[REVS] PHP 4.1.0 Integrates Much Needed Security Features
From: support@securiteam.comDate: 12/19/01
- Previous message: support@securiteam.com: "[NEWS] SpiDynamics WebInspect Keeps Track of Its Users (Trial License)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Wed, 19 Dec 2001 02:26:42 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
PHP 4.1.0 Integrates Much Needed Security Features
------------------------------------------------------------------------
SUMMARY
PHP 4.1.0 has been released, and one of its major improvements involves a
new interface to user provided data. The interface will "on-the-fly" clean
the user provided input from any malicious content, allowing secure PHP
coding with little hassle.
DETAILS
PHP 4.1.0 includes several other key improvements:
* A new input interface for improved security (read below)
* Highly improved performance in general
* Revolutionary performance and stability improvements under Windows. The
multithreaded server modules under Windows (ISAPI, Apache, etc.) perform
as much as 30 times faster under load!
* Versioning support for extensions. Right now, it is barely being used,
but the infrastructure was put in place to support separate version
numbers for different extensions. The negative side effect is that loading
extensions that were built against old versions of PHP will now result in
a crash, instead of in a nice clear message. Make sure you only use
extensions built with PHP 4.1.0.
* Turn-key output compression support
* LOTS of fixes and new functions
Security feature:
New Input Mechanism
First and foremost, it's important to stress that PHP 4.1.0 still supports
the old input mechanisms from older versions. Old applications should go
on working fine without modification!
For various reasons, PHP setups which rely on register_globals being on
(i.e., on form, server and environment variables becoming a part of the
global namespace, automatically) are very often exploitable to various
degrees. For example, the piece of code:
<?php
if (authenticate_user()) {
$authenticated = true;
}
..
?>
May be exploitable, as remote users can simply pass on 'authenticated' as
a form variable, and then even if authenticate_user() returns false,
$authenticated will actually be set to true. While this looks like a
simple example, in reality, quite a few PHP applications ended up being
exploitable by things related to this feature.
While it is quite possible to write secure code in PHP, PHP's developers
felt that the fact that PHP makes it too easy to write insecure code was
bad, and PHP's developers have decided to attempt a far-reaching change,
and deprecate register_globals. Obviously, because the vast majority of
the PHP code in the world relies on the existence of this feature, the
PHP's developers have no plans to actually remove it from PHP anytime in
the near future, but they have decided to encourage people to shut it off
whenever possible.
To help users build PHP applications with register_globals being off, the
have added several new special variables that can be used instead of the
old global variables. There are 7 new special arrays:
* $_GET - contains form variables sent through GET
* $_POST - contains form variables sent through POST
* $_COOKIE - contains HTTP cookie variables
* $_SERVER - contains server variables (e.g., REMOTE_ADDR)
* $_ENV - contains the environment variables
* $_REQUEST - a merge of the GET variables, POST variables and Cookie
variables. In other words - all the information that is coming from the
user, and that from a security point of view, cannot be trusted.
* $_SESSION - contains HTTP variables registered by the session module
Now, other than the fact that these variables contain this special
information, they are also special in another way - they are automatically
global in any scope. This means that you can access them anywhere, without
having to 'global' them first. For example:
<?php
function example1()
{
print $_GET["name"]; // works, 'global $_GET;' is not necessary!
}
?>
Will work fine! Hopefully this fact would ease the pain in migrating old
code to new code a bit, and the PHP developers are confident it is going
to make writing new code easier. Another neat trick is that creating new
entries in the $_SESSION array will automatically register them as session
variables, as if you called session_register(). This trick is limited to
the session module only - for example, setting new entries in $_ENV will
not perform an implicit putenv().
PHP 4.1.0 still defaults to have register_globals set to on. It is a
transitional version, and the PHP developers encourage application
authors, especially public ones that are used by a wide audience, to
change their applications to work in an environment where register_globals
is set to off. Of course, they should take advantage of the new features
supplied in PHP 4.1.0 that make this transition much easier.
As of the next semi-major version of PHP, new installations of PHP will
default to having register_globals set to off. No worries! Existing
installations, which already have a php.ini file that has register_globals
set to on, will not be affected. Only when you install PHP on a new
machine (typically, if you are a brand new user), will this affect you,
and then too - you can turn it on if you choose to.
Note: Some of these arrays had old names, e.g. $HTTP_GET_VARS. These names
still work, but the PHP's developer encourages users to switch to the new
shorter and auto-global versions.
ADDITIONAL INFORMATION
The information has been provided by <mailto:zeev@zend.com> Zeev Suraski.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] SpiDynamics WebInspect Keeps Track of Its Users (Trial License)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
