Joomla CMS & PHP Security
Wednesday, July 11, 2007
- An accessibility workshop will be held Tuesday, July 24th; contact Dawn Hunziker for more information.
- Future agenda: next month, August 8th, Leslie Johnston will give an update on the standardized banners; September: usability presentation; October: HR update on IT reclassification.
PHP Security: learning to thwart the 133t h4x0r
Presenter: Ed Murphy, OSCR
Attachment: PHP Security
- Turn off global variables; they are turned off on the w4 server.
- Don't trust user input; it must be validated.
- Casting your variables is a simple way to ensure they contain what you expect (see the examples in the attachment).
- PHP comes with the 'ctype' extension for validating string content, provided in PHP 4 and 5. ctype is preferred over using a regular expression; it is faster and easier to understand.
- XSS (cross-site scripting): user-supplied HTML is displayed as-is. Can lead to session takeover, password theft, content modification and cross-site request forgery; XSS examples are in the handout and in Google Code Search. Filter all foreign data; htmlentities, strip_tags and utf8_decode help ensure that what is displayed is what you want.
- SQL injection (see examples in the attachment): user-supplied data is used in a query; a subset of unverified/unsanitized user input is vulnerable; gets the application to run SQL code that was not intended.
- Can cause arbitrary query injection, data retrieval, denial of service and data modification; examples are in the handout.
- Prevention: use prepared statements; if the database interface extension offers dedicated escaping functions, use them.
- Session fixation: tricks the victim into using a session ID chosen by the attacker, so that the attacker obtains a valid session ID.
- Regenerate the session identifier any time the user provides authentication of any kind. WebAuth provides the authentication on campus. Compare the browser signature headers; turn off global variables; use safer session storage.
- Code injection: the user can make the script execute arbitrary PHP code; affects include, require and eval statements.
- Use a whitelist with unpredictable tokens; in PHP > 5.2 disable allow_url_fopen; use open_basedir to restrict file access; use FastCGI rather than the Apache module.
- File security: many PHP applications require various utility and configuration files to operate. Because those files are used within the application, they end up being world-readable; if those files are in web directories, users could download and view their contents.
- Google Code Search (www.google.com/codesearch) searches public source code; examples: lang:php (include|include_once|require|require_once).*\$_(GET|POST|COOKIE|REQUEST) and lang:php (echo|print).*\$_(GET|POST|COOKIE|SERVER)
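The talk's points on validation, SQL injection, XSS, code injection and session fixation, pulled together in one added PHP example (not from the handout or the presenter). It assumes a PDO connection `$pdo` to a MySQL table `articles(id, title)` and a `pages/` directory; those names are hypothetical.

```php
<?php
// Added example, not from the presentation handout. Assumes a PDO
// connection and an "articles(id, title)" table (hypothetical names).

// 1. Validate: ctype plus a cast instead of trusting $_GET as-is.
function article_id_from_request(array $get): ?int
{
    $raw = $get['id'] ?? '';
    // ctype_digit rejects "", "-1", "1 OR 1=1" and "12abc" before the cast.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// 2. SQL: a prepared statement keeps the value out of the query text.
function fetch_article(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. XSS: escape on output with an explicit charset, so user-supplied
//    text is displayed as text rather than interpreted as HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Code injection: a whitelist maps request tokens to files; the raw
//    request value never reaches include() or require().
function page_file(string $requested): ?string
{
    $allowed = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    return $allowed[$requested] ?? null;
}

// 5. Session fixation: issue a fresh session id once the user has
//    authenticated, and record the browser signature for later comparison.
function on_login_success(string $user): void
{
    session_regenerate_id(true);      // discard the pre-authentication id
    $_SESSION['user'] = $user;
    $_SESSION['ua']   = $_SERVER['HTTP_USER_AGENT'] ?? '';
}
```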
Joomla Content Management System
Presenter: Mike Tierney, Fine Arts
- An open-source CMS running on PHP/MySQL.
- Mike demonstrated the back-end administrative portion of Joomla.
- The interface is easy to use and visual; easy to train users; updating and adding content is fluid; not the easiest system to use, but more robust than Drupal; the learning curve is less than Typo3's; provides for multisites and allows shared source; the templating system is friendly; patches and updates are easy to maintain.
- User admin: not easy to set up for back-end access; can't customize who has access to specific areas; comes with some default modules that can be modified, or you can build custom modules.
- Can't automate the navigation; TinyMCE for editing can let you control what features users have access to; can allow users to edit through the front end.
- User management and content management are easy to pick up; it is a news-oriented system; lends itself to the blog-type format; provides built-in pagination.