Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
PHP Books Media Programming Book Reviews

Essential PHP Security 132

Michael J. Ross writes "Given the remarkable popularity of PHP for developing dynamic Web sites, as well as the ever-increasing need for security on those same sites, one would think that there would be great demand for — and comparable supply of — books that explain how to create secure sites using PHP. However, such is not the case, and even the most extensive general purpose PHP books may only devote a single chapter to this critical topic, if that much. Essential PHP Security, written by PHP expert Chris Shiflett, aims to fill the gap." Read the rest of Michael's review.
Essential PHP Security
author Chris Shiflett
pages 109
publisher O'Reilly Media
rating 7
reviewer Michael J. Ross
ISBN 059600656X
summary A concise introduction to PHP security principles and practices.


O'Reilly has a Web page for the book, where they offer a sample chapter (Chapter 4: Sessions and Cookies), in PDF format, as well as the book's table of contents, index, errata, and links to the online version of the book, in O'Reilly's Safari service. As of the writing of this review, the confirmed errata is reassuringly sparse, and the unconfirmed errata is nonexistent, which speaks well of the author keeping on top of reader feedback — a worthy quality not shared by all technical writers. The author also has his own Web site dedicated to the book, where he has posted a table of contents, brief reader reviews, and two free chapters in PDF format: Chapters 2 (Forms and URLs) and 4.

In the book's forward, Andi Gutmans briefly explains how increasing Internet usage has resulted in a corresponding increase in security risks, for individuals and businesses operating online. He also notes that most of the security problems related to PHP-based applications, are not the result of weaknesses in the language itself, but rather in the way that developers have used the language in creating those applications. The intent of the book is to bring together the guidelines and lessons learned for writing secure PHP code, into a single volume. He concludes by noting that most of the principles presented in the book apply equally well to other Web development languages.

The bulk of the book's material is organized into seven chapters, focusing on the following topics: forms and URLs, databases and SQL, sessions and cookies, includes, files and commands, authentication and authorization, and shared hosting. These are preceded by an introduction, which oddly is labeled as a chapter. The true chapters are succeeded by three appendices, which cover the topics of configuration directives, functions, and cryptography. A short index rounds out the volume.

In the introduction, Shiflett presents the security-related PHP features, principles, and best practices that he uses as a foundation throughout the rest of the book, when focusing on the specific PHP topics covered by all of the subsequent chapters. The two features of PHP discussed are: register globals, of which most experienced PHP developers know the dangers, and PHP's error reporting capabilities. The four principles espoused by the author for writing secure PHP systems are: safeguard redundancy, minimum privileges, clarity through simplicity, and minimizing data exposure. The heart of the book appears to be his four recommended practices: tempering usability with security, tracking input and output data, filtering all input, and escaping or encoding output to preserve its meaning.

The seven topic chapters that follow the introduction provide fairly terse coverage of how those principles and practices are put to use, when designing and implementing forms, URLs, SQL commands, sessions, cookies, etc. Each subtopic within them is discussed briefly, and illustrated with code snippets.

If anyone is well-suited to writing such a work, it is Chris Shiflett, a well-known authority on PHP security, a respected contributor to the PHP community, founder and spokesman of the PHP Security Consortium, and founder and President of Brain Bulb, a PHP consulting firm.

In light of the author's expertise, one would presume that he would make every effort to write the definitive volume on PHP security — covering every conceivable topic, including: execution of system commands, verification of user IDs and authorization, e-mail spamming via Web forms, (the related topic of) exclusion of bots, and remote procedure calls. However, Essential PHP Security does not discuss those critical matters specifically. Moreover, the topics chosen are discussed in a rather cursory manner. The code samples throughout the book are generally quite minimal, with little to no explanation as to how they work. In addition, many of the techniques presented are but variations on the theme of "filter user input." These weaknesses may be why the book clocks in at only 109 pages. In fact, the seven core chapters comprise only 71 pages, leaving the reader to wonder how PHP security could possibly be adequately plumbed by such a short treatment.

