Google, we find a fair number of results. Which tells us that hackers believe in equal opportunity and use MSN as much as Google to propagate their attacks. But there are other ways too. For example an attack could post an anonymous message on a blog or a forum with an image embedded into where the image url is not an image but rather a URL vulnerable site with embed payload. Which means that when other people read their message their browsers in most cases will make requests to the given URL thus triggering the attack. This is hardly new though, this scam has been used for ages to inflate hit counter stats, etc... Another vector of attack could be to use application that retrieve content from a URL automatically, such as the w3c validator, that will instantly make a request to any given URL and more over return you the resulting HTML at the time obscuring the actual attacker's IP address. It be interesting to know what other sites allow this kind of behavior where a user supplied URL is instantly retrieved hiding the original user's IP. Monday, November 20. 2006
PHP Extension & Configuration ... Posted by Ilia Alshanetsky
in PHP at
14:56
Comments (0) Trackbacks (0) PHP Extension & Configuration Information
Damien is continuing his very handy phpinfo() research work, this time focusing on the popularity of the different PHP extensions people utilize with PHP and some interesting configuration directives such as disable_functions. You can find the graphs and summaries here and here.
A very interesting read to anyone writing or considering writing distributable applications that need to work in different PHP environments. Friday, November 3. 2006PHP 5.2.0 is finally out!
After an extremely long (IMO) release cycle the final version of PHP 5.2.0 was finally released yesterday morning. There are many new features, speed improvements and a fair number of security changes. You can read the official release announcement for a quick summary of the major changes and the specifics can be found in a very long and somewhat boring to read changelog
The bottom line is that all users of PHP 5.x should definitely upgrade and for 4.x users need to seriously start thinking about migrating as well, since we've finally got a 5 release that not only is feature complete but is also faster or at the minimum performs at the same speed as PHP 4.4. Big thanks to all the contributors who made patches, reported bugs and ran tests to hopefully make a solid release. Wednesday, November 1. 2006
ZendCon. Caching System Slides Posted by Ilia Alshanetsky
in PHP, Talks at
18:13
Comments (6) Trackbacks (0) ZendCon. Caching System Slides
The slides for the Caching Systems talk are now available online, they can be downloaded here.
Wednesday, November 1. 2006
ZendCon PHP Security Slides Posted by Ilia Alshanetsky
in PHP, Talks at
12:29
Comments (0) Trackbacks (0) ZendCon PHP Security Slides
The slides from my talk on PHP Security are now up and can be found in PDF form at the bottom on my talks page. The talk was unfortunately rather short and I had to rush through a number of things, so my apologies if things felt a bit rushed, but I think the key points were hit and as far as an overall overview it was pretty good. Those interested in hearing more about security can review my slides from previous conferences that go into a bit more detail as far as the various security issues.
Monday, October 30. 2006
Zend Con. PHP & Performance ... Posted by Ilia Alshanetsky
in PHP, Talks at
16:12
Comments (2) Trackbacks (0) Zend Con. PHP & Performance Slides are up!
The slides from the PHP & Performance tutorial I've given during the Zend's PHP Conference are now up, you can find them at the bottom of my talks page here. To all the people who have gotten up really early in the morning, thanks for attending and hopefully you've found something interesting for yourself during the talk.
Update: Rasmus has kindly pointed out that stripping while drastically reducing the size (basic binary is about 3x smaller), does not actually impact the startup speed in any measurable speed. A quick test with php-cgi from latest CVS appears to confirm this, so unless you want to save disk space at expense of debug symbols, do not strip! Thanks Rasmus. Wednesday, October 25. 2006
Taking suggestions for the filter ... Posted by Ilia Alshanetsky
in PHP at
10:18
Comments (36) Trackbacks (0) Taking suggestions for the filter extension
As you may know PHP 5.2.0 will feature a very capable filtering extension that can be used to easily validate your input via a number of rules which you can find here. What I am interested in hearing is are there any other common types of data collected by PHP forms that would be worth while adding filters for into the extension. My own suggestions would be the phone (US/EU formats) and postal/zip code validators.
So let's hear what you have to say Brief Disclaimer: Consider this an RFC of sorts, the suggestions if widely supported may not get integrated and any additions will need to have the implicit agreement of all the filter extension developers before being added. |
Categories
|