PHP Vulnerabilities in Web Servers

Abstract:

The Internet has grown to be hugely popular and used by people of all different backgrounds and professions. Individual web pages are created by just about everyone whether or not they have any development experience or not. PHP (PHP: Hypertext Preprocessor) is one of the more popular scripting languages used by beginners and advanced users. It is an attractive alternative to Java for the novice user but little do they know there are some frightening vulnerabilities that can be exploited by clients looking to cause problems or gain access to private information or resources that cannot be tied to them. A few of these exploits include remote and local file inclusion or execution. Through these basics types of vulnerabilities a malicious client could gain complete access to a web server. To avoid these attacks a web developer needs to take care when writing PHP scripts. The most common mistake made by developers is to unknowingly expose internal variables to clients or when access is needed not properly sanitizing them to ensure the values make sense for the context in which they are being used. If un-sanitized variables are used in conjunction with certain PHP function calls private files can be accessed or remote files can be uploaded and executed. A few of the more dangerous PHP functions calls are _GET[] or passthru(). These functions need to be used with care or disabled by the system administrator to avoid problems with badly written PHP scripts. To aid in the detection of potential vulnerabilities the authors of this paper implemented a Vulnerability Detection Tool (VDT). The tool is a java based program which takes a set of user defined rules then uses these rules to parse through the contents of every file in a web development directory. If a defined rule is violated a report giving the filename, line number, and severity is displayed in the progress window of the GUI. Readers are encouraged to evaluate the tool, provide feedback to the authors, and when so motivated submit improvements to the tool.

Table of Contents:

• 1. Introduction
• 2. Background
  • 2.1 PHP
  • 2.2 Apache Web Server
• 3. Investigating PHP Vulnerabilities
  • 3.1 PHP Script Vulnerabilities
    • 3.1.1 Local Vulnerabilities
    • 3.1.2 Remote Vulnerabilities
  • 3.2 Vulnerabilities Caused by PHP Configuration
  • 3.3 Other Vulnerabilities
• 4. Vulnerability Detection Tool
  • 4.1 Basic Tool Design Considerations
    • 4.1.1 Portability
    • 4.1.2 Syntactical Differences
    • 4.1.3 Flexibility to Include New Vulnerabilities
  • 4.2 Tool Requirements, Installation, and Start-Up
  • 4.3 VDT User Manual
    • 4.3.1 Specification of HTML Directory and Configuration File
    • 4.3.2 Search Rule Settings
    • 4.3.3 Configuration Rule Settings
• 5. Summary
• 6. References
• Download VDT
• Acronyms

View the complete report online

Download the paper in Adobe Acrobat format

Download the Vulnerability Detection Tool (VDT)