On the other hand, there is something to be said for terse writing, as wizened fans of Kernighan and Richie's C language classic can attest. In agreement would be any developer who has purchased one of the many 700+ page technical tomes that turn out to be padded with excessive margins, poorly-tested code, and pointless appendices lifted from the respective products' documentation. Perhaps Shiflett intended his book to be more a primer on PHP security, rather than a comprehensive coverage — and hence the title of the book. As such, it would primarily be of value to PHP developers unfamiliar with basic security pitfalls and defenses. Regardless, any PHP developer would be wise to begin with this book as a first step towards PHP security mastery, but even wiser if they were to follow it up with more substantial works, as well as keeping current by reading security-focused Web sites and other current publications.

Michael J. Ross is a freelance writer, computer consultant, and the editor of PristinePlanet.com's free newsletter."


You can purchase Essential PHP Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Essential PHP Security

Comments Filter:
  • Rule #1 (Score:3, Insightful)

    by Spy der Mann ( 805235 ) <spydermann.slash ... com minus distro> on Monday February 13, 2006 @02:13PM (#14709315) Homepage Journal
    Don't use a shared host.

    'Nuff said.
    • WTF? Who modded this down?

      While you CAN control whether people can access your website or not, you CANNOT control what number of amateur insecure scripts reside on the same host.

      Where I work, we've had a number of problems due to using a shared host for our website. Mass site defacements is one of them.
      • Most amateur and small budget PHP coders can't afford a dedicated server though. What's your advice to them? Is there a way they can protect themselves from others on the same server?
        • Re:Huh? O.o (Score:3, Informative)

          Virtual Private Servers are probably the answer for small budget coders. You can found pretty good VPS services at $50 a month.
      • I don't think there's anything wrong if the admins just use php_suexec, (quite easy to use on debian based systems, as apache has the required support built in). This then stops the php module needed to run as the webserver, and it can run as the virtual site owner, without the privs of the apache process. Saves much trouble. If it's still open to the same problems as using plain old mod_php then please, let me know, but as yet I think it's safe. Only other alternative is to use php as a cgi, with su_exec.
    • Re:Rule #1 (Score:2, Informative)

      by Anonymous Coward
      Great, that's a good general security tip, but what does that have to do with how secure your scripts are???

      The book is about PHP script security. You could have the most secure server in the world but if your scripts allow unfiltered user input then you're still screwed. NO amount of server securitty will help that.
    • or at least if you do make sure they run it in a way that isolates your scripts from other peoples.

      virtual private servers are an option and quite handy to have arround as a general box to throw stuff other than websites on that you wan't internet accessible but are a fair bit pricer than normal webhosting.
    • Re:Rule #1 (Score:4, Informative)

      by qw(name) ( 718245 ) on Tuesday February 14, 2006 @08:48AM (#14715352) Journal


      The author specifically deals with this issue in Chapter 8 [phpsecurity.org].

  • by Dr. Photo ( 640363 ) on Monday February 13, 2006 @02:16PM (#14709350) Journal
    "Those who use essential PHP and expect security deserve neither."

    (*sniff, sniff*... mmm... do I smell karma roasting?)
  • by Anonymous Coward on Monday February 13, 2006 @02:16PM (#14709358)
    this is the first time i've already owned a book before a slashdot review of it came up. It gives me that warm and fuzzy feeling inside.

    I think the reviewer hit just about everything important about this book. The only thing I would add is I didnt feel the discussion about sessions was in depth enough. Nothing about how session data is actually stored on the server or how to secure it.

    other than that great book, because it is so short everything is easy to find.

    • by DavidPesta ( 673248 ) on Monday February 13, 2006 @02:35PM (#14709570)
      For sessions, I find it more practical to drop the native PHP session system and create my own session system by connecting a user cookie to a database entry. Then you can have better access to the session data and more security, even encrypting the session data inside the database if you want. You can also modify the cookie "key" every so often to hinder someone who may have compromised the user's machine and is looking for session cookies.

