Joomla CMS & PHP Security

Wednesday, July 11, 2007
  • An Accessibility workshop will be held Tuesday, July 24th; contact Dawn Hunziker for more information.
  • Future agenda: next month (August 8th), Leslie Johnston will give an update on the standardized banners; September: usability presentation; October: HR update on IT reclassification.

PHP Security: learning to thwart the 133t h4x0r

Presenter: Ed Murphy, OSCR
Attachment: PHP Security

  • Turn off global variables. They are turned off on the w4 server.
  • Don't trust user input; it must be validated.
  • Casting your variables is a simple way to ensure they contain what you expect; examples:
  • PHP comes with the 'ctype' extension for validating string content; it is provided in PHP 4 and 5. ctype is preferred over using a regular expression: it is faster and easier to understand.
  • XSS (cross-site scripting): user-supplied HTML is displayed as is. It can lead to session takeover, password theft, content modification and cross-site request forgeries; XSS examples are in the handout (Google Code Search). Filter all foreign data. htmlentities, strip_tags and utf8_decode help ensure that what is displayed is what you want.
  • SQL injection (see examples in attachment): user-supplied data is used as is in queries; it is a subset of the unverified/unsanitized user input vulnerability; it gets the application to run SQL code that was not intended.
  • It can cause arbitrary query injection, data retrieval, denial of service and data modification. Examples are in the handout.
  • Prevention: use prepared statements; if the database interface extension offers dedicated escaping functions, use them.
  • Session fixation: tricks the victim into using a session id chosen by the attacker, so that the attacker obtains a valid session id.
  • Regenerate the session identifier any time the user provides authentication of any kind (WebAuth provides the authentication on campus); compare the browser signature headers; turn off global variables; use safer session storage.
  • Code injection: the user can make the script execute arbitrary PHP code. It allows the attacker in through include, require and eval statements.
  • Use a whitelist with unpredictable tokens; in PHP > 5.2 disable allow_url_fopen; use open_basedir to restrict file access; use FastCGI rather than the Apache module.
  • File security: many PHP applications require various utility and configuration files to operate. Because those files are used within the application, they end up being world-readable. This means that if those files are in web directories, users could download and view their contents.
  • Google Code Search: searches public source code. Examples: lang:php (include|include_once|require|require_once).*\$_(GET|POST|COOKIE|REQUEST) and lang:php (echo|print).*\$_(GET|POST|COOKIE|SERVER)
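
The casting and ctype points above, as an added example that is not from the handout or the presenter. It assumes register_globals is off (so every value is read explicitly from $_GET or $_POST) and uses constructed request arrays; the function names are illustrative.

```php
<?php
// Added example, not from the handout: validating request parameters by
// casting and with the ctype extension. Assumes register_globals is off,
// so every value is read explicitly from $_GET / $_POST.

// Cast: an article id must be a positive integer. (int)"12abc" gives 12 and
// (int)"abc" gives 0, so pair the cast with a range check.
function article_id_from_request(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = (int) $get['id'];
    return $id > 0 ? $id : null;
}

// ctype: a username is letters and digits only, 3 to 20 characters.
// ctype_alnum() is faster and clearer than preg_match('/^[A-Za-z0-9]+$/').
function valid_username(string $name): bool
{
    $len = strlen($name);
    return $len >= 3 && $len <= 20 && ctype_alnum($name);
}

// A quantity field: digits only, then cast. ctype_digit() rejects '',
// '-7', '1.5', '1e3' and ' 3', all of which a bare (int) cast would
// silently turn into some number.
function quantity_from_request(array $post): ?int
{
    $raw = (string) ($post['qty'] ?? '');
    return ctype_digit($raw) ? (int) $raw : null;
}

// Constructed sample requests.
var_dump(article_id_from_request(['id' => '42']));          // int(42)
var_dump(article_id_from_request(['id' => '42 OR 1=1']));   // int(42): the cast drops the tail
var_dump(article_id_from_request(['id' => 'abc']));         // NULL
var_dump(valid_username('edmurphy'));                       // bool(true)
var_dump(valid_username('ed murphy'));                      // bool(false)
var_dump(quantity_from_request(['qty' => '7']));            // int(7)
var_dump(quantity_from_request(['qty' => '-7']));           // NULL
```

The cast alone is enough for an id that is then only compared, but it is not a substitute for validation of strings: a value that must be digits should be checked with ctype_digit() before the cast, otherwise junk after the number is silently discarded rather than rejected.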
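
The XSS point ("user-supplied HTML is displayed as is"), as an added example that is not part of the handout: the same constructed comment rendered unchanged and rendered through htmlentities() and strip_tags(). Function names and the sample comment are constructed for the example.

```php
<?php
// Added example, not from the handout: one user comment rendered "as is"
// (vulnerable) and through output encoding (fixed).

// Constructed user input: a comment that carries script and an event handler.
$comment = 'Nice post <script>alert("xss")</script> <b onmouseover="alert(1)">bold</b>';

// Vulnerable: foreign data goes straight into the page, so the browser runs
// the script in the site's origin (cookies, session, page content).
function render_unsafe(string $text): string
{
    return "<p>$text</p>";
}

// Fixed for a plain-text field: encode <, >, &, ' and " so the browser shows
// the characters instead of treating them as markup.
function render_text(string $text): string
{
    return '<p>' . htmlentities($text, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Fixed for an attribute context: same encoding, and the attribute is always
// quoted so a stray space cannot start a new attribute.
function render_link_title(string $title): string
{
    return '<a href="/post" title="' . htmlentities($title, ENT_QUOTES, 'UTF-8') . '">post</a>';
}

// When a little markup is wanted: strip_tags() with an allow-list. Caveat:
// strip_tags() keeps attributes on the tags it allows (the onmouseover above
// would survive), so attributes are removed from the kept tags as well.
function render_limited_html(string $text): string
{
    $kept = strip_tags($text, '<b><i>');
    $kept = preg_replace('/<(b|i)\b[^>]*>/i', '<$1>', $kept);
    return '<p>' . $kept . '</p>';
}

echo render_unsafe($comment), "\n";        // the script tag reaches the browser
echo render_text($comment), "\n";          // &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; ...
echo render_limited_html($comment), "\n";  // Nice post alert("xss") <b>bold</b>
echo render_link_title($comment), "\n";    // encoded inside a quoted attribute
```

Which encoder to use depends on where the data lands: htmlentities() with ENT_QUOTES covers element content and quoted attributes, while strip_tags() only removes tags and never encodes, so it is a filter for the "limited HTML" case, not a general output escape.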
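
The SQL injection and prepared-statement points, as an added example that is not the handout's code. It uses an in-memory SQLite database through PDO so that it runs stand-alone; the table, rows and the request value are constructed.

```php
<?php
// Added example, not from the handout: an injectable query beside its
// prepared-statement form. In-memory SQLite via PDO; table and rows constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$db->exec("INSERT INTO articles VALUES (1, 'Public post', 1), (2, 'Unpublished draft', 0)");

// Constructed input for ?id= : a string where a number was expected.
$id = '0 OR 1=1';

// Vulnerable: the value is pasted into the SQL text, so the WHERE clause
// becomes "published = 1 AND id = 0 OR 1=1" and every row, including the
// unpublished draft, comes back (data retrieval).
function published_article_unsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, title FROM articles WHERE published = 1 AND id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a prepared statement sends the SQL and the value separately; the
// value is only ever compared, never parsed as part of the statement.
function published_article(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE published = 1 AND id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);   // validate the type as well
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Where a legacy query cannot be parameterised yet, use the extension's own
// escaping function and keep the value quoted: PDO::quote() adds the quotes
// itself; mysqli offers real_escape_string() for the same job.
function search_titles_escaped(PDO $db, string $term): array
{
    $quoted = $db->quote('%' . $term . '%');
    $sql = "SELECT id, title FROM articles WHERE title LIKE $quoted";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

print_r(published_article_unsafe($db, $id));          // both rows: the draft leaks
print_r(published_article($db, $id));                 // empty: there is no id 0
print_r(search_titles_escaped($db, "' OR 1=1 --"));   // empty: the quote is escaped
```

Prepared statements are the default choice because they remove the whole class of bug; escaping works only for quoted string values and never for table or column names, so the whitelist-of-tokens approach from the code injection notes applies to those.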

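The session fixation countermeasures (regenerate the id on authentication, compare the browser signature, safer session settings), as an added example that is not from the talk. It assumes cookie-based PHP sessions and that $authenticated_user is whatever WebAuth or a local check produced; the signature headers chosen are an assumption.

```php
<?php
// Added example, not from the talk: regenerate the session id whenever the
// user authenticates and bind the session to a browser signature.

// Settings that close the usual fixation routes (php.ini or ini_set before
// session_start): ids only from cookies, never from the URL; reject ids the
// server did not issue (use_strict_mode, PHP >= 5.5.2); no script access.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
// Safer storage: a private save_path instead of the shared default.
// ini_set('session.save_path', '/var/lib/php/sessions-thissite');   // assumed path
session_start();

// Signature from headers a given browser sends consistently.
function browser_signature(): string
{
    return hash('sha256',
        ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' .
        ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

function login(string $authenticated_user): void
{
    // Discard whatever id the browser arrived with (possibly one an attacker
    // handed it) and issue a fresh one; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['user']    = $authenticated_user;
    $_SESSION['sig']     = browser_signature();
    $_SESSION['created'] = time();
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function current_user(): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['sig'])) {
        return null;
    }
    // A mismatch means this id is being presented from a different browser.
    if (!hash_equals($_SESSION['sig'], browser_signature())) {
        logout();
        return null;
    }
    return $_SESSION['user'];
}

// Usage after the authentication step, whatever produced it:
// login($authenticated_user);
// $who = current_user();   // null when not logged in or signature mismatch
```

The signature check is a secondary control: User-Agent and Accept-Language are attacker-controllable, so it stops casual reuse of a captured id, not a deliberate attacker who copies the headers. The regeneration on login and use_strict_mode are what actually defeat fixation.
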
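The code injection notes (whitelist with unpredictable tokens, allow_url_fopen, open_basedir) and the file security note, as an added example that is not from the talk. The directory layout, the tokens and the configuration file are constructed; the php.ini values named in the comments are assumptions about the server.

```php
<?php
// Added example, not from the talk: a request-driven include, vulnerable and
// fixed, plus a configuration file kept out of the web directory.
// Assumed layout (constructed): public/index.php (this file), public/pages/*.php,
// and config/db.php one level above public/. Assumed php.ini: allow_url_fopen = Off,
// allow_url_include = Off (PHP 5.2+), open_basedir limited to the site root.

// Vulnerable: the file name comes straight from the user, so a traversal path
// or, with allow_url_fopen on, a URL of the user's choosing ends up in include().
function show_page_unsafe(string $page): void
{
    include 'pages/' . $page . '.php';
}

// Fixed: the request carries only an unpredictable token; the token-to-file
// map lives in code, so no user-supplied string ever becomes a path.
const PAGE_MAP = [
    'k3x9p2wq' => 'home',      // constructed tokens
    'v7m1c4zt' => 'about',
    'r8q5n0yd' => 'contact',
];

function show_page(string $token): void
{
    if (!isset(PAGE_MAP[$token])) {
        http_response_code(404);
        return;
    }
    $base = realpath(__DIR__ . '/pages');
    $file = $base === false ? false : realpath($base . '/' . PAGE_MAP[$token] . '.php');
    // Defence in depth, the same idea as open_basedir: the resolved path must
    // still sit under pages/.
    if ($base === false || $file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $file;
}

// File security: a settings file PHP must read need not be reachable by the
// browser. Kept above the document root it can be world-readable on disk
// without being downloadable. Assumes config/db.php returns an array.
function load_db_config(): array
{
    $config = include __DIR__ . '/../config/db.php';
    if (!is_array($config) || !isset($config['dsn'])) {
        throw new RuntimeException('db config missing or malformed');
    }
    return $config;
}

// eval() on foreign data is code injection by definition; no filtering makes
// it safe, so it has no fixed counterpart here.

show_page((string) ($_GET['p'] ?? ''));
```

The token map also answers the "which files are included" question a Google Code Search pattern like the one above would flag: the grep for include/require followed by $_GET finds show_page_unsafe() but not show_page(), because the request value never reaches the include expression.
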
Joomla Content Management System

Presenter: Mike Tierney, Fine Arts

  • An open source CMS running on PHP/MySQL
  • Mike demonstrated the backend administrative portion of Joomla
  • The interface is easy to use and visual, so users are easy to train; updating and adding content are fluid; it is not the easiest system to use, but it is more robust than Drupal, and the learning curve is less than Typo3's; it provides for multisites and allows shared source; the templating system is friendly; patches and updates are easy to maintain.
  • User admin: not easy to set up for backend access; can't customize who has access to specific areas; comes with some default modules that can be modified, or you can build custom modules.
  • Can't automate the navigation; uses TinyMCE for editing; it can allow you to control what features users have access to; it can allow users to edit through the frontend.
  • User management and content management are easy to pick up; it is a news-oriented system and lends itself to the blog-type format; provides built-in pagination.