Posts Tagged ‘security’

Apple, Microsoft and PHP are vulnerable

August 26th, 2008 by Ivo

I recently came across this article:

"Apple, Microsoft, PHP headline IBM's list of most vulnerable software"

This article once again demonstrates the cluelessness that some people have regarding what PHP is. First of all, PHP is not a vendor, so "Apple, Microsoft & PHP" does not make much sense. Furthermore, the only reason PHP even is mentioned in this context is that Joomla, Drupal and WordPress appear in the list. So PHP, a programming language, gets blamed for the security flaws that are in these packages.

With the same data, I might conclude that C is more insecure than PHP; after all, there are more C-based vendors/products in the list than PHP products.

But they're not just clueless about PHP, they also list Linux as a Vendor in their top 10 list. Linux is an operating system, not a vendor.

Sometimes I wish these reporters would talk to people that know what they're talking about before they write such an article.

Don’t use addslashes for database escapes

November 30th, 2007 by Ivo

On a regular basis, I still encounter the following conversation:

"What do you do against SQL injection?"
"I escape the data."
"How?"
"addslashes"

This is not the best way to escape data. The most important reason is security. addslashes can lure you into a false sense of security. As Chris Shiflett points out, there are situations in which addslashes doesn't escape properly.

Use mysql_real_escape_string instead.

When using a different database, such as Oracle, addslashes won't help either: the single quote escape for MySQL is \', but for Oracle it's '' (a doubled single quote). For each database there is an alternative to mysql_real_escape_string.

An even better way to handle this problem is to use prepared statements, for example with PDO. PDO uses prepared statement capabilities of the database if supported, or emulates it when it isn't supported. In a prepared statement, it is a lot harder to exploit SQL injections.
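To make the three approaches from this post concrete, here is an added example (not code from the original post). It runs against an in-memory SQLite database so it works stand-alone; the users table and its column are made up. SQLite, like Oracle, only understands the doubled quote, which is exactly the case addslashes gets wrong:

```php
<?php
// Added example, not from the original post. In-memory SQLite so it runs
// anywhere; table name and column are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT NOT NULL)');

$name = "O'reilly";

// 1. addslashes() produces MySQL-style backslash escaping: O\'reilly.
//    SQLite (like Oracle) only accepts the doubled quote O''reilly, so the
//    resulting statement is not even valid SQL on this database.
$sql = "INSERT INTO users (name) VALUES ('" . addslashes($name) . "')";
try {
    $pdo->exec($sql);
    echo "addslashes query accepted (backslash escaping happened to match)\n";
} catch (PDOException $e) {
    echo "addslashes query rejected: " . $e->getMessage() . "\n";
}

// 2. Driver-aware quoting: PDO::quote() applies the rules of the connected
//    database. This is the per-database alternative the post refers to
//    (for MySQL via mysqli it is mysqli::real_escape_string).
$sql = 'INSERT INTO users (name) VALUES (' . $pdo->quote($name) . ')';
$pdo->exec($sql);

// 3. Prepared statement with a bound parameter: the value travels separately
//    from the SQL text, so no quoting rule has to be matched by hand at all.
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Read back what was stored: both driver-aware methods keep the quote intact.
foreach ($pdo->query('SELECT rowid, name FROM users ORDER BY rowid') as $row) {
    printf("row %d: %s\n", $row['rowid'], $row['name']);
}
```

Running this prints the rejection for the addslashes statement followed by two rows containing O'reilly. Setting PDO::ATTR_EMULATE_PREPARES to false on drivers that support server-side prepares (MySQL does) makes the third variant use the database's own prepared statements rather than PDO's client-side emulation.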

Many people know about the disadvantages of addslashes, and it's even covered in the ZCE exam, but still a lot of people use addslashes. Probably one of the main reasons is that the documentation at php.net still states this:

"An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it. Most databases do this with a \ which would mean O\'reilly."

The comments in the manual mention the problems, but many developers will not read those.

So even if this is old news, it's good to draw attention to it every once in a while.

ATK 6.1 released

August 30th, 2007 by Ivo

I just released ATK 6.1. It contains several new features such as Ajax based dialogs, a new language file (Indonesian), and several bug fixes.

The most important however is that it fixes an XSS vulnerability based on the usage of $_SERVER["PHP_SELF"] that we had overlooked.
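The pattern behind that vulnerability is common enough to be worth spelling out. The following is an added example, not ATK's code: PHP_SELF contains whatever path info the client appended to the script name, so writing it into HTML unescaped lets request data land in the page. The $server array here is constructed to stand in for $_SERVER:

```php
<?php
// Added example, not code from ATK. Shows the unescaped use of PHP_SELF and
// two hardened forms; the request values in $server are constructed.
declare(strict_types=1);

// Before: request-controlled path info is written straight into an attribute.
function formActionUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// After (minimal fix): escape for the HTML attribute context before output.
function formActionEscaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// After (preferred): don't reflect the request at all. SCRIPT_NAME is the
// script's own path without the client's path info; it is escaped anyway.
function formActionSafe(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Constructed request: the client asked for /index.php/"><b>injected</b>
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PHP_SELF'    => '/index.php/"><b>injected</b>',
];

echo formActionUnsafe($server), "\n";   // attribute is closed early, markup leaks in
echo formActionEscaped($server), "\n";  // the quote and brackets become entities
echo formActionSafe($server), "\n";     // <form action="/index.php" method="post">
```

The escaped variant is the one-line change to apply everywhere PHP_SELF is printed; the SCRIPT_NAME variant removes the request-controlled value from the output entirely.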

It is recommended to upgrade ATK applications to ATK 6.1.

The release can be found on http://www.achievo.org/atk/download

The changelog is included in the release, and at http://www.achievo.org/atkdemo/atk/doc/CHANGES

Bugtraq report for Achievo 1.1

May 16th, 2007 by Ivo

Yesterday someone reported a security issue in bugtraq:

http://www.securityfocus.com/bid/23992/info

Although the issue was reported directly to SecurityFocus and not to us, I want to stress that this is a bug in an old version of Achievo. Version 1.2 that was released over a year ago already had a fix for this issue. (The report originally didn't mention this but I had them include the info on 1.2 when I discovered the report.)

Those of you still running Achievo 1.1 are advised to upgrade to the latest stable version of Achievo, 1.2.1.

If that is not an option, the issue can be fixed in two ways:

  • Make sure that register_globals is turned off in php.ini. The problem is not present when this setting is turned off.
  • Edit index.php, and add the line $config_atkroot = "./"; right in front of the include of atk.inc
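Here is the second workaround written out, as an added example rather than Achievo's actual index.php. It sets $config_atkroot unconditionally before any include, and additionally refuses to run while register_globals is on, so that a php.ini change cannot silently reintroduce the problem. The exact include line for atk.inc is assumed:

```php
<?php
// Added example, not Achievo's real index.php. The file names come from the
// post; the include path below is an assumption about the original line.

// Assign the value first, before anything is included, so the script never
// depends on whether a request variable of the same name was present.
$config_atkroot = "./";

// register_globals should be off. ini_get() returns "" or "0" when it is off
// and false when the directive does not exist at all (PHP 5.4 and later
// removed it), so only an explicit "1"/"on" value passes this check.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit("register_globals is enabled; turn it off in php.ini before running this application\n");
}

// Assumed include line; adjust to match the real one in index.php.
$atkInc = $config_atkroot . "atk.inc";
if (is_file($atkInc)) {
    include_once $atkInc;
} else {
    echo "atk.inc not found at $atkInc (example run outside an Achievo install)\n";
}
```

The assignment alone is the fix the post describes; the register_globals check is a defensive addition that turns a misconfiguration into a visible error instead of a quiet weakness.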

When in doubt, or if you have questions regarding this issue, please consult the Achievo forum or contact me directly.

I know my way around PHP. I've been working on frameworks, web applications and CMS'es for almost 6 years now. I'm even a Zend Certified Engineer.

Still, last week I amazed myself in how stupid I can be. :)

ATK can be downloaded with a demo application. To aid the developer, most pages in the demo application have a 'view source' link. What was I thinking when I used __FILE__ to determine the source file and pass that to a viewer through the url, not checking the validity of the filename? I created a 'Local File Include Vulnerability': any logged in user was able to tamper with the URL, and for example use ?file=/etc/passwd to view any file that the webserver has read access to.

I've read numerous blogs about the subject, read slides and articles from security experts such as Chris Shiflett, but still, one unguarded moment of late night, sleep-deprived hacking and bang, there you have it.

Luckily, it was only the demo application, which is usually not installed in public places, and also, you still have to log in to actually be able to exploit anything, but still, it is discomforting how relatively easy it is to make such mistakes.

(A fix was immediately released of course, at http://www.achievo.org/atk/download you can find the 5.2.2 version which fixes this issue).
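For readers who have a similar 'view source' link in their own app, here is an added example (not ATK's demo code) of the check that was missing: the requested name is resolved with realpath() and accepted only if the canonical result still lies inside the demo directory and is a .php file. The directory layout it builds under the system temp dir is constructed for the demo:

```php
<?php
// Added example, not ATK's code: a 'view source' handler that refuses any
// path outside an allowlisted directory. The temp-dir layout is constructed.
declare(strict_types=1);

/**
 * Resolve $requested relative to $baseDir. Returns the canonical path, or null
 * if it does not exist, escapes $baseDir, or is not a .php file.
 */
function resolveSourceFile(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ segments and symlinks, so the prefix check is
    // made on the canonical path, never on the string the client supplied.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved to somewhere outside the demo directory
    }
    if (strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') {
        return null; // only demo sources are meant to be viewable
    }
    return $path;
}

// Build a small constructed tree: one viewable demo page, one file outside it.
$root = sys_get_temp_dir() . '/atkdemo_' . bin2hex(random_bytes(4));
mkdir("$root/demo", 0700, true);
file_put_contents("$root/demo/hello.php", "<?php echo 'hi';\n");
file_put_contents("$root/secret.txt", "not for the viewer\n");

$requests = ['hello.php', '../secret.txt', '/etc/passwd', 'missing.php'];
foreach ($requests as $requested) {
    $resolved = resolveSourceFile("$root/demo", $requested);
    printf("%-16s -> %s\n", $requested, $resolved === null ? 'rejected' : 'ok: ' . basename($resolved));
}

// Only a resolved path ever reaches the viewer.
$ok = resolveSourceFile("$root/demo", 'hello.php');
if ($ok !== null) {
    highlight_file($ok);
}

// Clean up the constructed tree.
unlink("$root/demo/hello.php");
unlink("$root/secret.txt");
rmdir("$root/demo");
rmdir($root);
```

Only hello.php is accepted; the other three requests are rejected before any file is opened. An even tighter variant maps an opaque page id to a file name in a fixed array, so the client never supplies a path at all.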

There is also some positive news about ATK. Boy wrote a new howto on custom record actions. This shows how to do a lot more with your app than the usual CRUD operations.

Guido did some excellent work last week on an Open Office template engine. It is now possible to generate Open Office documents right from an atkNode. As usual, documentation comes second, so it's undocumented right now, but it is already available in the nightly build. If you want to experiment with it, we can help you on IRC or in the forum. We will give a demonstration of this new functionality at our booth at the PHP Conference in Frankfurt next week.

Finally, Sandy created a new CRM module for Achievo. It's far from finished (it only works with Achievo 1.1, not yet with the development version), but it's a start. This one is available from Achievo's nightly build page.