      Also the advantages of doing this:
      1. You are given the option to separate the user sessions database from page navigation/scripts on different servers if you anticipate massive amounts of traffic someday and want a cluster of servers.
      2. It is not less efficient than the PHP session system. The native PHP sessions are file-based and also access the disk. With the user account_id as a primary key as a part of their cookie, session data access is very fast, perhaps faster in some cases.

      It wouldn't surprise me if that is why the author doesn't talk about PHP sessions much. Extremely high-traffic applications shouldn't use them IMO.
  • Christ Shiflett (Score:5, Informative)

    by Bogtha ( 906264 ) on Monday February 13, 2006 @02:18PM (#14709367)

    What are the credentials of Chris Shiflett? He's widely touted as a "PHP security expert", but Stefan Esser [php-security.org] has a beef with him, and claims that this book contains serious flaws and misunderstandings [php-security.org].

    I understand that people in the public eye like book authors are vulnerable to any crank that comes their way, but the problems that Stefan has highlighted do seem to point to a severe credibility problem, and Stefan, while prone to flaming, certainly knows what he is talking about.

    In the interests of fairness, you should also read Chris Shiflett's response [shiflett.org].

    • Re:Christ Shiflett (Score:5, Insightful)

      by C_Kode ( 102755 ) on Monday February 13, 2006 @02:40PM (#14709631) Journal
      They both are very good PHP security guys, but Stefan Esser is quite pathetic. Reading him can be like listening to someone speaking Spanglish. (flipping back and forth between languages) One minute he is professional, the next minute he is a 12 year old. Chris Shiflett should just ignore him and do what he needs to do to get it right. Obviously he made a mistake. Fix it and move on.
    • Re:Christ Shiflett (Score:3, Insightful)

      by dasil003 ( 907363 )
      What are the credentials of Chris Shiflett? He's widely touted as a "PHP security expert", but Stefan Esser has a beef with him, and claims that this book contains serious flaws and misunderstandings.

      After reading the post I don't really give a shit what Stefan Esser has to say about the book. Yes there's a flaw, but you won't convince people with such an inflammatory blog post. It looks like he scanned everything to find some flaw so he can rip Chris a new one. I would question if, perhaps, he's envious
      • Re:Christ Shiflett (Score:3, Informative)

        by Bogtha ( 906264 )

        I think you misunderstood the point of the logging example. It doesn't work properly in the default configuration, the only circumstance in which it would work properly is if the server was set up in a really insecure way, and the reason why the mistake isn't immediately obvious is due to sheer dumb luck. Those three things are pretty damning when they come from a supposed PHP security expert, wouldn't you say?

        There are a million ways Apache could be configured that would break some example code.

    • Re:Chris Shiflett (Score:4, Informative)

      by shiflett ( 151538 ) on Monday February 13, 2006 @03:07PM (#14709909) Homepage
      You're welcome to read the reviews and the (very thorough) errata yourself:

      http://phpsecurity.org/reviews [phpsecurity.org]

      http://phpsecurity.org/errata [phpsecurity.org]

      You'll be hard-pressed to find anything beyond simple typos and unclear sentences, I think, and the reviews have been very positive. :-)
    • I hope I'm the first (and the last) person to point out he's a band member of the Foo Fighters.
    • Re:Christ Shiflett (Score:3, Interesting)

      by iamsure ( 66666 )
      Please do note that Stefan, while occasionally not the most well-spoken advocate is both well-informed, and intelligent. He is an active contributor to the internals code of PHP itself, runs the hardened PHP project, reports vulnerabilities in a wide variety of opensource applications (responsibly!).. the list goes on.

      He's also the first man to crack the Xbox using software-only exploits.

