Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hardened PHP

Posted by michael on from the start-with-phpnuke-please dept.

Frank Kreuzbach writes "Yesterday the Hardened-PHP Project has announced its existence on the PHP-general mailinglist. It is the first public patch for PHP which adds security hardening features. It is meant as a proactive approach to protect servers against known and unknown weaknesses within PHP scripts or the engine itself. It enforces restrictions on include statements, adds canary protection to allocated memory and other internal structures and protects against internal format string vulnerabilities. It has syslog support and logs every attack together with the originating ip."

29 of 187 comments (clear)

  1. Call Me Crazy But.... by CptSparrow · · Score: 4, Insightful

    From the site:

    to protect your servers on the one hand against a number of well known problems in hastily written PHP scripts

    Wouldn't a better defense be to simply write good code?

    1. Re:Call Me Crazy But.... by Karamchand · · Score: 4, Insightful

      Think about web space providers, usually they can't really control which scripts are executed on their servers by the customers. PHP's safe mode is cute already, but this can be an additional layer of security.

    2. Re:Call Me Crazy But.... by rollingcalf · · Score: 1, Insightful

      "Wouldn't a better defense be to simply write good code?"

      Yes. But that is something that over 50% of today's coders aren't capable of.

      --
      ---------
      There is inferior bacteria on the interior of your posterior.
    3. Re:Call Me Crazy But.... by The_Mystic_For_Real · · Score: 4, Insightful

      Of course the best way to secure anything is to take the time to write good code, but the reality is that many pages have to be put together in a limited amount of time by people with very little experience. I think that it is a good thing to see people in the security community keeping this in mind.

      --

      _____

      Thank you.

  2. is this just an excuse to write sloppy code by burritoKing · · Score: 4, Insightful

    it's certainly a step in the right direction, however as most vulnerabilitiesseem to come about as a result of poorly written code shouldn't the community be trying to educate newer (and some more experienced) PHP users.

    --
    What is CSSRepublic
    1. Re:is this just an excuse to write sloppy code by mumblestheclown · · Score: 5, Insightful
      i couldn't disagree more.

      as the japanese car makers discovered (or at least the idea came to prominence) in the 1950s, ANYBODY (even people with 93 PhDs) who assembles something makes mistakes occasionally. the trick is to limit the number of modalities that allow for mistakes. a person who is asked to make a wheel fairing in three minutes using simple hand tools will make far more mistakes than one who has a dedicted stamping machine.

      in fact, the japanese cars excelled in quality, worker satisfaction, and in the competitive marketplace for many years in large part that their idea that a) errors are natural stochastic processes b) the rate of errors in an any process is more determined by the design of the process than some inherent quality of the worker and therefore c) when a mistake is made, analyze the process, don't blame the worker as this will lead to d) continuous improvement and also empower workers to speak up.

      even the most experienced PhP programmer can make an error. education helps, but fixing the system is a better idea.

    2. Re:is this just an excuse to write sloppy code by wantedman · · Score: 2, Insightful

      Not really sure I understand. Surely a better way would be to train the person, rather than build in safeguards just in case they produce something that is faulty ( a likely event)

      Ok, there's a difference between cutting a board with a handsaw and cutting something with a electric powered table saw. No matter how much training I have, a table saw will cut a board faster and straigher than a hand saw.

      Which is why education is so important, let's move away from syntax/coding and look at testing/evaluation.
      Ok, let's look at testing/evaluation. The truth is, must exploits happen because a hax0r finds a way to interact with a program that the programmer wasn't thinking about.

      How do you design a test that interacts with a program that the programmer wasn't thinking about? How do you design a test that interacts with a program where another program causes the error, such as the COM / ActiveX Exploit.

      Education is fine, but there is a time when it's not enough. You have to accept that there will be situations where people don't think. If you can design your tools to protect yourself around those, then your company will be better off.

