Archive

Archive for the ‘PHP Security’ Category

PHP Security – Weak salt vulnerabilities

July 17th, 2009 No comments

Salt is good; but if the salt becomes unsalty, with what will you make it salty again?

- Jesus

Salting your hashes is a good thing.  It adds another layer of protection to your hash and defeats precomputed rainbow tables should your hash get out.  It has been standard practice to use a salt when storing passwords and similar information for almost 30 years now.  Using a weak salt can significantly reduce the protection it gives you.  A salt should also be only an additional layer of protection for your hashes, not your only protection: using a salt doesn't suddenly mean that sharing your hashes with the world is a good thing.
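To make the "weak salt" point concrete, here is an added example written for this page (it is not code from the original post): a site-wide constant salt beside a per-user random salt, and finally password_hash(), which manages its own salt. SHARED_SALT, the function names and the sample password are all constructed for the demonstration.

```php
<?php
// Added example (not from the original post): contrasting a weak, shared salt
// with a per-user random salt. Names such as hashWithSharedSalt() are hypothetical.
declare(strict_types=1);

// Weak pattern: one fixed salt for every account. A single precomputed table
// built against this one value covers every user, so the salt buys very little,
// and two users with the same password get the same hash.
const SHARED_SALT = 'site-wide-constant'; // constructed value

function hashWithSharedSalt(string $password): string
{
    return hash('sha256', SHARED_SALT . $password);
}

// Stronger pattern: a fresh, random salt per user, stored next to the hash.
// 16 bytes from the CSPRNG makes every user's salt unique in practice.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

function hashWithUserSalt(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// Preferred today: password_hash() picks a random salt and a slow algorithm
// and embeds both in the returned string, so the application never handles
// the salt directly and password_verify() can read it back.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Demonstration: two accounts that chose the same (constructed) password.
$pw = 'correct horse battery staple';

$sharedSame = hashWithSharedSalt($pw) === hashWithSharedSalt($pw);
printf("shared salt, same password -> same hash: %s\n", $sharedSame ? 'yes' : 'no');

$saltA = makeSalt();
$saltB = makeSalt();
$userSame = hashWithUserSalt($pw, $saltA) === hashWithUserSalt($pw, $saltB);
printf("per-user salt, same password -> same hash: %s\n", $userSame ? 'yes' : 'no');

$stored = storePassword($pw);
printf("password_hash verifies the right password: %s\n", checkPassword($pw, $stored) ? 'yes' : 'no');
printf("password_hash verifies a wrong password: %s\n", checkPassword('wrong password', $stored) ? 'yes' : 'no');
```

The first comparison is what a shared salt leaks: identical passwords collapse to identical hashes, so one cracked entry reveals every account that reused it. With a per-user salt the two hashes differ, and with password_hash() the salt is generated, stored and checked for you, which is the simplest way to avoid choosing a weak one.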

Categories: PHP Security

PHP Security – Escape proof SQL injection in ORDER BY clause

May 13th, 2009 4 comments

http://xkcd.com/327/

It's a well known, well documented, and well abused fact that SQL injection attacks can take place in the WHERE clause of a SQL statement. The commonly applied practice among professionals is to run user input through mysql(i)_real_escape_string(). However, this only protects user input that is placed inside quoted string values, and does not protect against SQL injection elsewhere in the query.

One place that is commonly vulnerable is the ORDER BY clause. Many developers either do not understand that mysql(i)_real_escape_string() does not protect them from these attacks, or do not think that meaningful SQL injection can be done at this point in the query on a single-statement engine like MySQL. As a result, this vulnerability can be found and exploited in many applications and websites, both commercial and open source, personal and corporate.
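One way to close the hole described above, as an added example that is not code from the original post: the escaped-but-unquoted construction is shown for contrast, and beside it an allowlist that maps the user's sort choice onto fixed SQL identifiers so that no user input ever reaches the query text. The table and column names and the function names buildOrderByUnsafe() and buildOrderBySafe() are assumptions.

```php
<?php
// Added example (not from the original post). Builds the ORDER BY clause from
// an allowlist instead of from escaped user input. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: escaping a bare identifier does nothing useful.
// mysqli_real_escape_string() only escapes characters that would terminate a
// quoted string; an unquoted column name or direction is interpolated as-is,
// so the caller still controls the structure of the statement.
function buildOrderByUnsafe(mysqli $db, string $column, string $dir): string
{
    $column = mysqli_real_escape_string($db, $column);
    $dir    = mysqli_real_escape_string($db, $dir);
    return "SELECT id, name, created FROM items ORDER BY $column $dir";
}

// Hardened pattern: map the request onto fixed SQL fragments. Anything outside
// the map is rejected, so the query text is assembled only from literals.
function buildOrderBySafe(string $column, string $dir): string
{
    $columns = [
        'id'      => 'id',
        'name'    => 'name',
        'created' => 'created',
    ];
    $dirs = ['asc' => 'ASC', 'desc' => 'DESC'];
    $dirKey = strtolower($dir);

    if (!isset($columns[$column])) {
        throw new InvalidArgumentException('unknown sort column');
    }
    if (!isset($dirs[$dirKey])) {
        throw new InvalidArgumentException('unknown sort direction');
    }
    return 'SELECT id, name, created FROM items ORDER BY '
        . $columns[$column] . ' ' . $dirs[$dirKey];
}

// Constructed request parameters standing in for $_GET['sort'] and $_GET['dir'].
// The third pair is rejected because 'price' is not in the allowlist.
foreach ([['name', 'desc'], ['created', 'ASC'], ['price', 'asc']] as [$col, $dir]) {
    try {
        echo buildOrderBySafe($col, $dir), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()} (sort=$col, dir=$dir)\n";
    }
}
```

In a real handler the returned string goes to mysqli_query() or a prepared statement, with any WHERE values still bound as parameters. The review check is simple: a sort key that is not in the map must raise, and the query text must never contain a substring that came from the request.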

Categories: PHP Security

PHP Upload Security & The 1×1 jpeg Hack

April 4th, 2009 5 comments
Far too often, I've seen example PHP code, or live PHP code, where the file upload check consists exclusively of

    $_FILES['userfile']['type'] == 'image/jpeg'

or

    getimagesize($filename)

or

    strpos($_FILES['userfile']['name'], '.jpg') !== false
    strstr($_FILES['userfile']['name'], 'jpg')

followed by something like

    move_uploaded_file($_FILES['userfile']['tmp_name'], PUBLIC_WEB_UPLOAD_DIR . $_FILES['userfile']['name']);

All of these methods leave the server completely vulnerable to remote script uploading and execution with the 1×1 jpeg hack.

How this can be exploited
To execute the 1×1 jpeg hack on a PHP server:

1. Create a 1×1 jpeg.
2. Put the PHP code you want executed on the server in the embedded jpeg header, surrounded by PHP tags.
3. Name your file some_random_name.jpg.php.
4. Tell your browser/OS that a .php file is of type image/jpeg.
5. Upload the file.

When that file is uploaded to a server that uses the above method(s) as a "security" check against remote file upload and execution, it will pass all checks and will be executed whenever it is requested by a client browser, whether through a direct request in the address bar or an embedded request in an <img> tag.
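A handler that avoids all three weak checks, as an added example written for this page (it is not code from the original post): it determines the type from the file contents rather than the client's name or declared type, re-encodes the image through GD so that only pixel data survives, and chooses the stored filename and extension itself. UPLOAD_DIR, MAX_BYTES and storeJpegUpload() are assumed names.

```php
<?php
// Added example (not code from the original post): an upload handler that does
// not trust the client-supplied name or type. UPLOAD_DIR, MAX_BYTES and
// storeJpegUpload() are hypothetical names chosen for this example.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';  // assumed path; serve it without script execution
const MAX_BYTES  = 2 * 1024 * 1024;     // assumed limit

function storeJpegUpload(array $file): string
{
    // 1. Accept only a file that PHP itself received through the upload
    //    mechanism, and only if the transfer completed.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Decide the type from the bytes on disk, never from $_FILES['type']
    //    or the client's filename. Like getimagesize(), this only inspects
    //    the magic bytes, so it is a gate, not the real defence.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('not a JPEG');
    }

    // 3. Re-encode the image with GD. Decoding and writing a fresh JPEG keeps
    //    the pixels and discards everything else in the original container,
    //    including anything placed in its headers or comment segments.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG could not be decoded');
    }

    // 4. Choose the stored name ourselves: random, with an extension we set,
    //    so a client-supplied "something.jpg.php" never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name;
}

// Usage from a form with <input type="file" name="userfile">:
//   $stored = storeJpegUpload($_FILES['userfile']);
// $stored is the server-chosen filename to record in the database.
```

Because the stored name and extension come from the server, a client-supplied name ending in .php is never written to disk, and the re-encode drops whatever was embedded in the original JPEG's headers. Serving the upload directory with script execution disabled in the web server configuration is a separate layer worth adding on top of this, since it holds even if a future code change weakens the handler.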

Categories: PHP Security