PHP & Security: 3 Example Exploits
(Page 1 out of 3)
Introduction
Security is a concern in every program or script you write, and each language has certain weak points. Actually, it isn't the language that has weak points - it's the programmer who creates them. PHP is no exception to this, and security should be at the top of your list when you're creating a new script, no matter how simple or small the script may be.
I'm sure you've all read many basic PHP security articles, which cover things like filtering user input, guarding against XSS attacks, etc. That's why I'm not going to discuss them in this article. If you haven't heard about these things, have a look on Google. Heck, maybe I'll do a basic PHP security article in the near future.
In this article we're going to look at three different security cases. In each case I will try to explain the exploit, provide a working example, and then suggest possible fixes to prevent you from making the same mistake. Let's get cracking, shall we?
Security Case #1 - E-mail Injection
This is one of the neatest PHP exploits I've ever seen, and really requires some knowledge of how e-mail works. This exploit is often used by spammers to use contact forms on your websites to send out massive amounts of spam, without you even knowing. I used to be a victim of this as well, because I didn't even have a clue this existed. There was one thing I noticed though: really weird messages coming through my contact forms, for example:
Content-Type: multipart/mixed; boundary="===============2145621685=="
MIME-Version: 1.0
Subject: 9afb7555
To: [email protected]
bcc: [email protected]
From: [email protected]
This is a multi-part message in MIME format.
--===============2145621685==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
wpbtizuum
--===============2145621685==--
As you can see, this doesn't make much sense as a message. But what it does mean is that spammers are trying to see if your contact form is open to e-mail injection: the bcc:, Subject: and MIME headers in the "message" are the probe, and the random strings (9afb7555, wpbtizuum) let the spammer recognise the copy that lands in the bcc: mailbox.
This exploit works quite like SQL injection - untrusted users are able to inject data because of poor input validation. When you use the mail() function you might think each argument is a separate thing, and that they can't influence each other. But that's not the case: the e-mail is actually one big long text message, with the headers separated from the body by a single blank line. For example, mail('[email protected]', 'My Subject', 'My Message', "From: [email protected]\r\n"); is effectively turned into one message like this:
To: [email protected]
Subject: My Subject
From: [email protected]

My Message
The exploit happens when spammers are able to insert data into the e-mail, therefore being able to change the complete e-mail. For example, if your mail() function looks like this (deliberately vulnerable code; the address is interpolated into a header line with no validation at all):
<?php
// The submitted address goes straight into the additional headers, unvalidated.
$email = $_POST['email'];
mail('[email protected]', 'My Subject', 'My Message', "From: $email\r\n");
?>
As you can see, an attacker can inject raw data into the e-mail. All it takes is a line break in the submitted address: everything after the "\r\n" is read as further header lines, so it's now possible to send a completely different e-mail with a new Subject, a new To or Bcc, and, after a blank line, a new message body. Your contact form is being used as an open relay!
To test this for yourself, have a look at the interactive demo. This doesn't actually send any e-mail, but does demonstrate how it's possible to change e-mails and use this exploit. Also have a look at http://securephp.damonkohler.com/index.php/Email_Injection for more information about E-mail Injection.
How do you protect against this exploit?
Easy - validate ALL input, and insert as little of it as possible into the e-mail. The thing that makes the injection work is a line break in a value that ends up in a header, so at a minimum reject any submitted value that contains a carriage return or newline, and check that an address field really is a single, well-formed address. If you make sure you only pass valid data to mail(), the chance of e-mail injection has already been reduced hugely, and it probably won't be possible any longer. Also see the above link for different solutions.
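The following is an added example, not code from the original article. It does not call mail() at all; instead build_raw_message() reproduces the way the four mail() arguments above are flattened into a single message (header order modelled on PHP's sendmail path, not copied from it), so the injection described in the previous section is visible without sending anything, and it puts the unvalidated From header next to a hardened version that applies the checks just described. All addresses and the attacker string are constructed placeholders, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example for this article; not the article's own contact-form code.

// Flatten the mail() arguments into one RFC 5322 message: headers, blank
// line, body. Header order is modelled on PHP's sendmail path (assumption).
function build_raw_message(string $to, string $subject, string $body, string $headers): string
{
    return "To: $to\r\nSubject: $subject\r\n" . rtrim($headers, "\r\n") . "\r\n\r\n$body";
}

// Unsafe: interpolates the untrusted value straight into a header line,
// exactly as the contact form in the article does.
function unsafe_from_header(string $email): string
{
    return "From: $email\r\n";
}

// Hardened: refuse anything containing CR or LF (a line break is what lets
// the attacker start a new header), then require a single valid mailbox.
// Returns null to signal that the submission must be rejected.
function safe_from_header(string $email): ?string
{
    if (preg_match('/[\r\n]/', $email)) {
        return null;                        // header injection attempt
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                        // not one well-formed address
    }
    return "From: $email\r\n";
}

// List every recipient header (To/Cc/Bcc) in the header block of a raw
// message, so injected recipients show up as extra entries.
function recipient_headers(string $raw): array
{
    [$headerBlock] = explode("\r\n\r\n", $raw, 2);
    $found = [];
    foreach (explode("\r\n", $headerBlock) as $line) {
        if (preg_match('/^(To|Cc|Bcc):\s*(.+)$/i', $line, $m)) {
            $found[] = strtolower($m[1]) . '=' . $m[2];
        }
    }
    return $found;
}

// Constructed attacker input, modelled on the probe shown in the article:
// a plausible address followed by CRLF and extra header lines.
$attacker = "anyone@example.com\r\nBcc: spam1@example.net, spam2@example.net\r\nSubject: 9afb7555";

$raw = build_raw_message('webmaster@example.com', 'My Subject', 'My Message',
                         unsafe_from_header($attacker));
echo $raw, "\n\n";
// The injected Bcc now sits in the header block next to the real To:
print_r(recipient_headers($raw));
// prints: to=webmaster@example.com and bcc=spam1@example.net, spam2@example.net

// The hardened version never builds a header from the attacker string.
var_dump(safe_from_header($attacker));              // NULL
var_dump(safe_from_header('visitor@example.com'));  // "From: visitor@example.com\r\n"
```

Note that recent PHP versions refuse additional headers containing consecutive newlines, which blocks injecting a new body, but a single "\r\n" followed by an extra Bcc: or Subject: line is still a legitimate header separator, so the input check is what actually closes the hole.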
November 3rd, 2005 at 2:51 am
I think you’re better off with http://www.php.net/realpath to find out if the base path is really what you want it to be..
Anyway, a lot of articles on php and security can be found at http://www.phpsec.org :)