      --
      ~~~
      Click here, you know you wanna!
    3. Re:is this just an excuse to write sloppy code by Kiryat+Malachi · · Score: 4, Insightful

      It's more than that, though. Mechanical and electrical engineers (usually) learn a concept called design for manufacturability, which encompasses things like designing such that when you try to fit tab A into slot B, it is physically impossible to fit them in the wrong way. For the non-engineer, good examples of this are keyed ATA-IDE connectors; the old ones weren't keyed, and you had to check the cable for the red wire and the board for the 1 pin, to make sure you had it in right. Now you just line the slot with the tab and its correct. That's DFM, and the idea is that you physically CANNOT fuck it up, making a 75 IQ and a 150 IQ functionally equivalent.

      Its all about the process, and very little about the worker, if you designed the process right. Similarly, if Hardened PHP can make it so that exploitable code simply can't run, you've cut down your probability of breach whether you have great programmers or George W. writing your code.

      --

      ---
      Mod me down, you fucking twits. Go ahead. I dare you.
      (I read with sigs off.)
  3. Laziness by kevmo · · Score: 5, Insightful

    From what I can see this project doesn't do much against protect lazy coders. The features listed are easily protected against by writing non-sloppy code.

    I'm not sure that this project is a good thing, as if someone gets used to it and switches to a server without it they might be in trouble.

    1. Re:Laziness by HeghmoH · · Score: 4, Insightful

      This is a common theme, the "Security problems only occur because of lazy/sloppy/stupid coders, and the solution is to become better coders" theme.

      The problem is that it's complete BS. Even the most wizardly coder will make mistakes. The only way to be secure is to have lots of code reviews, and then things still get through; look at holes in SSH or Apache. Tools like this certainly don't hurt, and they might just help. "Don't make mistakes" is not an option.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    2. Re:Laziness by Anonymous Coward · · Score: 1, Insightful

      Well, you see there's a problem with your view and I think most programmers would agree they'd rather have hardened software than "better code" once presented with the alternative. You see, but "better code" you mean the code itself must compensate for security flaws such as type checking, bounds checking, etc. This turns 5 lines of straight-forward code into 100 lines of checking. This then must be duplicated or made agreeable to other code. You see how this will quickly convolute even the simplest programs. The solution is simply to get rid of the problem that requires the "better code" workaround to begin with.

      While code that does all the heavy and light lifting on its own might seem fundamentally "better" than one that is "lazy" and relies on underlying mechanisms, I invite you to try and maintain 100,000 lines of "better" code that catches all gotchas and then try out a more manageable 20,000 lines of "lazy" code that is closer to the core algorithms and functionality.

  4. Re:Phew! by hattig · · Score: 4, Insightful

    I assume this like how they used canaries to test for gas in mines? If the canary died, then it was dangerous to be in that area.

    So from that, I assume that "canary protection" is actually running a kind of honeytrap for common PHP exploits, and if one is triggered ("dies") then it does some computery equivalent of ("lets get the fuck out of this mine").

    This is all speculation based upon the name though.

  5. Bad Coding = Security Holes by wellard1981 · · Score: 5, Insightful

    I don't think the PHP engine is to blame, it's more of an issue with the PHP script developers to make sure they plug all the holes -- sure that's not always possible, however take PHPNuke as an example of poor PHP scripting, SQL injects are possible though a number of the modules. You have to add a high number of 3rd party patches to make the thing secure.

    This Hardened PHP is just hand holding the developer into a false sence of security.

    1. Re:Bad Coding = Security Holes by digitallystoned · · Score: 1, Insightful

      How is this 'hardened PHP' going to be any more secure than just PHP? I mean, yes, I can see where it has a few extra checks and built-in features that just basically transfers a few security bugs in other apps to the compiler and out of the script, but will this cause new programmers to just omit problems of the past out of their scripts?? I'm not saying that this isnt a good idea, but I just can see scripters leaving some variable checks out of the script and still leaving it vulnerable under the new 'hPHP'... Just a thought..

  6. This is a Good Thing(R) by Anonymous Coward · · Score: 4, Insightful

    Well believe it or not, in a lot of cases, PHP code just cannot be trusted. There may be vulnerabilities outside of PHP that can allow an attacker to place their own scripts on the server. When for instance, the ftp access password is cracked, someone can do just about anything if php hasn't been secured. With extra security measures, your site might be lost, but the server won't be compromised any further than that. For instance, on my server, functions like system and popen are disabled.

