Feeds

PHP apps: security's low-hanging fruit

Why PHP apps accounted for 43% of security issues in 2006

The Power of One eBook: Top reasons to choose HP BladeSystem

Applications written in every language can, will, and have had a myriad of security vulnerabilities over the years. It doesn't matter if it's C++, Perl, ASP, Visual Basic, Python, or Ruby and Ruby on Rails. Every language or rapid development framework has its strengths and weaknesses. Personally, I've tended to avoid frameworks like Ruby on Rails, for example, because it felt like I was drilling my own teeth – sometimes it's a little scary not knowing exactly what's going on inside, just in case something goes wrong.

PHP has had the greatest appeal among new web programmers eager to build database applications and support XML and Ajax. The language has welcomed thousands of new programmers to the joy of programming. The PHP Group should be proud of that. But it comes with a dark side.

I have no doubt that some PHP Group developers shake their head at the very basic security mistakes that many new programmers make. The problems are all over the web. They're user issues, so they probably don't concern themselves with them. But they should.

The same mistakes are being made over and over again, and people aren't learning. This is an opportunity for the PHP Group to provide something new. How about a new SAFE_MODE that actually makes things safer in the language, and doesn't try to do what can already be done with infrastructure?

I'd like to see new defaults that limit include() and require() to only allow local files, thereby avoiding remote file injection. It would be nice to have a global way for a script to ignore all variables in the URL, avoiding unexpected variable manipulation and XSS forgeries. Maybe there's even a way to force users to filter input and escape output every time, helping to avoid SQL injection and all sorts of other common problems. That last one would go a long way.

It's an awful lot easier to compromise a typical LAMP server (Linux/Apache/MySQL/PHP) than it is to exploit a full-patched modern Windows desktop. It's not the OS, it's the application. Part of it is the popularity of PHP itself that has put so many insecure applications on the web, and part of it is how easy it is to make security mistakes when coding PHP. Without a defense-in-depth infrastructure, which is often lacking on a typical LAMP server, a PHP programming flaw often results in a full web server compromise.

The short of it all is, PHP apps can be made secure, but far too many are not.

The bigger picture

Why should the PHP Group care more about the mistakes of inexperienced programmers? That's an easy one. Many websites being exploited today are turned into phishing sites designed to steal money and identities from people who don't even know what PHP is, and in many cases barely know how to operate their own computer. In other words, the applications are abused by the criminal element. PHP doesn't need to stand for Perfect Haven for Phishing.

There are all sorts of automated scripts out there that search for vulnerable PHP applications, exploit them when found, and then automatically download a set of phishing HTML files and images that make John's Awesome Blog suddenly look like the Bank of America's login page. This also happens with ASP and Perl applications too, as well as those written in other languages, but today PHP is far more popular a target. That website owner, John, might be held responsible too if there weren't dozens of these incidents each day.

I'm not saying the PHP Group is responsible, but they could help. As architects of the language they should consider ways of hardening the language and its defaults against some of the real basic mistakes so many people are making.

I'm also not saying they should make PHP idiot-proof – think of all the wasted cycles and extra code trying to anticipate a thousand common mistakes! But there's an opportunity to continue to grow PHP without being at the expense of the security of the Internet as a whole.

If the PHP Group decides to take a leadership role in this, by adding new features or functionality that help new programmers make fewer common security mistakes, we'll all be better off.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

The Power of One eBook: Top reasons to choose HP BladeSystem

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.