Examples of vulnerable PHP code? [closed]

Answer 1

Allowing upload and not checking extension. Observe:

Site A allows image uploading and displays them.

Cracker guy uploads a file and tricks you to believe its an image file (via HTTP mimetypes). This file has PHP extension and contains malicious code. Then he tries to see his image file and because every PHP extesioned file is executed by PHP, the code is run. He can do anything that apache user can do.

Answer 2

XSS vulnerabilities are easy to show. Just create a page that puts the value of the GET variable "q" somewhere on the page and then hit the following URL:

http://mysite.com/vulnerable_page.php?q%3D%3Cscript%20type%3D%22javascript%22%3Ealert(document.cookie)%3B%3C%2Fscript%3E

This will cause the user's cookies to be displayed in an alert box.

Answer 3

Bobby Tables

Bobby Tables is a page devoted to detailing the ways that a script can be vulnerable via SQL injection. This is not unique to PHP, however, SQL injection is the cause of many web page vulnerabilities.

It might be someting you want to include in your presentation.

Answer 4

HTTP Response Splitting attack

If web application is storing the input from an HTTP request in cookie let's say

<?php setcookie("author",$_GET["authorName"]); ?>

It is very prone to HTTP response splitting attack if input is not validated properly for "\r\n" characters.

If an attacker submits a malicious string,such as "AuthorName\r\nHTTP/1.1 200 OK\r\n..",then the HTTP response would be split into two responses of the following form:

HTTP/1.1 200 OK
...
Set-cookie: author=AuthorName

HTTP/1.1 200 OK ...

Clearly,the second response is completely controlled by the attacker and can be constructed with any header and body content instead

Answer 5

CSRF for the win.

<?php
$newEmail = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
$pdoStatement = $pdoDb->prepare('UPDATE user SET email=:email WHERE ID=:id');
$pdoStatement->execute(array(':email'=>$newEmail, ':id'=>$_SESSION['userId']));

You feel safe with this kind of code. All is good your users can change their emails without injecting SQL because of your code. But, imagine you have this on your site http://siteA/, one of your users is connected. With the same browser, he goes on http://siteB/ where some AJAX does the equivalent of this code :

<form method="post" action="http://site/updateMyAccount.php">
  <p>
    <input name="email" value="badguy@siteB"/>
    <input type="submit"/>
  </p>
</form>

Your user just got his email changed without him knowing it. If you don't think this kind of attack is dangerous, ask google about it

To help against this kind of attacks, you can either :

• Check your user REFERER (far from perfect)
• Implement some tokens you had to your forms and check their presence when getting your data back.

Another one is session hijacking. One of the methods to do it is piggybacking. If your server accepts non cookie sessions, you can have URLs like http://siteA/?PHPSESSID=blabla which means your session ID is blabla.

An attacker can start a session and note his session ID, then give the link http://siteA/?PHPSESSID=attackerSessionId to other users of your website. When these users follow this link, they share the same session as your attacker : a not logged session. So they login. If the website does not do anything, your attacker and your user are still sharing the same session with the same rights. Bad thing if the user is an admin.

To mitigate this, you have to use session_regenerate_id when your users credentials change (log in and out, goes in administration section etc.).

Answer 6

I've seen code like this written in the past:

foreach ($_REQUEST as $var => $val) {
    $$var = $val;
}

It's a way to simulate the maligned register_globals option. It means you can access your variables like this:

$myPostedVar

rather than the terribly more complicated:

$_POST['myPostedVar']

The security risk pops up in situations like this:

$hasAdminAccess = get_user_access();

foreach ($_REQUEST as $var => $val) {
    $$var = $val;
}

if ($hasAdminAccess) { ... }

Since all you'd have to do is add ?hasAdminAccess=1 to the url, and you're in.