    Besides, if everyone writed only really nice code, why would there be RSBAC and PaX?
    Trust is a weakness.

  7. A patch? by mabu · · Score: 4, Insightful

    After going over the site, Hardened PHP appears to be a patch to the existing PHP. Why don't the authors just petition the folks developing PHP to include these patches in an upcoming version?

    The problem I have with this project is that it's likely PHP-version dependent, and once you implement it, you have two different sources you have to synchronize code for (not unlike Apache+Mod_SSL). I'd rather not have twice as much work to incorporate these features if necessary.

  8. Re:Really Now.. by grazzy · · Score: 2, Insightful

    Well, whoever came up with the idea that include and require could take an URL as argument should be slapped ...

  9. Re:Dynamic Porn by Anonymous Coward · · Score: 2, Insightful

    Am I the only that disagrees with your technique?

    I understand that the galleries of pics have to be filtered from a single database for each site, but there is a better way to do this.

    Instead of writing dynamic pages, write an application that produces static pages based on the database. Whenever your content changes, re-run the applications to get fresh static pages.

    Dynamic pages are just way too much overhead for what you're trying to accomplish.

  10. Re:Already in use by Karamchand · · Score: 2, Insightful

    Unfortunately mmcache isn't developed anymore, isn't it? :-/

  11. Perspective by cnf · · Score: 5, Insightful

    I think it is funny how most /. readers demonstrate how they think from a user perspective, and not from an admin perspective.

    Now don't get me wrong, I understand, it's *hard* to think as an admin if you have never *been* one. But when you are an admin on a machine, you don't think "My users will just have to learn how to code secure, then there is no problem."
    Sorry folks, just ain't gonna happen!
    Joe home who wrote a site just to show off his holliday pictures thinks its swell how easy php is, and he doesn't really care about becoming fluent in php, as long as his little enviroment runs!

    Sure, you can try and educate your user, but if you maintain a 500+ user server, security is in YOUR hands. only ONE of your users need make an error, and the whole machine might go down. And the "poor coding is the only reason for security holes" just doesnt cut it there.

    Harden your servers, admins. Make the internet a fun place to be.

  12. Re:Already in use by onlyjoking · · Score: 5, Insightful
    Case in point. I started with Perl, learnt mod_perl then had to switch to PHP for most of my client work because most of them were using hosts which didn't provide mod_perl. This is the biggest drawback with Perl. Great language but brain-dead in the marketing department. Perl has lost ground in the web development sphere because it depends on mod_perl to compete with mod_php for performance. Perl templating engines (Mason, Apache Template, Embperl) allow you to do what PHP can do (and much more) but you're saddled with finding a host who will "risk" offering mod_perl. The authors of O'Reilly's "Practical mod_perl" even went so far as to advise explicitly against offering mod_perl in a shared hosting environment. Hence PHP replaces Perl in shared hosting environments.

    Mention this on comp.lang.perl.misc and you get flamed for referring to Perl as a web developmnent tool. Well, if the Perl community only sees Perl as a tool for large web projects then so be it but they're making a big mistake. There should be a decent Perl templating engine which can run as an Apache module without exposing the Apache API, so that it would just do the one job well. Until this happens PHP will simply wipe Perl off the map in shared hosting environments.

    Hopefully Perl 6//Parrot/Ponie will come up with something to break the inertia as bog-standard Perl CGI is irrelevant these days. Hell, many hosts don't even allow you free reign with installing CPAN modules.

  13. Re:Already in use by billysara · · Score: 2, Insightful

    Mine does too - yay for us :-)

    I use PHP all the time. I know perl/mod-perl too but it doesn't have the install-base that php does - especially selling to people on shared hosting packages..

    It's also kind of unusual to find cheapo shared hosting sites (on the adult side of things) who will let you run cron jobs or the like. Understandably :-)

  14. Re:Already in use by Lando · · Score: 2, Insightful

    Speaking as someone who is familiar with both mod-perl and php and still does primary work in php, perhaps I can enlighten you.

