
Thread: New Wiki Page: Remote File Inclusion Defense

  1. #1 (GuyPatterson; Join Date: Jul 2007; Location: 127.0.0.1; Posts: 392)

    New Wiki Page: Remote File Inclusion Defense

    I would like to see other 'security conscious' VPSlink subscribers (or VPSlink staff) expand on this page. The syntax/formatting could also use some help...?

    Remote File Inclusion Defense - VPSLink Wiki

    Thoughts? Comments? Suggestions?

  2. #2 (DanL@VPSLink; Join Date: Dec 2007; Posts: 1,141)

    Guy -

    Looks like a great start. I'll take a few passes and see what we can add over the next few days...

    Did we ever discuss my PHP Security Audit project?

    I'm still working on a v2.0, though any thoughts or suggestions there would be appreciated as well

  3. #3 (GuyPatterson; Join Date: Jul 2007; Location: 127.0.0.1; Posts: 392)

    Quote (Originally Posted by DanL@VPSLink):
        Did we ever discuss my PHP Security Audit project?
    No!? Can't believe you've been holding out on me this whole time... pff

    Quote (Originally Posted by DanL@VPSLink):
        I'm still working on a v2.0, though any thoughts or suggestions there would be appreciated as well
    How about a PHP script that one could include in their pages to log XSS/RFI/CSRF attempts to an SQL DB or even a flat CSV? The more data collected about the attack, the better. Seems simple enough to accomplish, and I have actually been meaning to put something together myself; however, other priorities seem to take precedence. Seems like no matter how many hours I sit in front of my workstation, nothing ever gets done... eehh..

    Site looks good (clean, simple, easy to nav. = win). I'll check out the script and report back asap.

    Regards,

    Guy

  4. #4 (DanL@VPSLink; Join Date: Dec 2007; Posts: 1,141)

    Quote (Originally Posted by GuyPatterson):
        How about a PHP script that one could include in their pages to log XSS/RFI/CSRF attempts to an SQL DB or even a flat CSV? The more data collected about the attack, the better.
    I was planning to add a fuzzer to the toolkit at the site after I have a chance to play with a few existing implementations and see if there isn't already a comprehensive solution - a fuzzer would accomplish the same goal for both new and existing applications (discover if and how the application is vulnerable) with lower overhead - i.e. test every time the app or fuzzer is updated, not every time a function is called.

    Short of figuring out some way to overload PHP functions (not happening without modifying the underlying PHP interpreter) I doubt it would be possible to implement an effective means for logging exploit activity on legacy applications - and there are far too many different applications to offer integration with existing sites.

  5. #5 (GuyPatterson; Join Date: Jul 2007; Location: 127.0.0.1; Posts: 392)

    Quote (Originally Posted by DanL@VPSLink):
        ... and there are far too many different applications to offer integration with existing sites.
    Good point. I'm having a hard time implementing:
    Code:
    runkit_constant_remove('PHP_VERSION');
    Where exactly should that go? I have runkit installed and working (it shows up in phpinfo), but no matter where I stick that line of code, "PHP_VERSION constant set" continues to show up...

    -- edit --

    Also, despite adding "splFileObject" to the disable_classes directive, the script indicates it's still enabled. phpinfo says "splFileObject" is a local & master value for the "disable_classes" directive. The disable_functions directive seems to work.

    Guy
    Last edited by GuyPatterson; 11-20-2009 at 02:26 PM.

  6. #6 (DanL@VPSLink; Join Date: Dec 2007; Posts: 1,141)

    Quote (Originally Posted by GuyPatterson):
        I'm having a hard time implementing:
        Code:
        runkit_constant_remove('PHP_VERSION');
        Where exactly should that go?
    Quote (Originally Posted by GuyPatterson):
        Also, despite adding "splFileObject" to the disable_classes directive, the script indicates it's still enabled. phpinfo says "splFileObject" is a local & master value for the "disable_classes" directive. The disable_functions directive seems to work.
    Hmm... Looks like I have some bugs to check out over the weekend. (And thank you for the most feedback I've received thus far beyond "Cool.")

    Which version of PHP do you have installed?

  7. #7 (GuyPatterson; Join Date: Jul 2007; Location: 127.0.0.1; Posts: 392)

    Quote (Originally Posted by DanL@VPSLink):
        Which version of PHP do you have installed?
    PHP Code:
    [635][nydc ~]:# php5-cgi -v
    PHP 5.2.6-1+lenny3 with Suhosin-Patch 0.9.6.2 (cgi-fcgi) (built: Apr 26 2009 22:11:16)
    Copyright (c) 1997-2008 The PHP Group
    Zend Engine v2.2.0
    Copyright (c) 1998-2008 Zend Technologies
    [636][nydc ~]:

  8. #8 (DanL@VPSLink; Join Date: Dec 2007; Posts: 1,141)

    Quote (Originally Posted by GuyPatterson):
        I'm having a hard time implementing:
        Code:
        runkit_constant_remove('PHP_VERSION');
        Where exactly should that go? I have runkit installed and working (it shows up in phpinfo), but no matter where I stick that line of code, "PHP_VERSION constant set" continues to show up...
    Figured that one out (my mistake for tossing in that recommendation without following up) - runkit_constant_remove() is limited to userland constants; would need to recompile PHP to get the desired effect (I'll look into doing that, though I don't know that I would recommend it).

    Quote (Originally Posted by GuyPatterson):
        Also, despite adding "splFileObject" to the disable_classes directive, the script indicates it's still enabled. phpinfo says "splFileObject" is a local & master value for the "disable_classes" directive. The disable_functions directive seems to work.
    Apparently the disable_classes directive expects lowercase letters or "splfileobject" - tested and confirmed that this is the (highly counter-intuitive) case.

    Code:
    disable_classes = splfileobject
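As an added example (not code from this thread, from the VPSLink wiki page, or from the PHP Security Audit project), the following PHP front controller ties together the two defensive points raised above: an allow-list gate in front of `require` that refuses any value not naming a known local page and writes rejected attempts to a flat CSV (the logging idea from post #3), and a php.ini report that compares `disable_classes` in lowercase, since the directive stores class names that way (post #8). It assumes PHP 7.1 or later, a `pages/` directory beside the script, a writable `rfi_attempts.csv`, and the page names in `ALLOWED_PAGES`; all of these are constructed for the example.

```php
<?php
// Added example, not part of the thread or the PHP Security Audit project.
// Assumed layout: page fragments live in ./pages/<name>.php (constructed).
const ALLOWED_PAGES = ['home', 'about', 'contact'];       // constructed allow-list
const PAGE_DIR      = __DIR__ . '/pages';                  // assumed directory
const ATTEMPT_LOG   = __DIR__ . '/rfi_attempts.csv';       // assumed log path

/**
 * Map a user-supplied page name to a local file, or null if it is rejected.
 * The identifier regex (anchored with \z so a trailing newline cannot slip
 * past) rules out "http://", "../", null bytes and php:// wrappers before
 * the allow-list is even consulted.
 */
function resolve_page(string $requested): ?string
{
    if (!preg_match('/^[a-z0-9_-]{1,32}\z/i', $requested)) {
        return null;
    }
    $name = strtolower($requested);
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    return PAGE_DIR . '/' . $name . '.php';
}

/**
 * Append one rejected request to the CSV log. fputcsv() quotes and escapes
 * the raw value, so commas or newlines in the attacker-controlled input
 * cannot forge extra log rows.
 */
function log_attempt(string $param, string $value, string $logfile = ATTEMPT_LOG): void
{
    $row = [
        date('c'),
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $_SERVER['REQUEST_URI'] ?? '',
        $param,
        $value,
    ];
    $fh = fopen($logfile, 'a');
    if ($fh !== false) {
        flock($fh, LOCK_EX);
        fputcsv($fh, $row);
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

/**
 * Report the php.ini settings that matter for remote file inclusion.
 * disable_classes is matched in lowercase (as found in post #8), so the
 * configured list is lowercased before the comparison.
 */
function rfi_config_report(): array
{
    $disabled = array_map('trim', explode(',', strtolower((string) ini_get('disable_classes'))));
    return [
        'allow_url_include'      => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'        => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'splfileobject_disabled' => in_array('splfileobject', $disabled, true),
    ];
}

// Usage: ?page=<name> is only ever turned into a local path via the allow-list.
$page = $_GET['page'] ?? 'home';
$path = resolve_page($page);
if ($path === null) {
    log_attempt('page', $page);
    http_response_code(400);
    exit('Invalid page');
}
if (!is_file($path)) {
    http_response_code(404);
    exit('Page not found');
}
require $path;
```

Run it as the entry point that receives `?page=...`. Because the only values that reach `require` are built from a fixed list of local names, a remote URL or traversal string in the parameter never becomes an include target regardless of how `allow_url_include` is set; the report from `rfi_config_report()` is still worth checking so that the ini setting is off as a second layer, and so that `disable_classes = splfileobject` is actually being honoured rather than silently ignored because of its case.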
