Most web vulnerabilities are the result of bad coding habits or a lack of PHP security awareness among developers. The root cause of practically all of them lies in the fact that user input, which plays a critical role in the security of a web application, is trusted. This is the single point of failure behind the many different attacks we have seen over the years.

Part 1 in this series on PHP Security looked at SQL Injection. We learnt that the successful exploitation of an SQL injection vulnerability could result in a data breach exposing usernames, passwords, email addresses, credit card information and other sensitive data.

In Part 2 we will be taking a look at PHP security problems associated with Directory Traversal and Code Injection, as well as giving examples of insecure PHP code.

Directory Traversal

Directory Traversal refers to an attack in which an authenticated or unauthenticated user can request and view or execute files which reside outside the root directory of a web application, or outside the directory to which they should be restricted.

With a system vulnerable to directory traversal, an attacker can take advantage of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, or even worse, execute commands on the server which can lead to a full compromise of the system. It is not uncommon to chain multiple vulnerabilities such as directory traversal and code execution in an attempt to escalate privileges.
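The following is an added example, not code from the original article, showing the pattern behind the vulnerability beside a hardened version. It assumes a script that serves files from a dedicated directory (the constructed path /var/www/app/public_docs) based on a hypothetical "file" query parameter; the defence is to resolve the real path and refuse anything that does not remain inside that directory.

```php
<?php
// Added example (not from the original article). Assumes downloadable files live
// in a dedicated directory, here the constructed path /var/www/app/public_docs.

// Vulnerable: the filename from the query string is concatenated straight into a
// path. Any value that climbs out of $base (or names an absolute path) is served
// from wherever the web server process can read.
function serveFileVulnerable(string $base, string $userFile): void
{
    readfile($base . '/' . $userFile);
}

// Hardened: resolve the real path and require it to stay inside the base directory.
// Returns the canonical path, or null if the request must be refused.
function resolveInsideBase(string $base, string $userFile): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                      // base directory itself is missing
    }
    // Reject NUL bytes early; realpath() throws a ValueError on them in PHP 8.
    if (strpos($userFile, "\0") !== false) {
        return null;
    }
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $userFile);
    if ($candidate === false) {
        return null;                      // file does not exist
    }
    // The resolved path must start with "<base>/". Comparing against the prefix
    // with its trailing separator stops /var/www/app/public_docs_private matching.
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the allowed directory
    }
    return $candidate;
}

function serveFileHardened(string $base, string $userFile): void
{
    $path = resolveInsideBase($base, $userFile);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}

// Usage (constructed): the filename comes from the request.
$file = $_GET['file'] ?? '';
serveFileHardened('/var/www/app/public_docs', $file);
```

Because realpath() follows symbolic links, a link inside the public directory that points elsewhere on the file system is also refused, since its resolved path falls outside the prefix. Where the application only ever needs flat filenames, an even simpler rule is to accept nothing but the basename of the input, or to map request values to files through a fixed allowlist.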

Code Injection

Code Injection – In this vulnerability an attacker maliciously takes advantage of a script which contains functions that allow system/shell commands to be executed. If user input is passed unrestricted to these functions, then it is possible to inject code which will then be executed by the system. This essentially gives an attacker a low-privileged shell, which opens the door to many otherwise restricted actions, such as accessing private documents which may contain sensitive data. It can also be used to view the source code of the application, which could expose passwords or other sensitive information, as well as reveal other vulnerabilities. As if things couldn’t get any worse, under certain circumstances it might be possible for an attacker to perform privilege escalation and eventually gain root access, compromising the machine.
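The following is an added example, not code from the original article, contrasting a script that passes user input unrestricted to a shell function with a hardened version. It assumes a hypothetical network-check endpoint that takes a hostname in a "host" query parameter; the defence is strict input validation plus running the program without a shell at all (proc_open() with an array command, available since PHP 7.4), with escapeshellarg() as the fallback when a shell is unavoidable.

```php
<?php
// Added example (not from the original article). The endpoint runs a network
// check for a hostname supplied by the user; "host" is an assumed parameter name.

// Vulnerable: user input is concatenated into a shell command line, so shell
// metacharacters in the "host" parameter are interpreted by /bin/sh.
function pingVulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// Hardened, step 1: validate the input against the narrowest grammar that fits
// (here a hostname) and reject everything else before it reaches any command.
function isValidHostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // Labels of letters, digits and hyphens separated by dots; no label may start
    // or end with a hyphen, which also rules out values that look like options.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Hardened, step 2: do not go through a shell. proc_open() with an array command
// executes the program directly with the given argv, so nothing is shell-parsed.
// "--" ends option parsing, as a second line of defence against option injection.
function pingHardened(string $host): string
{
    if (!isValidHostname($host)) {
        throw new InvalidArgumentException('Invalid hostname');
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/bin/ping', '-c', '1', '--', $host], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return (string) $out;
}

// If a shell really is required (for example to use a pipeline), validate first
// and then quote every user-derived argument with escapeshellarg().
function pingViaShellEscaped(string $host): string
{
    if (!isValidHostname($host)) {
        throw new InvalidArgumentException('Invalid hostname');
    }
    return (string) shell_exec('ping -c 1 -- ' . escapeshellarg($host));
}

// Usage (constructed): the hostname comes from the request.
$host = $_GET['host'] ?? '';
header('Content-Type: text/plain');
echo pingHardened($host);
```

The order matters: validation shrinks the input to what the feature actually needs, and avoiding the shell removes the interpreter that would otherwise act on anything the validation missed. Escaping alone is the weakest of the three, which is why it is kept as the last resort rather than the primary control.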

We have established that both attacks can be very dangerous. By following some simple steps however, the risk of being exposed to either can be greatly reduced.

Read Part 2: PHP Security Mini Guide – Directory Traversal & Code Injection

Agathoklis Prodromou
Web Systems Administrator/Developer
Akis has worked in the IT sphere for more than 13 years, developing his skills from a defensive perspective as a System Administrator and Web Developer but also from an offensive perspective as a penetration tester. He holds various professional certifications related to ethical hacking, digital forensics and incident response.