    The fact of the matter is that before mod-perl, getting perl to run as a scripting language required spawning perl processes for each request made to the server. This causes significant problems. PHP as a compiled in resource could be handled by the apache children themselves and did not suck up extra resources.

    Now, that's not the case with perl any longer, but with any system that you have significant ammounts of time and other investments in, it's kinda hard to drop current production and switch back to perl.

    Currently, since the new core for perl has been underway for a while and that will likely require a reworking of the code the decision has been made to hold off so that we don't have to rework the engine twice.

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  15. Re:There are many better alternatives to PHP by sbermunk · · Score: 2, Insightful

    I'm sorry, but I think you're nuts. Not to specifically knock the other choices you mention, but I think plenty of people feel that PHP has a far less annoying and convoluted syntax than say Perl or Lisp, which you seem to be advocating instead of PHP. And you say you have a "superficial familiarity" with PHP, yet knock PHP for a lack of Speed... Try it, you might be surprised (especially if you use a compilation cache like Turck MMCache). Why do you think every other random interpreted language is going to be way faster than PHP?
    The only point I won't argue strongly is the security aspect. I don't think PHP is as bad as everyone is claiming if it is set up properly, but it isn't perfect - in particular too many ease-of-use features have been added that can chuck any semblance of security right out the window...

  16. Probably a few reasons: by Phil+John · · Score: 2, Insightful

    1) Some of these patches may introduce subtle bugs into interactions with 3rd party libraries (that covers pretty much most of the major function()s in PHP)

    2) Some of these patches may introduce performance hits which would not be acceptable for some uses.

    3) If you are running a large hosting company these patches may subtly break scripts being used by customers, tech supportality ensues.

    4) Since this is a fairly new project, not even to a 1.0 release the pace of change may be so fast that it's more trouble than it's worth for the PHP and HPHP guys to keep making patch after patch as api's and such change. This way, the HPHP guys can toil away, making whatever internal changes they need to to achieve the securing of PHP.

    I'm not saying this isn't a good idea, just I don't think it's the right time for this to happen, when the codebase has settled down maybe, but with the imminent move to the Zend Engine 2 and PHP 5 they may have to start from scratch (don't quote me on that however, it could be trivial for all I know!).

    --
    I am NaN
  17. Re:Not quite by snillfisk · · Score: 2, Insightful

    While all aspiring PHP-programmers should take the time to read the paper mentioned to understand why and how -- and to guard themselves against doing the same mistakes that we've all grown accustomed to over the years, it should be mentioned that almost all these default attack vectors has been taken care of during the years.

    the default installation of PHP today makes people write a lot more robust code than it used to do. New applications has been able to move away from the 'ugly' things and a general understanding of what not to do has been developed by almost all active developers. If you've done serious PHP developement during the last years, you know how much further things has come.

    --
    mats
    One man's ceiling is another man's floor.
  18. Re:Really Now.. by Doppleganger · · Score: 2, Insightful

    That depends on whether the remote server is set up to execute the file.

    If the remote server is set up to simply send the file as text, then the *local* server will execute the text. As a PHP script. As the local user. And your remote attacker has the ability to run any commands on the server that a local script could run (usually, "wget a rootkit from this other server, unzip it, and execute it...")

  19. Re:Really Now.. by Monkeyman334 · · Score: 2, Insightful

    Believe it or not PHP-Nuke had that exact behaviour about a year ago. The problem wasn't including ordinary files. The problem is with PHP you can include http files. So just make a request action=http://myserver/phpscript.php that had system() calls and you basically had a non interactive shell that could upload and execute files as the httpd user. Which is much closer to an exploit than including a /etc/passwd (which doesn't work in PHP either btw, unless the httpd user has read permissions on that file).

  20. Re:Already in use by onlyjoking · · Score: 4, Insightful

    Regardless of Apache versions mod_perl is still a much bigger risk because it exposes the Apache API. By contrast mod_php exists, it seems, merely to give PHP its speed boost. This is what Perl needs.