Web Server Hosting Forum by BODHost > Support > PHP Forum
#1
Old 12-14-09, 12:41
BOD Member
 
Join Date: Oct 2009
Posts: 49
PHP vulnerabilities

I was just reading a report that stated that the vulnerability of PHP to hackers and security breaches continues to rise. Anyone have any ideas for protection?
#2
Old 12-19-09, 16:14
Administrator
 
Join Date: Nov 2007
Posts: 123

Quote:
Originally Posted by Gelato View Post
I was just reading a report that stated that the vulnerability of PHP to hackers and security breaches continues to rise. Anyone have any ideas for protection?
Remember these 3 points in PHP security:
1) Upgrade to the latest version,
2) Keep safe_mode ON,
3) Disable the dangerous PHP functions; that'd suffice.
__________________
Regards,
Rocky
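The three points above can be checked mechanically. The script below is an added example, not code from Rocky's post: it reads the running interpreter's own configuration and reports which of the three points is not met. The version floor and the list of functions to disable are assumptions chosen for illustration; adjust both to your own policy.

```php
<?php
// Added example, not code from the forum post: a small audit of the three points
// listed above, run against the interpreter's own configuration. The version floor
// and the function list are assumptions chosen for illustration.
declare(strict_types=1);

const MIN_PHP_VERSION = '8.2.0';  // assumed floor: whatever release line you still patch
const RISKY_FUNCTIONS = [         // assumed list of functions to keep out of shared hosting
    'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen',
];

/**
 * Returns a list of findings; an empty list means all three points are satisfied.
 * $disabled is the raw disable_functions value, $safeModeOn the parsed safe_mode flag.
 */
function auditPhpHardening(string $version, string $disabled, bool $safeModeOn): array
{
    $findings = [];

    // 1) Upgrade to the latest version: compare the running release against the floor.
    if (version_compare($version, MIN_PHP_VERSION, '<')) {
        $findings[] = "PHP $version is older than the supported floor " . MIN_PHP_VERSION;
    }

    // 2) safe_mode only exists before PHP 5.4 (deprecated in 5.3, removed in 5.4),
    //    so it is only checked on builds that still have it.
    if (version_compare($version, '5.4.0', '<') && !$safeModeOn) {
        $findings[] = 'safe_mode is OFF on a pre-5.4 build';
    }

    // 3) Disable dangerous functions: each risky function must appear in disable_functions.
    $disabledSet = array_filter(array_map('trim', explode(',', $disabled)));
    foreach (RISKY_FUNCTIONS as $fn) {
        if (!in_array($fn, $disabledSet, true)) {
            $findings[] = "$fn is still callable; add it to disable_functions in php.ini";
        }
    }
    return $findings;
}

// Run against the live interpreter, e.g.: php -d disable_functions=exec,system audit.php
$findings = auditPhpHardening(
    PHP_VERSION,
    (string) ini_get('disable_functions'),
    filter_var((string) ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)
);
echo $findings === [] ? "OK: all three points satisfied\n" : implode("\n", $findings) . "\n";
```

On any current PHP release the safe_mode check never fires, because the directive no longer exists; the controls that actually isolate sites today are disable_functions, open_basedir, and running each site's PHP as its own user (suPHP, suexec, or a per-site PHP-FPM pool).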
#3
Old 07-29-10, 07:59
BOD Member
 
Join Date: Jul 2010
Posts: 6
PHP vulnerabilities

PHP supports uploading of files using the HTTP POST request method. This feature usually is not a security problem in itself, because security mechanisms have been added to protect it from abuse. However, flaws in the implementation of POST could still render it vulnerable.

regards,
phe9oxis.
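The post above notes that upload handling is only as safe as the code that receives the POST. The following is an added example, not code from the post: a handler that accepts a file from `$_FILES` only after checking PHP's own error code, confirming the temp file really came from this request, bounding the size, allow-listing the extension, sniffing the content type, and storing the file under a generated name. The upload directory and the allow-list are assumptions.

```php
<?php
// Added example, not from the forum post: validating a file received through an HTTP POST
// upload before it is kept. The upload directory and the allow-list are assumptions.
declare(strict_types=1);

const ALLOWED_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];
const MAX_BYTES = 2 * 1024 * 1024;  // assumed limit

/**
 * Returns the stored path on success or throws RuntimeException with the reason.
 * $file is one entry of $_FILES; $uploadDir should sit outside the web root.
 */
function acceptUpload(array $file, string $uploadDir): string
{
    // PHP reports upload problems through the 'error' member; anything but OK is rejected.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    // Only trust files PHP itself placed in the temp directory for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name and type are untrusted: take the extension from the name
    // but decide the type by sniffing the actual content.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type '$sniffed' does not match .$ext");
    }
    // Never reuse the client's file name: a generated name rules out path tricks and overwrites.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move the uploaded file');
    }
    chmod($dest, 0640);  // stored data only, never executable
    return $dest;
}

// Handler for a form with <input type="file" name="document">.
if (isset($_FILES['document'])) {
    try {
        $stored = acceptUpload($_FILES['document'], '/var/www/uploads');  // assumed directory
        echo 'stored as ' . basename($stored) . "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The order of the checks matters: `is_uploaded_file()` before anything touches `tmp_name`, and the content sniff after the extension allow-list, so a file can neither be served from the web root under a script extension nor smuggle a different type under an allowed one.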
#4
Old 09-17-10, 09:01
BOD Member
 
Join Date: May 2009
Posts: 98

Quote:
Originally Posted by Gelato View Post
I was just reading a report that stated that the vulnerability of PHP to hackers and security breaches continues to rise. Anyone have any ideas for protection?

All programming languages have vulnerabilities. PHP is no exception. However, I do not believe the risk is becoming greater. In fact, it is probably getting better and better with each release.

With that in mind, PHP is very secure against people who don't have access to a user account on your system. However, this security is easily foiled by poor programming.

The biggest mistake people make is not escaping user input that is sent to a database. If you properly escape user input before putting it into a query for a database, you eliminate 99% of the potential attacks on your site.

The other 1% or so probably comes from web hosting servers where PHP is not run safely using suexec or suphp, or the like. When PHP on all sites is run as a single user, a single user who writes a bad script could open the entire server to a potential attack.

For me I use suphp.

All in all PHP is safe. PHP only becomes unsafe due to user negligence.

Other suggestions like safe_mode (now deprecated), disabling some functions, and others listed in this forum are also good.
__________________
Jeremy J

* Bodhost VPS Linux Account Holder
* Network Information Systems Professional
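To make the "escape user input before it reaches the query" point concrete, here is an added example that is not the poster's code: the same lookup written twice, once by splicing the input into the SQL text and once as a prepared statement with a bound parameter. The schema and sample rows are constructed so the script runs offline against an in-memory SQLite database.

```php
<?php
// Added example (not the poster's code): one user lookup written twice, first by splicing
// the input into the SQL text and then as a prepared statement. Schema and rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Unsafe: the value becomes part of the statement, so whatever it contains is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement text is fixed and the value is bound separately, never parsed as SQL.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary name that happens to contain a quote character.
$input = "O'Brien";

try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The quote ended the string literal early: the input changed the statement itself.
    echo 'concatenated query failed: ' . $e->getMessage() . "\n";
}

$rows = findUserSafe($pdo, $input);
echo 'prepared statement returned ' . count($rows) . ' row(s): ' . $rows[0]['name'] . "\n";
```

The failing query is the whole point: if a harmless apostrophe can change the statement, so can anything else the user types. Binding parameters removes the need to escape at all; where legacy code must build SQL strings, `PDO::quote()` or `mysqli_real_escape_string()` is the escaping the poster refers to, and it must be applied to every value, every time.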
#5
Old 09-17-10, 10:30
BOD Member
 
Join Date: Oct 2009
Posts: 100

I still think that there is no danger unless you yourself provoke the hackers somehow. Then I think, if they have enough skills, they can damage your site.
#6
Old 09-17-10, 10:35
BOD Member
 
Join Date: May 2009
Posts: 98

Quote:
Originally Posted by Crazzy View Post
I still think that there is no danger unless you yourself provoke the hackers somehow. Then I think, if they have enough skills, they can damage your site.
Never think that. This is why hackers write bots. They pick a method of attack and then have that bot try it at hundreds of thousands of servers around the world at random (not really random to them, but random to the Internet).

Therefore, you never have to provoke anyone. Let me put it this way: everyone here who has a server with Bodhost probably has at least 3-5 hackers a day attempting to break in somehow.

These are automated hackers (robots) usually.

I know for a fact there are robots that try to SQL inject into web forms, thus looking for poor PHP (or whatever is being used) scripting.
__________________
Jeremy J

* Bodhost VPS Linux Account Holder
* Network Information Systems Professional
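The automated probing described above leaves traces in the web server's access log, and spotting it is a useful first detection. The script below is an added example, not the poster's code: it scans combined-format access log lines, URL-decodes each request target, and counts per source address how many requests carry typical injection markers. The log lines are constructed, and the pattern list is an illustrative assumption rather than a complete ruleset.

```php
<?php
// Added example (not from the post): scanning an access log for automated injection probing.
// The log lines are constructed and the pattern list is an illustrative assumption.
declare(strict_types=1);

const ACCESS_LOG = <<<'LOG'
203.0.113.5 - - [17/Sep/2010:10:35:01 -0600] "GET /index.php?id=12 HTTP/1.1" 200 5123
203.0.113.5 - - [17/Sep/2010:10:35:02 -0600] "GET /index.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5123
198.51.100.7 - - [17/Sep/2010:10:35:03 -0600] "GET /about.php HTTP/1.1" 200 2210
203.0.113.5 - - [17/Sep/2010:10:35:04 -0600] "GET /index.php?id=12%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
LOG;

// Patterns applied to the URL-decoded request target.
const SQLI_PATTERNS = [
    '/\'\s*(or|and)\s*\'?\d/i',        // a quote followed by a boolean operator, e.g. ' OR '1
    '/\bunion\s+(all\s+)?select\b/i',   // UNION SELECT
    '/(--|#|\/\*)\s*$/',                // a SQL comment marker ending the request
];

/** Returns [ip => number of suspicious requests] for every source with at least one hit. */
function findInjectionProbes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the client IP and the request target out of the combined log format.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) /', $line, $m)) {
            continue;  // not a request line we understand; skip it
        }
        [, $ip, $target] = $m;
        $decoded = rawurldecode($target);  // probes almost always arrive URL-encoded
        foreach (SQLI_PATTERNS as $re) {
            if (preg_match($re, $decoded)) {
                $hits[$ip] = ($hits[$ip] ?? 0) + 1;
                break;  // one hit per request is enough
            }
        }
    }
    return $hits;
}

foreach (findInjectionProbes(ACCESS_LOG) as $ip => $n) {
    echo "$ip: $n suspicious request(s)\n";
}
```

Run as written it reports 203.0.113.5 with two suspicious requests and nothing for 198.51.100.7. Decoding before matching is the step people forget; the raw log line for the second request contains no quote character at all. A count per source over a time window, rather than a single match, is what separates a scanning bot from one user who typed an apostrophe.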
#7
Old 09-17-10, 10:37
BOD Member
 
Join Date: Oct 2009
Posts: 100

You are right, I forgot about that. But I was more referring to those bigger sites that usually become popular targets.
#8
Old 09-17-10, 10:41
BOD Member
 
Join Date: May 2009
Posts: 98

Quote:
Originally Posted by Crazzy View Post
You are right, I forgot about that. But I was more referring to those bigger sites that usually become popular targets.
Yeah, bigger sites are more likely to have actual people attack them. The plain reason is: bigger prize if you succeed.

Example: If I managed to break into the users database(s) of Facebook that would be e, and I would have a lot of leverage with that data. But if someone was to break into the user database of my personal site, it would prove really useless to them.

Most people trying to break into my server would have more of a goal of using it to run a spambot or something.
__________________
Jeremy J

* Bodhost VPS Linux Account Holder
* Network Information Systems Professional
#9
Old 09-17-10, 10:45
BOD Member
 
Join Date: Oct 2009
Posts: 100

Quote:
Originally Posted by JeremyWJ View Post
Yea, bigger sites are more likely to have actual people attack them. Plain reason is: bigger prize if you succeed.

Example: If I managed to break into the users database(s) of Facebook that would be e, and I would have a lot of leverage with that data. But if someone was to break into the user database of my personal site, it would prove really useless to them.

Most people trying to break into my server would have more of a goal of using it to run a spambot or something.
Good point! Which opens up a whole new topic... which would be most profitable site to break in? But I don't think that would be appropriate to talk about.
#10
Old 12-07-10, 03:33
BOD Member
 
Join Date: Dec 2010
Posts: 14

Thank you for sharing! Thanx
#11
Old 12-08-10, 07:52
BOD Member
 
Join Date: Nov 2010
Posts: 115

As we all know, these kinds of vulnerabilities are caused by not following the best programming rules and guidelines, and therefore hosting PHP applications on a server needs cautious and constant attention to deal with these security flaws. However, users should opt for PHP security patches such as Suhosin and Hardening-patch. These two advanced security patches are specially designed for a secure web hosting environment.


Quote:
According to wikipedia the total proportion of PHP-related vulnerabilities on the database amounted to 20% in 2004, 28% in 2005, 43% in 2006, 36% in 2007, 35% in 2008, and 30% in 2009.
#12
Old 12-10-10, 02:42
New Member
 
Join Date: Dec 2010
Location: 3 Plumridge,Rd Doylestown,PA,18902
Posts: 2

I also did some kind of PHP coding, but never thought of these kinds of vulnerabilities. I think you have given the most useful information, which will be helpful to many others, including me. It is possible to fix PHP vulnerabilities and make PHP applications more secure.
#13
Old 12-23-10, 14:30
BOD Member
 
Join Date: Dec 2010
Posts: 5
plrprivatelabelrights

You can use Ensim with both Linux and Windows platforms. If you are ready to do some little work, you can export an X session in Linux to get a GUI. And if you are going to use the Windows platform and run into problems, it is quite harder to troubleshoot. In my opinion, use a Linux-based RHCE platform for Ensim. Red Hat certified, Ensim for Linux includes all the necessary to
#14
Old 12-23-10, 14:31
BOD Member
 
Join Date: Dec 2010
Posts: 5
plrprivatelabelrights

Does the benefit that Ensim can be used with both linux and windows compare with the fact that cPanel is more popular and has more features?
#15
Old 12-23-10, 14:32
BOD Member
 
Join Date: Dec 2010
Posts: 5
plrprivatelabelrights

I thought the whole point of VPS servers was their flexibility in allocating resources such as disk space, RAM etc. to different customers. In fact I chose bodhost so I could tack on RAM, disk space, bandwidth as the needs arose (am certain this was discussed with a sales chat client when purchasing) - now it seems I am locked into inflexible packages.
#16
Old 12-23-10, 14:33
BOD Member
 
Join Date: Dec 2010
Posts: 5
plrprivatelabelrights

The packages on BODhost.com and BODhost.co.uk are different, as the plans (servers) on BODhost.com are set up in our US data center, whereas plans (servers) on BODhost.co.uk are set up in our UK data center. There is a difference in the pricing of the hardware, its availability etc. in the US and in the UK.
#17
Old 12-23-10, 14:34
BOD Member
 
Join Date: Dec 2010
Posts: 5
plrprivatelabelrights

That's right. We have Shared, Reseller, Cloud, VPS and dedicated servers available from our UK DC.
#18
Old 01-19-11, 04:51
BOD Member
 
Join Date: Jan 2011
Posts: 6

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term "vulnerability" is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.

Please do not post any actual vulnerabilities in products, services, or web applications. Those disclosure reports should be posted to bugtraq or full-disclosure mailing lists.
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.
Copyright © 1999-2012, BODHost Ltd. All rights reserved.