      He's got a solid set of credentials. I happen to respect both Stefan and Chris, and I've found value in the work of both
    • You're mixing up replies.

      The reply by Chris Shiflett you point to is in response to a much earlier comment [hardened-php.net] by Stefan Esser. It is not a reply to the comments Stefan made with regards to his book.
  • Two thumbs up (Score:4, Informative)

    by knightinshiningarmor ( 653332 ) on Monday February 13, 2006 @02:19PM (#14709387)
    I have read this book in the past month, and it is very good at explaining PHP security from a very general perspective. It talks about encryption theory, SQL injection in genereal, filesystem permissions, etc. Very good read/reference for web developers who aren't as familiar with system/network security.
  • by psydeshow ( 154300 ) on Monday February 13, 2006 @02:24PM (#14709437) Homepage
    If you're looking for a system-wide approach to PHP Security, one that covers everything from shell commands and service tuning up through application-level security policy implementation, you should check out Apress' Pro PHP Security [apress.com].

    Cheers!
    • I actually purchased this book as well. It was the first PHP security book I found. I've not read it from cover to cover but there has been a lot of good tips I've picked up from just browsing some of the chapters I'm interested in. Cheers, Foz
  • by Anonymous Coward on Monday February 13, 2006 @02:29PM (#14709497)
    The problem is Not PHP Security, but general Coding practice. If you code bad, you will do it in any language. There are lots of thumb up rules (like defensive programming, checking value input, never trusting anyone, etc...) - know these, and you will not need to read books like these.
    A good code on that (and a lot more) probably would be Code Complete, and Code Complete2
    • by lukewarmfusion ( 726141 ) on Monday February 13, 2006 @02:39PM (#14709619) Homepage Journal
      There are two kinds of audiences for books like these (my wild speculation to follow):

      1. Developers switching languages who need to know how to implement these security practices in a new language - when I moved from ASP to PHP and others (thank God!) I had to rebuild much of my code library in a new language. Obvious things (to me) like input validation were just a little more difficult without a resource. I've had formal programming education and plenty of real-world experience - now it's just a matter of porting the concepts from one technology to another.

      2. New developers that don't have any idea about secure programming practices - many web developers become programmers to meet their clients' needs. These developers often go from designing and building static websites to building database-driven apps. Whereas your brochure site usually doesn't need to validate input, your web app does - from SQL injection to cross-site scripting, these concepts are foreign to someone.
    • There is also a huge gap between languages (or widespread modules features or idioms of the language) helping the writing of secure code, such as Ruby's string having a taintedness flag or Python's DBAPI2, languages that don't go either way, and languages that are just stupid and hard to secure by design.

      And PHP is the latter. Globals, magic_quotes, 15 different functions to escape quotes in DB requests (14 of which don't work, or only work when the moon is green and you have red socks), retarded APIs, stu

  • by Anonymous Coward on Monday February 13, 2006 @02:37PM (#14709592)
    In the interest of completeness, here's a complete round-up of all the books dedicated to PHP security currently on the market:

  • Support the Author (Score:5, Informative)

    by shiflett ( 151538 ) on Monday February 13, 2006 @02:47PM (#14709703) Homepage
    If you want to save some money and also support the author (me), please use this link:

    http://phpsecurity.org/buy [phpsecurity.org]

    You get the book for less than $20. :-)


    • How much less support will you get if we hit AddAll [addall.com] or BookPool [bookpool.com] [1] and get the book+shipping for the price of Amazon?

      _________________________________
      [1] Although it's out of stock at BookPool.

    • I got the book for Christmas from Amazon, it's been an interesting read. I've certainly learned a few things and had a few ideas on safer future implementations because of the book. Thanks for writing it :)
  • Moreover, the topics chosen are discussed in a rather cursory manner. The code samples throughout the book are generally quite minimal, with little to no explanation as to how they work.

    Here! This is what I mean! YOU figure out the rest!!

