Tips That Every PHP Developer Should NOT Know

Saturday, August 13. 2005

Saturday, August 13. 2005



Tobias Schlitt gave me a link to the article 10 Tips That Every PHP Developer Should Know, Part 2 by Jeffery Vaska that recently appeared on phpbuilder.com. I was kinda shocked when I saw Tip #5, that describes howto deal with $_GET and $_POST. It mentions that a developer can use extract($_POST) to eliminate the need of assigning every single entry manually. It also mentions:

This is a matter of
convenience and is not always a best practice.

It completely fails to mention, that using extract() without using prefixes or the parameter EXTR_SKIP is usually a very big security hole, because it allows an external attacker to overwrite every variable, including the superglobals (unless you use the Hardening-Patch) and this can lead in many cases to SQL injection or even Remote Code Execution Vulnerabilities.


Gulftech has recently released an advisory for Squirrelmail, that describes exactly such an extract($_POST) flaw.


As advertisement for my own project, I have to mention, that the Hardening-Patch does not only protect against the fact that superglobals can be overwritten with import_request_variables() or extract(), but also protects scripts that do this globalising themself, by looping through the arrays. Unfortunately it is not possible to completely forbid EXTR_OVERWRITE or similiar things, because this will break too many scripts.


Let us just hope, that not too many read the extract() tip.


Posted by Stefan Esser in Security, PHP at 12:13
Comments (6)
Link to this post


Comments
Display comments as (Linear | Threaded)

#1 elias wrote (Link) ()
I've commented your link to the article. Tip #9 is also not really uber cool, he missed to mention escaping. Maybe he he rely on magic_quotes :-)
posted on Saturday, August 13. 2005
#2 Gijs ()
How can this be exploitedn then? Some overflow string?
posted on Saturday, August 13. 2005
#2.1 Stefan wrote (Link) ()
Well imagine the following code

$path_to_files = dirname(__FILE__);
...
include $path_to_files . "/header.php";
...
extract($_POST);
...
include $path_to_files . "/footer.php";

This is a common structure of source code. And in this case one just needs to send a POST request that contains the key 'path_to_files' and the extract() will overwrite the global variable $path_to_files, with whatever the attacker supplied. A classical Remote URL Include Vulnerability. (This kind of Vulnerability is found VERY often, but often they don't use extract() but unpack the $_POST with their own foreach construct)

And the SQL Injection example would be f.e. an SQL query like

SELECT field1, field2, field FROM {$table_prefix}_table ...

Here one could simply overwrite the $table_prefix. (This is an actual vulnerabilitiy that was fixed some time ago in an application I audited).

-Stefan
posted on Saturday, August 13. 2005
#3 Gijs ()
Wow, that is indeed a security bug.
Thanks for the explanation.
posted on Saturday, August 13. 2005
#4 Matthean ()
FYI. This tip has been removed from the article.
posted on Monday, August 15. 2005
#5 NetNerd85 ()
I recently read about extract in Beginning PHP5, Apache, MySQL Web Development by several members of phpbuilder.com. Now I read all about the security holes they forgot to mention. I must say I have not read more garbage in my life. I am still learning PHP but I know enough to know what not to do. Never read the above book it is full of security holes and badly written lessons.
posted on Friday, August 19. 2005

Add Comment

Standard emoticons like :-) and ;-) are converted to images.
 

 
Calendar
Back July '09
Mon Tue Wed Thu Fri Sat Sun
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    
Archives
July 2009
June 2009
May 2009
Recent...
Older...
Categories

All categories
Syndicate This Blog
Protected By

Hardening-Patch for PHP