PHP & Security: 3 Example Exploits

(Page 1 out of 3)

Introduction

One of the most common aspects of programming and scripting is security. Every program or script has to take security into account, and each language has certain weak points. Actually, it isn't the language that has weak points - it's the programmer who creates them. PHP is no exception to this, and security should be at the top of your list when you're creating a new script, no matter how simple or small the script may be.

I'm sure you've all read many basic PHP security articles, which cover things like filtering user input, being wary of XSS attacks, etc. That's why I'm not going to discuss them in this article. If you haven't heard about these things, have a look on Google. Heck, maybe I'll do a basic PHP security article in the near future.

In this article we're going to look at three different security cases. In each case I will try to explain the exploit, provide a working example, and then suggest possible fixes to prevent you from making the same mistake. Let's get cracking, shall we?

Security Case #1 - E-mail Injection

This is one of the neatest PHP exploits I've ever seen, and it really requires some knowledge of how e-mail works. This exploit is often used by spammers to turn the contact forms on your websites into a way to send out massive amounts of spam, without you even knowing. I used to be a victim of this as well, because I didn't even have a clue it existed. There was one thing I noticed though: really weird messages coming through my contact forms, for example:

[email protected]
Content-Type: multipart/mixed; boundary="===============2145621685=="
MIME-Version: 1.0
Subject: 9afb7555
To: [email protected]
bcc: [email protected]
From: [email protected]

This is a multi-part message in MIME format.

--===============2145621685==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

wpbtizuum
--===============2145621685==--

As you can see, this doesn't make much sense at all. But what it does mean is that spammers are testing whether your contact form is open to e-mail injection.

This exploit works much like SQL injection - untrusted users are able to inject data because of poor input validation. When you use the mail() function you might think each argument is a separate thing, and that they can't influence each other. But that's not the case: the e-mail is actually one big long text message. For example, mail('[email protected]', 'My Subject', 'My Message', "From: [email protected]\r\n"); is actually turned into:

To: [email protected]
Subject: My Subject
From: [email protected]

My Message

The exploit happens when spammers are able to insert data into the e-mail, therefore being able to change the complete e-mail. For example, if your mail() function looks like this:

<?php
// Vulnerable on purpose: $email goes straight from the form into a header line.
// A CR/LF inside it starts a new header (or the body) of the outgoing message.
$email = $_POST['email'];
mail('[email protected]', 'My Subject', 'My Message', "From: $email\r\n");
?>

As you can see, an attacker can inject raw data into the e-mail. This means it's now possible to send a completely different e-mail with a new subject, message and To header. Your contact form is used as an open relay!

To test this for yourself, have a look at the interactive demo. This doesn't actually send any e-mail, but does demonstrate how it's possible to change e-mails and use this exploit. Also have a look at http://securephp.damonkohler.com/index.php/Email_Injection for more information about E-mail Injection.

How do you protect against this exploit?
Easy - validate ALL input, and insert as little as possible into the e-mail. If you make sure you only get valid data from the user, the chance of e-mail injection has already been reduced hugely, and it probably won't be possible any longer. Also see the above link for different solutions.
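As an added example (not code from the original article), here is a hardened version of the contact-form handler in PHP: every value that ends up in a header is validated first, and a submission carrying a CR or LF is refused rather than handed to mail(). The recipient address, the form field names and the clean_* helper names are assumptions for illustration.

```php
<?php
// Added example, not from the original article. Names and the recipient
// address are assumptions. PHP 7.1+ (nullable return types).

// True if the value contains a CR or LF, the characters that let an
// attacker end the From: line and append Bcc:/To: headers of their own.
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Return a validated address or null. filter_var() rejects whitespace and
// control characters, so an injected "\r\nBcc: ..." never passes.
function clean_email(string $value): ?string
{
    $value = trim($value);
    if (has_header_injection($value)) {
        return null;
    }
    $valid = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// The subject becomes a header too, so fold line breaks instead of trusting it.
function clean_subject(string $value): string
{
    return substr(preg_replace('/[\r\n]+/', ' ', trim($value)), 0, 200);
}

// Refuse the submission entirely if the address is not clean; do not "fix" it.
function send_contact_mail(array $post): bool
{
    $from = clean_email($post['email'] ?? '');
    if ($from === null) {
        return false;
    }
    $subject = clean_subject($post['subject'] ?? 'Contact form');
    $message = (string) ($post['message'] ?? ''); // body only, no header risk
    // Headers are built only from the validated address, never from raw input.
    $headers = "From: $from\r\nReply-To: $from\r\n";
    return mail('you@example.com', $subject, $message, $headers);
}

// Constructed samples: a legitimate address and an injection attempt.
var_dump(clean_email('alice@example.com'));
var_dump(clean_email("alice@example.com\r\nBcc: someone@example.net"));
```

Log every refused submission (the raw value, escaped, plus the source IP), because a steady stream of CR/LF-laden addresses is exactly the probing the spam sample above shows.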




One Response to “PHP & Security: 3 Example Exploits”

  1. timvw Says:

    I think you’re better off with http://www.php.net/realpath to find out if the base path is really what you want it to be..

    Anyway, a lot of articles on php and security can be found at http://www.phpsec.org :)


About the author
Dennis Pallett is the main contributor to PHPit. He owns several websites, including ASPit and Chill2Music. He is currently still studying.
Article Index
  1. Introduction
  2. Security Case #2 - View Source Scripts
  3. Security Case #3 - CSRF Attacks