    [html]
    [head]
    [title]
    PHP Code sample etc. etc. etc.
  • by shiflett ( 151538 ) on Monday February 13, 2006 @02:55PM (#14709785) Homepage

    I wanted to reply to one thing, because it's a very valid point:

    In light of the author's expertise, one would presume that he would make every effort to write the definitive volume on PHP security -- covering every conceivable topic, including: execution of system commands, verification of user IDs and authorization, e-mail spamming via Web forms, (the related topic of) exclusion of bots, and remote procedure calls.

    I deliberately chose to focus this book on the 80%, and I'm actually happy that I did. PHP's reputation suffers because of security concerns, and I'm sure you'll see some of that expressed here. I want PHP developers who read this book to focus on what's most important, and the principles and practices that they learn along the way should prepare them to deal with more minor concerns.

    The execution of system commands is covered, but you're right that email injection is missing. HTTP response splitting is another. The second edition might include these, but they really boil down to the same thing as so many other vulnerabilities. If you filter input and escape output, neither are a concern. (After a recent change to header(), HTTP response splitting is no longer a concern, but we'll have to work with older versions of PHP for quite some time.)

    Thanks for reading, and I hope it helps!

    • Hi Chris:
      I'd like to invite you and encourage you to master the ten domains of the Common Body of Knowledge (www.isc2.org) and to take the CISSP exam. Obviously you have a lot to contribute and are eager to do so. One of the major benefits of the CISSP exam is that it shows that you're well-rounded and can converse, at least on a basic level, about all parts of security. The challenge faced by all security professionals is to be comprehensive, which involves, among other things, realizing the limitatio
      • To much study not enough practice... get a grip man, this guy has written a book on general PHP security holes.. if you cloud it with all the other garbage it defeats the purpose of his book, which is to provide a fast and simple reference to common php security issues.
  • #!/usr/bin/perl -w
    • Of course, this is if you're ignorant of things like running php as a cgi, using mod_suphp, etc, to get the php environment as close to perl as possible. And this is further ignorant of things like open_basedir and safe_mode, which allow you to jail your php code to a pretty decent degree and stop a lot of the kiddy problems that people think about when they think of php.
    • #!/usr/bin/perl -w
      s/-w/-t/
  • The real problem with PHP and security is that it's perceived as insecure. There are countless stories of people losing their forums, blogs, websites etc to hackers, defacers and script kiddies.

    This book might address how to code in PHP more securely, but that is not going to address the much more perceivable problem of "THIS SITE HAS BEEN H4X0RZED".

    What's needed is for some *real* professionals to sit down and go through all the popular open source packages - phpbb, nuke etc - and identify and remove as m
    • The last I heard on this subject from the phpBB guys is that they're doing precisely this sort of code audit to make sure the new version of the software isn't plagued by so many vulnerabilities as the 2.0 line has been... but only time will tell whether it's manageable.

      Trouble with this sort of job is that the real professionals also happen to charge a fortune for their services, and that's something that most open-source projects can't afford.
      • The last I heard on this subject from the phpBB guys is that they're doing precisely this sort of code audit to make sure the new version of the software isn't plagued by so many vulnerabilities as the 2.0 line has been... but only time will tell whether it's manageable.

        That's a great start, but it needs to be done on all of the massively popular packages.

        Trouble with this sort of job is that the real professionals also happen to charge a fortune for their services, and that's something that most open-sourc
      • The problem with phpBB is their plugin system... it's got loads of plugins (good) but you have to hand-edit the source files to install them (bad) which means you can't keep track of the security updates without scrapping your site and reloading all the plugins manually again (really bad).

