Zendcon Day 2 – Lesser known security problems
After flunking my Zend Framework Certification exam (d'oh!) I moved on to Stefan Esser's talk about the lesser known security problems in PHP applications. There were a lot of problems I'd never even heard of, many of which result from the way PHP works internally.
One of these was the fact that PHP_SELF is not URL-encoded and that the encoding of REQUEST_URI depends on the client. If your application depends on one of these variables you could be exposed to cross-site scripting attacks. Another thing I didn't know was that Firefox 2 allowed cookies to be set for an entire TLD. So, for example, you could set a cookie with logged_in=true for *.nl, and every site with a .nl domain that checked authorization this way (which it shouldn't) would be vulnerable.
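The PHP_SELF point in practice, as an added example that is not from the post or the talk: the vulnerable pattern is shown in a comment, and the `html_attr()` / `form_action()` helpers and the constructed request array are my own, standing in for what a client can send.

```php
<?php
// Added example, not from the post: PHP_SELF and REQUEST_URI reach the script
// unencoded, so they must be escaped before they go into HTML. The request
// values below are constructed to stand in for what a client can send.

// Vulnerable pattern, the one the talk warns about:
//   <form action="<?= $_SERVER['PHP_SELF'] ?>">
// PHP_SELF is SCRIPT_NAME plus the client-supplied PATH_INFO, un-encoded, so
// anything the client appends to the path lands raw inside the attribute.

function html_attr(string $value): string
{
    // Escape for an HTML attribute context; quotes and angle brackets become entities.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function form_action(array $server): string
{
    // Prefer SCRIPT_NAME: it is the server-side script path without the
    // PATH_INFO tail, so the client has no say in it. Escape it anyway.
    return html_attr($server['SCRIPT_NAME']);
}

// Constructed request: the client appended path data containing characters
// that would end the attribute or open a tag.
$request = [
    'SCRIPT_NAME' => '/login.php',
    'PHP_SELF'    => '/login.php/extra"<path>',
    'REQUEST_URI' => '/login.php/extra"<path>?next=%2Fhome',
];

echo '<form action="' . form_action($request) . '" method="post">', PHP_EOL;

// If the full request path must be echoed (for example as a "current page" link),
// escape it first so the raw characters never reach the browser unencoded.
echo '<a href="' . html_attr($request['REQUEST_URI']) . '">this page</a>', PHP_EOL;
```

Using SCRIPT_NAME instead of PHP_SELF removes the client-controlled PATH_INFO part entirely; escaping on top of that covers the case where the path itself has to be echoed.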
An interesting fact I didn't know was that $_ENV and $_SERVER are created "just-in-time": if the compiler sees that these arrays are referenced, it fills them with the correct values. However, if you use variable variables like this:
$a = "_ENV";
print ${$a}['variable']; // written as ${$a} so it reads the same in PHP 5 and PHP 7+; the literal $_ENV never appears
The compiler doesn't detect the usage of the array and will not fill it with values. This means that if you use variable variables to filter one of these arrays it won't work, because the arrays haven't been filled yet.
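The just-in-time behaviour and a safe pattern, as an added example that is not from the post or the talk. It is laid out as two files because the compiler registers the superglobal per compiled file; `filter_by_name()`, `filter_array()` and the file names are my own, and it assumes auto_globals_jit=On (PHP's default) and uses $_SERVER.

```php
<?php
// Added example, not from the post: the just-in-time superglobal pitfall and the
// safe pattern, laid out as two files because the compiler registers $_SERVER
// per compiled file. Assumes auto_globals_jit=On (PHP's default).

// ---- file: lib/filter.php (deliberately contains no literal $_SERVER) ----

// The pattern the post warns about: the array is picked by name at runtime,
// so nothing in this file tells the compiler that $_SERVER is used.
function filter_by_name(string $name, array $allowed): array
{
    global $$name;                 // dynamic lookup, invisible to the compile-time check
    $source = $$name ?? [];        // may still be empty when this runs
    return array_intersect_key($source, array_flip($allowed));
}

// Safe pattern: accept the array as a parameter and let the caller name it.
function filter_array(array $source, array $allowed): array
{
    return array_intersect_key($source, array_flip($allowed));
}

// ---- file: index.php ----

require __DIR__ . '/lib/filter.php';

$allowed = ['REQUEST_METHOD', 'HTTP_HOST', 'REMOTE_ADDR'];

// This file mentions $_SERVER literally, so the compiler populates it before
// anything here executes; filter_array() therefore always sees the real data.
$safe = filter_array($_SERVER, $allowed);

// Had this file only ever called filter_by_name('_SERVER', $allowed) and never
// written $_SERVER, no compiled file would have referenced the superglobal and
// the result could be an empty array. A literal reference anywhere in a
// compiled file, or passing the array explicitly as above, is the fix.
```

The practical rule for a generic input filter is to pass the superglobal in as an argument rather than selecting it by name; the literal token at the call site is what makes the compiler initialise it.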
Other highlights were:
- Sites that use SSL but allow cookies to be sent as plaintext
- Session data that is placed in /tmp by default and as such is readable by other applications that use the same path
- Incorrect implementations of userland session handlers (use transactions)
- The lack of transaction usage in database queries
- Input filtering that allows overlong data to be sent to your database, where it will be truncated, if it gets there at all
- The lack of error handling in database queries
- SQL Injection with multibyte encoding
- PHP not escaping multibyte characters
- The fact that you should never, ever seed your random number generator
- The fact that crashing PHP by giving it a deeply nested array allows an attacker to guess your seed
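Several of the highlights above (plaintext cookies on SSL sites, session data in /tmp, overlong input, missing error handling and transactions, multibyte escaping, and seeding the random number generator) come down to a handful of settings and habits. The script below is an added example, not from the post or the talk; it assumes PHP 7.4+ with the mbstring and mysqli extensions, and the session path, database credentials, `users` table and `store_user()` / `new_token()` helpers are placeholders of my own.

```php
<?php
// Added example, not from the post or the talk: one script that applies fixes
// for several of the highlights above. Assumes PHP 7.4+ with mbstring and
// mysqli; the session path, credentials and the "users" table are placeholders.

declare(strict_types=1);

// --- Cookies only over SSL, session files out of the shared /tmp ---
// A session directory owned by this application (mode 0700) keeps other
// applications on the same host from reading the serialized session data.
ini_set('session.save_path', '/var/lib/php/sessions/myapp'); // placeholder path
ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',      // host-only cookie; never a domain as wide as ".nl"
    'secure'   => true,    // the browser sends the cookie over HTTPS only
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// --- Never seed; use the CSPRNG for anything that must be unguessable ---
function new_token(): string
{
    return bin2hex(random_bytes(32));      // random_bytes() needs no seeding
}

// --- Charset-aware escaping, length checks, transactions, error handling ---
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false
$db = new mysqli('localhost', 'app', 'placeholder-password', 'appdb');
$db->set_charset('utf8mb4');   // the client library must know the real connection
                               // charset, or its escaping mis-handles multibyte input

function store_user(mysqli $db, string $name, string $token, int $maxBytes = 64): void
{
    // Reject instead of letting the database truncate: a VARCHAR(64) would cut
    // the value silently, possibly in the middle of a multibyte sequence.
    if (!mb_check_encoding($name, 'UTF-8') || strlen($name) > $maxBytes) {
        throw new InvalidArgumentException('username is not valid UTF-8 or is too long');
    }

    $db->begin_transaction();
    try {
        // Prepared statements keep the value out of the SQL text entirely, so
        // charset tricks in $name cannot change the statement.
        $stmt = $db->prepare('INSERT INTO users (name, token) VALUES (?, ?)');
        $stmt->bind_param('ss', $name, $token);
        $stmt->execute();
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback();   // leave no half-written state behind
        throw $e;          // and let the caller see the failure
    }
}

store_user($db, 'alice', new_token());
```

The two settings that matter most for the cookie item are `secure` and a host-only `domain`; the charset call matters because escaping done under the wrong charset is exactly what the multibyte injection item exploits, and prepared statements sidestep escaping altogether.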
And the kicker was the revelation of a 0-day exploit in ZipArchive: it had been reported to the PHP security team 85 days earlier and, seeing no movement whatsoever, Stefan decided to unveil it.