
(Brent) #1

Harden Your PHP


If you have a server with PHP, be aware that you are in control of a powerful
tool. The worst oversight someone could make is to allow any parameter
that comes in from the URI to become a global variable. This is turned off
by default on PHP installs in version 4.2.0 and onward, but your
configuration may have changed. In fact, some tutorials recommend that
you turn it on for a script to work: this is a very, very bad idea.


You can easily test if globals are enabled:



  1. Create a new file named test.php.

  2. Add the following code to it:
    <?php echo $ouch; ?>

  3. Upload the file to your server.

  4. Browse to the file, and send a parameter called ouch; for example:
    http://example.com/test.php?ouch=that+hurts

  5. If your browser shows “that hurts”, then your server has globals
    registered.

  6. Contact your server admin to get this fixed!


Why is this important? Well, in our explanation of XSS earlier, we talked
about attackers being able to add code to your page through the URI
parameters your script reads. If you don’t turn off globals, any variable you
use and write out could become an attack vector. Even worse, consider the
following code:


if ($_POST['username'] == 'muppet' &&
    $_POST['password'] == 'password1') {
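The login snippet above is cut off on the page, so the following is an added example, not code from the original post. It shows two things a server owner would want alongside the test.php probe: a check of the register_globals directive from code, and the coding habits that keep a script safe whether or not the directive is on (initialise every variable before use, read input only from the superglobals, escape anything echoed back). The function names and the sample request arrays are my own; the `muppet`/`password1` credentials are the page's placeholders, not something to copy into a real login.

```php
<?php
// Added example (not from the original post): register_globals check plus the
// defensive coding pattern. Function names and sample data are constructed.

declare(strict_types=1);

/**
 * True when the register_globals directive is switched on in php.ini.
 * The directive was removed in PHP 5.4, so on current versions ini_get()
 * returns false and this function reports "off".
 */
function registerGlobalsEnabled(): bool
{
    $raw = ini_get('register_globals');   // "1", "On", "0", "Off", "" or false
    return $raw !== false
        && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/**
 * Safe version of the test.php probe: the parameter is read explicitly from
 * the query array and HTML-escaped before output, so a value such as
 * <script> is shown as text instead of being interpreted by the browser.
 */
function echoParam(array $get, string $name): string
{
    $value = isset($get[$name]) ? (string) $get[$name] : '';
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Login check that does not depend on an uninitialised flag. $authorised is
 * set to false before any branch, so a stray ?authorised=1 in the URL can
 * never pre-set it, and the credentials are read only from the POST array.
 * Placeholder credentials as on the page; a real app compares a hash with
 * password_verify().
 */
function isAuthorised(array $post): bool
{
    $authorised = false;
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (hash_equals('muppet', $user) && hash_equals('password1', $pass)) {
        $authorised = true;
    }
    return $authorised;
}

// Constructed sample requests standing in for $_GET and $_POST.
$sampleGet  = ['ouch' => '<b>that hurts</b>'];
$samplePost = ['username' => 'muppet', 'password' => 'wrong'];

printf("register_globals on: %s\n", registerGlobalsEnabled() ? 'yes' : 'no');
echo echoParam($sampleGet, 'ouch'), "\n";
printf("authorised: %s\n", isAuthorised($samplePost) ? 'yes' : 'no');
```

Run it from the command line with `php example.php`; the first line tells you the directive's state without touching the web server, and the escaped output shows the `<b>` tags rendered harmless.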