        Looking around for a replacement I found SMF... which inisists as part of its install you make all your files and directories chmod 777.. an curiously the author has no problem with this (and even tries to say this is not
    • The perception that PHP is insecure is based on the fact that it was in the past incredibly insecure, not just because of bad programmers, but by design as a language/deployment environment. Perhaps it was too long ago for you top recall, but it used to be that register_globals was on by default. register_globals was inherently insecure, and including it in the language at all was a huge security compromise, and pathetically enough since there are still PHP packages out there that depend on it, it has not
  • by loconet ( 415875 ) on Monday February 13, 2006 @03:17PM (#14710015) Homepage
    As an experienced PHP developer who has been involved in many small and large projects, usually involving several other programmers, I can say that the problem with PHP's security is not PHP itself but rather the inability of exploits to punch the programmer in the face.

  • by SmallFurryCreature ( 593017 ) on Monday February 13, 2006 @03:49PM (#14710323) Journal
    Two students developed a new website for a volunteer organisation as part of their education. Something like an internship, anyway for them it was a temp job. They didn't finish it and since I volunteerd in the past for doing work for them I am now putting the finisching touches on it.

    Yuck.

    To look at the code I am once again reminded why I always feel sick when someone tells me that I am going to have to work together with a person with a degree. As far as I know they passed with this project yet it is totally and utterly crap. Oh of course it does not work cross-browser. Yes it has many bits of codes wich don't actually doesn't do shit. A 100 line switch statement that always does the same thing for instance but that ain't the worst of it.

    The worst of it is that security is non-existent. They use the old '?page=page1' in the url to switch content. I like this approach in itself as it leaves you with only 1 code file wich is accessible from the outside. I also like to make fucking sure that 'page' is filled only with values that I expect. They just insert it in an sql statement and execute it.

    Shudder.

    Could a book teach guys like this about security? NO.

    It is not the first time I see shit like this. To many IT students just are to young and naive to think about security. Or rather to not think about security but just do it. Nobody had to teach me that trusting userinput is bad. I know it is. How?

    Well, I don't know I just do. Perhaps it is all the years of low level cracking of games where you alter a string somewhere to give you more health/money whatever. Perhaps it is just being a suspicious bastard.

    Security is not a set of easy to follow rules, security is not trusting people.

    PHP is a usefull enough language that unfortunally in its basic install comes with some features that can really bite you in the ass. I always disable them on any server I control and then have to spend a lot of time correcting everyone elses code to work on a secured server. Oh and if I see one more person use PHP native sessions I am going to kill that motherfucker. Especially when it is used to store 1 value. Just use a fucking cookie instead of glogging the HD in resource eating insecure way.

    ANyway, the review of the book? Well it covers the very basics. If you still need to be told this, just stay away from the web. This is akin to a cooking book telling you not to have a boiling pot of water on the first burners of your stove when a little kid is around. What I read of it all falls into the 'duh' category.

    • That's no surprise... I personally wouldn't touch code written by someone just out of school without (a) extra money, and (b) the option to scrap and rewrite it.

      Like any other job, it takes a while to actually get good. It's not unique to the computer industry.
      • Don't discount someone right out of school. A person with a two-year technical degree may not understand the concepts of security; but a person with a masters in computer science or engineering most likely would. It doesn't take an engineer to program PHP, but it does take some common programming knowledge to create well-structured applications.
        • That may or may not be true. A CS student may have a solid foundation in security, but they might have no foundation at all in security. If your doing "pure" CS such as queue theory, or algorithm analysis, then security, let alone things like exception handling and even logging, are irrelevent. One could argue that the two year diploma types know only about all that irrelevent fluff, except in the real world that irrelevent fluff takes up 80% of the project. Consider the distinction between physics and engi
    • by Anonymous Coward
      I disagree with the last part of your post the whole everything in this book is under the 'duh' category. myself for example my current job is the first time i've worked with php and also with databases in any substantial way. so describing sql injection and xss attacks doesnt tell me not to trust user input it tells me what type of input to look for as malicious. and yes yes i know you should not try to exclude what a user cant do you should find the minimun subset of input that the user requires to do w
    • The worst of it is that security is non-existent. They use the old '?page=page1' in the url to switch content.

