marklye
asked on
Alternative to extract() in PHP
Hi All
Im after an alternative to PHPs extract() function for GET variables. I recently have had my site compromised, and I think it was due to me using the extract function. I think.
It needs to be 100% secure this time as cannot face the stress of another hack!
Thanks again
Mark
Im after an alternative to PHPs extract() function for GET variables. I recently have had my site compromised, and I think it was due to me using the extract function. I think.
It needs to be 100% secure this time as cannot face the stress of another hack!
Thanks again
Mark
mr_egyptian
The best alternative is to explicitly retrieve get values, and do checks on any that are potentially dangerous.
how exactly was is compromised? SQL Injection?
You can extract the get variables then escape them all, or at least escape the ones going into a query string
You can extract the get variables then escape them all, or at least escape the ones going into a query string
ASKER
I just assumed it was using that method that got me in to trouble - so I could be wrong. Waiting for security to nail it down to specific script though.
The problem was I found a new directory within my images directory, that had a ferw hundred html files which essentially linked to a spam website. They had put redirects in .htaccess in the images directory too
Do you know could they have done this by somewhere abusing the GET extract function?
After the extract function is called, I use the variables - if Im using them for mysql I always use mysql_real_escape_string. Is there other ways to protect variables?
Thanks guys
Mark
The problem was I found a new directory within my images directory, that had a ferw hundred html files which essentially linked to a spam website. They had put redirects in .htaccess in the images directory too
Do you know could they have done this by somewhere abusing the GET extract function?
After the extract function is called, I use the variables - if Im using them for mysql I always use mysql_real_escape_string. Is there other ways to protect variables?
Thanks guys
Mark
escape string should be ok for most uses for SQL.
do you generate directories based on the GET variables? and if done correctly .htaccess should be restricted to everyone. Meaning they cannot be accessed through the httpd.. which means people would have to go around to use ssh or something to ssh into the server, and then change the file. If so that is a serious server security flaw.
Other than that I don't see how someone could use GET to exploit your script, unless you are actually using the GET variables to manipulate files.
Also if the images link to a spam site, then it is likely that these files are generated by a robot? if so then it is probably exploiting a known flaw. Make sure your apache and php are patched to the latest
do you generate directories based on the GET variables? and if done correctly .htaccess should be restricted to everyone. Meaning they cannot be accessed through the httpd.. which means people would have to go around to use ssh or something to ssh into the server, and then change the file. If so that is a serious server security flaw.
Other than that I don't see how someone could use GET to exploit your script, unless you are actually using the GET variables to manipulate files.
Also if the images link to a spam site, then it is likely that these files are generated by a robot? if so then it is probably exploiting a known flaw. Make sure your apache and php are patched to the latest
ASKER
No, I dont generate any directories or files in any of the scripts.
The server is hosted by Host Gator, and I believe they have everything patched up to latest. And if there was a vunerability, Im sure I wouldnt be the only one experiencing this, and Host Gator say this is an isolated incident.
I read this:
http://forums.macrumors.com/archive/index.php/t-61406.html
Specifically what sonofslim says with potential problem with extract:
"you're going to automatically set all variables that show up in your GET statement. what if someone starts setting additional variables from the URL? see the manual page (above) for an example wherein someone sets the remote address header to 127.0.0.1 and the script thinks the request is coming from the local host -- that's exactly why you turned off register_globals in the first place"
That couldnt produce the effects Im seeing?
sakuya_su - How would I restrict access through the httpd? Its a shared server by the way
Thank you
Mark
The server is hosted by Host Gator, and I believe they have everything patched up to latest. And if there was a vunerability, Im sure I wouldnt be the only one experiencing this, and Host Gator say this is an isolated incident.
I read this:
http://forums.macrumors.com/archive/index.php/t-61406.html
Specifically what sonofslim says with potential problem with extract:
"you're going to automatically set all variables that show up in your GET statement. what if someone starts setting additional variables from the URL? see the manual page (above) for an example wherein someone sets the remote address header to 127.0.0.1 and the script thinks the request is coming from the local host -- that's exactly why you turned off register_globals in the first place"
That couldnt produce the effects Im seeing?
sakuya_su - How would I restrict access through the httpd? Its a shared server by the way
Thank you
Mark
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks sakuya_su. will chmod asap
So the get extract() function could compromise everything then? Oh dear :(
So frustrating...invested a lot of time and effort in to the site only for some script kiddie to mess it up
Points assigned sakuya_su
So the get extract() function could compromise everything then? Oh dear :(
So frustrating...invested a lot of time and effort in to the site only for some script kiddie to mess it up
Points assigned sakuya_su
ASKER
Thanks sakuya_su
the php man page indeed states that its possible for people to use extract() to overwrite system variables, So do use explicit variable names instead of extract on ALL $_POST and $_GET
Warning
Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.
http://nz2.php.net/extract
Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.
http://nz2.php.net/extract