Securing the PHP Environment with PHPSecInfo - OSCON 2008
Transcript of Securing the PHP Environment with PHPSecInfo - OSCON 2008
Securing the PHP Environment with PHPSecInfo
Ed Finkler
[email protected] / @funkatron
www.cerias.purdue.edu / @cerias
2008-07-24
Me and We
I'm a big dork
PHP dev since 1999
Secure PHP dev since 2003
Work for The Center for Education and Research in Information Assurance and Security (CERIAS) @ Purdue University - www.cerias.purdue.edu
The ubiquity of PHP
PHP is very, very popular
Nearly impossible to find a hosting service that doesn’t support PHP in some form
About 34% of all domains report using PHP
PHP is very easy to learn
PHP provides results quickly
Time between setup and seeing results is very short
The ubiquity of PHP
PHP powers many busy, high-profile sites
Wikipedia
Wordpress.com
Digg
Flickr
Yahoo!
NIST NVD: 2006 data
6604 total entries
2803 PHP applications
895 PHP app remote file inclusion
Almost all blocked by disabling allow_url_fopen (allow_url_include in 5.2+)
Chart legend: PHP Language / PHP Apps: remote file inclusion / PHP Apps: other / Other
Last 3 Years (NIST NVD)
Year  Total vulns  PHP vulns  PHP RFIs
2006  6,604        2,803      895
2007  6,516        2,346      721
2008  3,183        1,124      122
What does this tell us?
How popular PHP is
How much of a target web apps are
How many PHP developers are incapable of writing secure apps
How many sysadmins don’t secure their PHP environments
The parties involved
The System Administrator
Directly responsible for PHP environment security
Tendency to lower security of environment to reduce application compatibility complaints
The parties involved
The PHP Developer
Must be aware of the environment and how it impacts app development
Will write apps assuming certain features are enabled, despite security risks
The parties involved
The PHP “Deployer”
By far the largest portion of the audience
Uses PHP apps on a web site, but not a coder
Not capable of assessing security of an app
At the mercy of the SysAdmin and Developer
"phpinfo() for security"
Requirements of PHPSecInfo
A security auditing tool accessible to the “Deployer”
Compatible
Support PHP4 (63%) and PHP5 (37%)
Easy to install
Unzip and Upload
Easy to execute (little or no config)
Runs upon upload; single function call
Requirements of PHPSecInfo
Easy to understand
Clear, unambiguous results; color coding
Encourage further exploration
Offer extended explanations with links to more info
Executing PHPSecInfo
1. Unzip
2. Upload
3. View in Browser
Test Suite
17 tests for commonly exploited security vulnerabilities in the PHP environment
Each test result shows:
Current Setting
Recommended Setting
Result (color-coded)
Explanation
Link to further info
Simple metrics output
PHPSecInfo encourages accountability
Diagram: the three parties (Sysadmins, Developers, Deployers) and the claims they can now make to one another:
"Sorry, we can’t support your app because it requires an insecure config!"
"Our hosting is secure – PHPSecInfo says so!"
"Why does your application require an insecure configuration?"
"Why doesn’t your hosting service provide a secure PHP environment?"
"Here’s what’s wrong with your PHP setup – fix it before you run our app!"
For advanced users
Still a useful tool for evaluating PHP environments
Part of an auditing toolkit for web app security experts
Extensible test framework
Create custom tests specific to an environment
Full generated documentation available
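As an added example (not PHPSecInfo's or Zend_Environment's own code): a minimal audit in PHP 7.4+ that reproduces the per-test record the slides describe (current setting, recommended setting, result, explanation, link to further info, plus simple metrics), checks the allow_url_fopen / allow_url_include directives behind the NVD remote-file-inclusion numbers, and keeps its tests in a registry of closures so an environment-specific test can be appended, in the spirit of the extensible test framework and of obtaining results programmatically. The php.ini directive names and the manual URL are real; the recommended values, explanations, RESULT_* labels and function names are this example's own choices, not the project's API.

```php
<?php
// Added example, not PHPSecInfo's code. Each test produces a record in the
// shape the slides describe: current setting, recommended setting,
// colour-coded result, explanation, link to more information.
// Only ini_get() and standard PHP functions are used.

const RESULT_OK     = 'OK';      // green
const RESULT_WARN   = 'WARN';    // red
const RESULT_NOTICE = 'NOTICE';  // yellow
const RESULT_NOTRUN = 'NOTRUN';  // grey: test does not apply to this PHP version

/** Normalise php.ini boolean-ish values ("1", "On", "true", "", "Off") to bool. */
function ini_bool(string $name): bool
{
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

/**
 * Build one result record. $assess takes the current value and returns one of
 * the RESULT_* constants, so new tests can be added to the registry below
 * without touching the reporting code (the "extensible test framework" idea).
 */
function make_test(string $name, $current, $recommended, callable $assess,
                   string $explanation, string $moreinfo): array
{
    return [
        'name'        => $name,
        'current'     => $current,
        'recommended' => $recommended,
        'result'      => $assess($current),
        'explanation' => $explanation,
        'moreinfo'    => $moreinfo,
    ];
}

/** Registry of tests; each entry is a closure so environment-specific tests can be appended. */
function test_registry(): array
{
    $off_is_ok = fn(bool $cur): string => $cur ? RESULT_WARN : RESULT_OK;
    $docs = 'https://www.php.net/manual/en/ini.list.php'; // PHP manual's php.ini directive index

    return [
        // The remote file inclusion class from the NVD slides: allow_url_fopen / allow_url_include.
        fn() => make_test('allow_url_fopen', ini_bool('allow_url_fopen'), false, $off_is_ok,
            'Lets include/require and the file functions open URLs; disabling it blocks most remote file inclusion.', $docs),
        fn() => version_compare(PHP_VERSION, '5.2.0', '>=')
            ? make_test('allow_url_include', ini_bool('allow_url_include'), false, $off_is_ok,
                'PHP 5.2+ separates URL includes from URL fopen; keep this off even where allow_url_fopen is needed.', $docs)
            : make_test('allow_url_include', null, false, fn() => RESULT_NOTRUN,
                'Directive only exists in PHP 5.2 and later.', $docs),
        fn() => make_test('display_errors', ini_bool('display_errors'), false, $off_is_ok,
            'Error output sent to the browser leaks paths, queries and stack traces to visitors.', $docs),
        fn() => make_test('expose_php', ini_bool('expose_php'), false,
            fn(bool $cur): string => $cur ? RESULT_NOTICE : RESULT_OK,
            'Advertises the PHP version in the X-Powered-By header; informational, but it aids fingerprinting.', $docs),
    ];
}

/** Run every registered test; return the records plus counts per result (the "simple metrics output"). */
function run_audit(array $registry): array
{
    $results = array_map(fn(callable $t): array => $t(), $registry);
    $metrics = array_count_values(array_column($results, 'result'));
    return ['results' => $results, 'metrics' => $metrics];
}

/** Plain-text report; the result column is where PHPSecInfo would apply colour. */
function render_report(array $audit): string
{
    $out = '';
    foreach ($audit['results'] as $r) {
        $out .= sprintf("[%-6s] %-18s current=%s recommended=%s\n         %s\n         more: %s\n",
            $r['result'], $r['name'], var_export($r['current'], true),
            var_export($r['recommended'], true), $r['explanation'], $r['moreinfo']);
    }
    foreach ($audit['metrics'] as $k => $n) {
        $out .= "$k: $n\n";
    }
    return $out;
}

// Usage: drop the file in the web root and view it, or run it from the CLI.
echo render_report(run_audit(test_registry()));
```

Because run_audit() returns the records as an array instead of only printing them, an installer or application can call it and refuse to proceed while any test reports WARN, which is the embedding use case the later slides list as an upcoming feature.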
Zend_Environment Sec. Mod
Part of Zend Framework
PHP5-only
Zend_Environment offers programmatic access to PHP environment information
The Zend_Environment security module is based on PHPSecInfo
Offers better (for now) programmatic access to test results
Part of a full-featured development framework
Upcoming features
Phar & PEAR installs
Better IIS support (need help here)
Instantiate and obtain results programmatically for embedding in apps
Security testing during the installation process, and more
HELP!
Developers and Documenters
Zend_Environment
http://is.gd/12Jq
More Information
phpsecinfo.com
phpsecinfo.googlecode.com
phpsec.org
cerias.purdue.edu
framework.zend.com