      Oh and if I see one more person use PHP native sessions I am going to kill that motherfucker.

      Do you have any examples of the alternatives? On the whole these methods seem very straightforward (and I use the first method myself) but I'd very much like to learn alternate, more secure ways of doing this kind of thing, especially as they are the most common ways to access and deliver content.
      • Judging from his comment (which was a bit hard to read at times), he doesn't mind the ?page=page1 technique. What he objects to is then doing something like "SELECT * FROM Pages WHERE $_REQUEST['QUERY_STRING']". Which is perfectly understandable.

        As for native sessions, I don't know why he's so vehement against them, but implementing session stuff yourself isn't to hard. When a user logs in, generate a unique ID, give it to them in a cookie and store it in a database table. At the top of every page, have a
      • He is pretty accurate. the ?page=page1 is itself not the problem, I like it and use it myself but as the other guy points out the way they use it is wrong. Why? "select * from pages where page = '$page'" is a HUGE security risk.

        What happens when someone alters the url by hand, to say something like ?page=fuckofyoufuckingfucker.

        Well nothing, except it won't load a page (probably I don't know what you called your pages) but what if they actually make it more complex and insert a complete sql statement with

        • As for PHP native sessions, the other post again answers it very accurate but not why I dislike them. A it is not enabled on all servers. This is bad because PHP code should be portable. B it is blocking, only 1 thread can work on a sessions data at a time. This is bad on high performance servers. C. it uses the filesystem for something wich it is not meant to do. D. it is a bitch to admin. E. the alternatives are just so much better.

          A) It's enabled on nearly all servers running PHP, except for some which m
  • Save yourself some money by buying the book here: Essential PHP Security [amazon.com]. And if you use the "secret" A9.com Instant Reward discount [amazon.com], you can save an extra 1.57%!
  • So, I guess HTS [hackthissite.org] will have to update some of their hacking challenges.
  • Shared server admin (Score:1, Interesting)

    by Anonymous Coward
    What about administrator perspective? I administer a LAMP site with lots of daily hammering in the style of "index.php?wget; chmod 755; ./script;blah...". Some of it actually got through, and it launched a DOS attack on some other site. Although server is grsecurityised, apache runs under nobody, there are still problems. How can I contain each virtual host in its own environment, cpu time limiting, stuff like that? Any keywords for google?
  • by tinkertim ( 918832 ) on Monday February 13, 2006 @10:54PM (#14713525)
    I can't but get a little sick when I see a whole book written on something so incredibly simple.

    The reason you see PHP being exploited is not the security of the host OS, not the security of PHP (well almost never) , its the lack of knowledge by the person owning the computer hosting the sites and companies like The Planet [theplanet.com] who hand them out to literally anyone with a Paypal account or credit card number.

    I can in 20 minutes show any experienced Linux system administrator how to run PHP completely wide open as far as functionality is concerned on a shared hosting environment and how to do it relatively safely.

    Your average web hosting company is a business person who has money to buy servers with idiot proof (nearly) control panels such as C-Panel / WHM [cpanel.net].

    They're also likely to come with RHEL, Centos 3 or 4 or Fedora. Very rarely do I see a Debian server used in a shared hosting situation (That should also tell you something).

    These boxes are not secure yet they go immediately into production.

    SO! To anyone who cares, (and reads this far) here is Tinkertim's checklist :

    1 - Egress filtering (firewall the damn box),

    2 - Get rid of that fat, bloated leaky modular kernel. Monolithic kernels are too easy to build not to do it. Don't forget to keep iptables, test with your firewall when done.

    3 - Seek and loop world writeable directories, or mount them as noexec. Even doing that is not going to save you all of your trouble. As nobody I can run /bin/sh -x /tmp/mybot.sh just fine on most linux distros even if /tmp is noexec. So dammit go toss the 3 lines of code in /bin/sh that keps uid/gid 99 from doing that.

