Basic PHP security tips

Setting 777 as the file or directory permission allows the nobody user (the account the web server typically runs as) to edit the file and execute it.

Always set PHP script permissions to 755 so that other users cannot edit or change them.

register_globals = On causes parameters passed in the URL to be initialised as PHP variables.

if ( $KEY == "XXXX" ) { $check = 1; }

if ( $check == 1 ) { /* show admin panel */ }

If the request is password.php?check=1, then $check is initialised to 1 and the 'admin area' is shown whether or not the correct KEY was entered.

Solution:

Either disable register_globals or make sure to initialize variables.

In this case, initialize $check = 0 at the top of the code.
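The same admin check, written so that it does not depend on register_globals at all. This is an added example, not code from the original post: $check is initialised before any input is looked at, the key is read explicitly from $_POST instead of from an auto-created global, and the comparison uses hash_equals(). The field name 'key' and the placeholder secret are assumptions. (register_globals was removed in PHP 5.4; on older installs set register_globals = Off in php.ini as well.)

```php
<?php
// Added example (not from the original post): admin check that is safe with
// register_globals = On. The 'key' POST field and ADMIN_KEY are assumed values.

const ADMIN_KEY = 'replace-with-a-real-secret';   // assumed placeholder secret

// 1. Initialise every variable that takes part in the decision. A request such
//    as password.php?check=1 can no longer pre-set it, even with register_globals.
$check = 0;

// 2. Read input from the superglobal explicitly instead of relying on a global $KEY.
$key = isset($_POST['key']) ? (string) $_POST['key'] : '';

// 3. Compare with hash_equals() so the comparison does not leak timing information.
if ($key !== '' && hash_equals(ADMIN_KEY, $key)) {
    $check = 1;
}

// 4. Only code in this file can have set $check to 1 at this point.
if ($check === 1) {
    echo "admin panel\n";   // show admin panel
} else {
    http_response_code(403);
    echo "forbidden\n";
}
```

Reading from $_POST (or $_GET) by name is the habit that makes register_globals irrelevant: a variable that is always assigned in the script before use cannot be supplied by the request.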

3. Issues with functions like exec(), system() and backticks:

Problem:

Passing user input to the exec() function can have very bad results.

For example, with system($input_from_user) the user can enter any command as input and have it executed.

Even all the contents can be deleted by just giving "rm -rf *".

Also in the exec() function the user can run any additional command by just using a semicolon (;) in the argument section.

Solutions:

Disable insecure functions with the disable_functions directive in php.ini, for example disable_functions = system,exec

Use escapeshellcmd() if allowing the user to specify commands.

Use escapeshellarg() if allowing the user to specify arguments. It puts single quotes around the string and escapes any existing single quotes inside it.
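An added example (not from the original post) of the escapeshellarg() pattern for the case where exec() is intentionally kept enabled: the command name is fixed in code, the user only supplies an argument, and that argument is validated against an allowlist and then wrapped with escapeshellarg() so a semicolon, pipe or backtick is passed to the shell as literal text. The use of ping and the hostname pattern are assumptions for this example.

```php
<?php
// Added example (not from the original post): run a fixed command with one
// user-supplied argument. The command (ping) is an assumption for the example.

function pingHost(string $userInput): string
{
    // Allowlist first: a hostname or IPv4 address only contains these characters,
    // so anything else is rejected before it gets anywhere near the shell.
    if (!preg_match('/^[A-Za-z0-9.\-]{1,253}$/', $userInput)) {
        throw new InvalidArgumentException('invalid host');
    }

    // escapeshellarg() wraps the value in single quotes and escapes any single
    // quotes inside it, so the shell receives exactly one argument no matter
    // what characters the value contains.
    $arg = escapeshellarg($userInput);

    $output = [];
    $status = 1;
    exec('ping -c 1 ' . $arg, $output, $status);

    if ($status !== 0) {
        return 'ping failed';
    }
    return implode("\n", $output);
}

// What the shell would see for a constructed input containing a semicolon:
// the whole string, quotes included, is one literal argument to ping.
echo escapeshellarg('example.com; ls'), "\n";

// Normal use, with a constructed input value:
echo pingHost('example.com'), "\n";
```

The allowlist does the real work here; escapeshellarg() is the second layer for inputs that are legitimately free-form. Never let the user choose the command itself if it can be avoided, and keep disable_functions set on installs that do not need shell access at all.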

4. Issues with Including Files:

Problem:

Passing a page path as a request variable may get you in trouble.

The user can include a remote file which may contain malicious scripts. An attacker can also include other local files.

If a PHP page include.php looks like

$page = $_GET['path'];

include $page;

then "include.php?path=http://hackingsite.com/hacking.php" will include the remote file hacking.php, so the attacker can execute the hacking.php script on your server.

Solutions:

It can be disabled by setting allow_url_fopen = Off in php.ini.

Also set the open_basedir correctly in the php.ini.

open_basedir restricts file access, including inclusion, to the defined directory.

Also check the file name with a 'switch' or 'if' to make sure that it is an allowed one.
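An added example (not from the original post) of the allowlist check described above: include.php rewritten so that the path never comes from the request. The user supplies a short page name that is looked up in a fixed map of files, and a realpath() check confirms the resolved file is still inside the pages directory. The page names, the pages/ directory and the 'page' parameter are assumptions. On the php.ini side, allow_url_fopen = Off disables remote includes; PHP 5.2 and later also has a separate allow_url_include directive, which should be Off as well (it defaults to Off).

```php
<?php
// Added example (not from the original post): include.php with an allowlist.
// Page names, the pages/ directory and the 'page' parameter are assumed.

$allowedPages = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

$requested = isset($_GET['page']) ? (string) $_GET['page'] : 'home';

if (!array_key_exists($requested, $allowedPages)) {
    // Unknown key: never fall back to the user's string in any form.
    http_response_code(404);
    exit('page not found');
}

// Build the path from the allowlisted file name and a directory fixed in code,
// so neither "../" sequences nor URLs can ever reach include.
$baseDir = realpath(__DIR__ . '/pages');
$file    = realpath(__DIR__ . '/pages/' . $allowedPages[$requested]);

// Defence in depth: confirm the resolved file really lives under pages/.
// open_basedir in php.ini enforces the same boundary at the PHP level.
if ($baseDir === false || $file === false
    || strpos($file, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('page not found');
}

include $file;
```

The matching php.ini settings for this layout would be allow_url_fopen = Off, allow_url_include = Off and open_basedir pointing at the application directory; the directory value is deployment-specific and not given on this page.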

5. Issues with SQL Injection Attacks:

Problem:

Consider the script below.

If the user has entered the username

' OR 1=1 #

and the password

XXXX

then the query will be

SELECT AcctNo FROM Users WHERE Username = '' OR 1=1 #' and Password = 'XXXX'

MySQL treats everything after the # as a comment, so it is ignored.

The remaining query will always select all the account numbers and return them, so the user gets the account numbers even without a correct username and password.

Giving the password as a value like ' OR 'X' = 'X will also bypass this query.

The problem here comes from the ' (single quote) entered by the user.

Solution:

There are two ways to prevent this.

The first is the function addslashes(). It adds a \ (backslash) before every ' (quote) so the quote has no effect.

So before executing the query you should pass the input through mysql_real_escape_string(). That is, it should look like

$user = mysql_real_escape_string($_POST['username']);

$pass = mysql_real_escape_string($_POST['password']);

Another option is magic_quotes_gpc. You can set it to 'On' in php.ini.

If it is On, PHP adds a backslash before all single quotes and double quotes in strings coming from an HTML form, so they are escaped.

Or use prepared statements.
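An added example (not from the original post) of the prepared-statement option, shown beside the vulnerable concatenation from this section. It uses PDO with emulated prepares turned off so the query text and the values travel to the server separately, and a quote or # in the input is just data. Table and column names follow the query above; the DSN, credentials and the PasswordHash column with password_verify() are assumptions for this example. Note that magic_quotes_gpc was removed in PHP 5.4 and the mysql_* functions in PHP 7, so on current PHP the prepared-statement route is the only one of the three still available.

```php
<?php
// Added example (not from the original post): the login query as a prepared
// statement. DSN, credentials and the PasswordHash column are assumed.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';

// Vulnerable form (kept as a comment for comparison): the user's quotes become
// part of the SQL, so the username ' OR 1=1 # turns the WHERE clause into
// "... OR 1=1" and comments out the password check.
// $sql = "SELECT AcctNo FROM Users WHERE Username = '$user' AND Password = '$pass'";

// Safe form: the placeholder is compiled by the server before the value is
// bound, so no input can change the structure of the statement.
$stmt = $pdo->prepare('SELECT AcctNo, PasswordHash FROM Users WHERE Username = :username');
$stmt->execute([':username' => $user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Passwords are stored as hashes and checked in PHP with password_verify(),
// rather than compared in plain text inside the SQL as in the original query.
if ($row !== false && password_verify($pass, $row['PasswordHash'])) {
    echo 'account: ' . $row['AcctNo'] . "\n";
} else {
    http_response_code(401);
    echo "login failed\n";
}
```

With this form the inputs ' OR 1=1 # and ' OR 'X' = 'X from this section simply fail to match any username; there is no string for them to break out of.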
