Joomla CMS & PHP Security

Announcements:

• an Accessibility workshop will be held tuesday july 24th; contact: Dawn Hunziker for more information
• Future Agendaa: next month, August 8th, Leslie Johnston will give an update on the standardized banners; sept: usability presentation; oct. HR update on IT reclassification.

PHP Security: learning to thwart the 133t h4x0r

Presentor: Ed Murphy, OSCR
emurphy1@email.arizona.edu
Attachment: PHP Security
 

• turn off global variables. Turned off on the w4 server.
• dont trust user input; must be validated;
• casting on your variables is a simple way to ensure variables contain what you expect; examples:
• php comes with 'ctype' extension for validating string content; provided in php 4 & 5. ctype is preferred over regular using a expression. it is faster and easier to understand.
• XSS -- cross site scripting -- user supplied HTML is displayed as is. can lead to session take over; password theft; content modification; cross site request forgeries; XSS examples in handout Google code search. Filter all foreign data. html entities, strip_tags and utf8_decode help ensure what is displayed is what you want.
• SQL injection: (See examples in attachment) user supplied data used as in a queries; a subset of the unverified/unsanitzed user input vulnerable; gets application to run SQL code that was not intended.
• can cause arbitrary query injection, data retrieval, denial of service, data modification; Examples are in handout.
• prevention: use prepared statements; if database interface extension offers dedicated escaping functions, use them.
• session fixation: tricks the victim into using a session id chosen by the attacker to obtain a valid session id;
• regenerate the session identifier anytime the user provides authentication of any kind. WebAuth provides the auth on campus; Compare the browser signature headers; turn off global variables; use safer session storage;
• Code Injection: user can make script execute arbitrary php code. allows attacker to in include, require and eval statements;
• Use a while list with unpredictable tokens; php> 5.2 disable allow_url_fopen;usse open_basedir to restrict file access; use Fast CGI rather than apache module.
• File Security: Many PHP applications often require various utility and configuration files to operate; Because those files are used within the application, they end up being world-readable; This means that if those files are in web directories, users could download & view their contents.
• Google code searchs: www.google.com/codesearch; searchs public source code; example: lang.php(include|include_once|require|require_once).*\_$(GET|POST|COOKIE|REQUEST); and lang:php (echo|print.*\$_(GET|POST|COOKIE|SERVER);

Joomla Content Management System

Presentor: Mike Tierney, Fine Arts
tierney@email.arizona.edu
 

• An open source cms running on php/mysql
• Mike demonstrated the backend administrative portion of Joomla
• The intteface is easy to use; visual; easy to train users; updating and added fluid; not the easiest system to use; more robust than drooble; learning curve is less than typo3; provides for multisites and allows shared source; templating system is friendly; patches and updates are easy to maintain;
• user admin: not easy to set up for backend access; can't customize who has access to specific areas; comes with some default modules that can be modified or can build custom modules;
• cant automate the navigation; TinyMCE for editing; can allow you to control what features users have access tool; can allow users to edit through the frontend;
• user management and content management easy to pick up easily; it is a news orientated system; lends itself to the blog type format; provides built-in pagination;