    4 - Don't even THINK about using apache/proxy on a shared hosting setup. Thats just incredibly stupid and self destructive.

    5 - Look around in /dev ... make sure you took ALL the tools away that helps people get bad code onto your box in the first place. /dev/tcp is just as lethal as leaving wget available on a fedora / RHEL installation. Use mknod and make them safe. Same with /dev/udp .. remake them.

    6 - Get rid of what you don't need. Rename what you do and use scripts to help govern them. Lynx / wget / POST / GET (and everything else RHEL/Centos comes with) can be used to do dastardly things. Take advantage of user / group ownership that is found in Unix.

    7 - lsof is your friend. Write a script to check for open accepting inet sockets that don't belong.

    8 - (finally) VERIFY YOUR ORDERS ... stop making instant setup hosting accounts. Use fraud screening services. Remember a security hole is only a problem if you sell space to someone who's intention is to exploit it.

    Web hosts are the scurge of the planet. I know , I am one :) But I do things a bit differently than most. There's things you (yourself) can do if your stuck on shared hosting to ensure and nudge your host into securing their boxes.

    I may just re-post later or re submit with that list too. I'm off the soap box now. My point is this. We (shared web hosts) made this problem. We have a responsibility to admit it and stop it. I'll work on some checklists and scripts to do it for the lazy bastards and GPL them. Tired of people getting rich writing books making hype about what (should be) a very trivial issue.

    • Very rarely do I see a Debian server used in a shared hosting situation (That should also tell you something).

      it tells me that the majority of the people running these things want paid support for their OS (fair enough), nothing more. I don't know what that has to do with 'Essential PHP Security'
      • Because by default installation (which is what many run with, out of the box), Debian does not suffer from many of the issues that the more popular (and sometimes commercial) Linux distributions suffer from. Most people install, update and figure that their system is secure. This is not the case on ANY distribution of Linux. The security issues you see surrounding PHP are not the fault of PHP. 90% of the time a properly secured server would have prevented the issue. The issue is this : people demand host
      • it tells me that the majority of the people running these things want paid support for their OS (fair enough), nothing more.

        Then the voices in your head are wrong.

        The most common webhost linux flavour is Fedora Core, which is not to be confused with the commercially supported Red Hat Enterprise Linux.

  • by garyli ( 954345 ) on Monday February 13, 2006 @10:58PM (#14713545)
    Chris Shiflett has definitely created a masterpiece that I personally believe only he is capable of. His experience and precise, easy-to-read manner of writing are unparalleled when it comes to PHP security.

    One of the things I liked about this book is that you don't need to be sat next to your PC to read it. Though it has many nice and clear code examples, it's mainly about principles and theory. Excellent to have on the bedside table.

    It isn't a very thick book, but is written in a clear and accessible style, and I found myself going 'aha' all the way through. I read it quickly but have a feeling that I'll return to it often until all those best practices are memorised and I'm 'doing' them.

    What is most useful about this book is the aggregation in one place of descriptions of all of these security attacks and vulnerabilities in PHP code, along with suggestions on dealing with them.

    The only specific attack missing which I would like to have seen information about is email spamming through website forms. However the general principles described in the book will help prevent these attacks as well.

    This book will definitely be a long-term desktop reference for me and mandatory reading for all the PHP developers in my work place. I would definitely reccomend this book to aspiring PHP developers and think it would also benefit some of the more experienced folks out there.

    --
    Webmaster of Spy [e-spy-software.com]

  • ... other fine books like the Amish Phone Book or List of Human Rights in Comunist China
     
      Laugh, it's funny....
  • hah (Score:1, Flamebait)

    by Heembo ( 916647 )
    I'm sorry - with all the PHP holes over the last year - PHP and Security seems like a contradiction in terms!

"The following is not for the weak of heart or Fundamentalists." -- Dave Barry

Working...