View
223
Download
0
Category
Preview:
Citation preview
AboutIntroduction
Johannes Dahse
● Master IT Security at RUB, Germany (2006 - 2012)
● Capture The Flag (CTF) Contests
● Security Consultant
● Developer of RIPS open source security scanner (2009 - 2011)
● PhD in „Static Code Analysis“ at RUB (2013 - 2016)
● CEO & Co-Founder RIPS Technologies GmbH
Why care about PHP security?Introduction
$3.8Maverage data breach costs
#1 Choiceof cyber criminals
90%use open source libraries
22 Attacks/Dayon an average website
The Security State ofIntroduction
Top 5 PHP Applications
Top 50 PHP Applications
PHP Application Extensions
Top 6 PHP Frameworks
Top 5 PHP ApplicationsThe Security State of the
60%
7%
5%2%
1%
25%
CMS Market Share
WordPress
Joomla!
Drupal
Magento
Typo3
Other
Source: w3techs.com
Security FeaturesTop 5 PHP Applications
Application(latest version)
PreparedStatements
TemplateEngine
CSRF Protection
Password Hashing
Security Team
Auto Update*
Bug BountyProgram
WordPress vsprintf() none yes phpass yes yes yes
Joomla! MySQLi custom yes bcrypt yes no no
Drupal PDO Twig yes salted sha-512 yes no 2015
Magento PDO custom yes salted sha-256 yes no yes
Typo3 Doctrine Fluid yes pbkdf2 yes yes no
*Pro/Con Discussion: https://www.drupal.org/node/2367319
VulnerabilitiesTop 5 PHP Applications
0
5
10
15
20
25
30
35
40
45
2010 2011 2012 2013 2014 2015 2016 2017
Number of Vulnerabilities per Year
WordPress
Joomla!
Drupal
Magento
Typo3
Source: cvedetails.com
VulnerabilitiesTop 5 PHP Applications
0
1
2
3
4
5
6
7
8
2010 2011 2012 2013 2014 2015 2016 2017
Number of Critical Vulnerabilities per Year (CVSS Score > 7)
WordPress
Joomla!
Drupal
Magento
Typo3
Source: cvedetails.com
Vulnerability Example #1Top 5 PHP Applications
CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2
https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
● MySQL‘s utf8 charset only supports 3-byte characters
● Strings with 4-byte characters will be truncated when inserted into utf8 columns
● Solution: Use MySQL strict mode or latin1 charset
Insert: test𝌆123
Result: test
Vulnerability Example #1Top 5 PHP Applications
CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2
https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
Vulnerability Example #1Top 5 PHP Applications
CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2
https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
<div class="comment" id="comment-1">
<div class="comment-content">
<a title='test𝌆123'>click</a>
</div>
</div>
Vulnerability Example #1Top 5 PHP Applications
CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2
https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
<div class="comment" id="comment-1">
<div class="comment-content">
<a title='test
</div>
</div>
Vulnerability Example #1Top 5 PHP Applications
CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2
https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/
<div class="comment" id="comment-1">
<div class="comment-content">
<a title='test
</div>
</div>
<div class="comment" id="comment-2">
<div class="comment-content">
hack' onmouseover='alert(1)' style='width:100%;height:100%;…'
</div>
</div>
Vulnerability Example #2Top 5 PHP Applications
CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5
https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
Vulnerability Example #2Top 5 PHP Applications
CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5
https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
class LoginController extends JControllerLegacy
{
public function login() {
⋮$app = JFactory::getApplication();
⋮$model = $this->getModel('login');
$credentials = $model->getState('credentials');
⋮$app->login($credentials, array('action' => 'core.login.admin'));
}
Vulnerability Example #2Top 5 PHP Applications
CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5
https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
class JApplicationCms extends JApplicationWeb {
public function login($credentials, $options = array()) {
⋮$authenticate->authenticate($credentials, $options);
}
}
class JAuthentication extends Jobject {
public function authenticate($credentials, $options = array()) {
⋮$plugin->onUserAuthenticate($credentials, $options, $response);
}
Vulnerability Example #2Top 5 PHP Applications
CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5
https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
class PlgAuthenticationLdap extends JPlugin
{
public function onUserAuthenticate($credentials, $options, &$response){
⋮$userdetails = $ldap->simple_search(
str_replace(
'[search]',
$credentials['username'],
$this->params->get('search_string') // uid=[search]
)
);
}
XXX;(&(uid=Admin)(userPassword=A*))
XXX;(&(uid=Admin)(userPassword=B*))
XXX;(&(uid=Admin)(userPassword=C*))
...
XXX;(&(uid=Admin)(userPassword=s*))
...
XXX;(&(uid=Admin)(userPassword=se*))
...
XXX;(&(uid=Admin)(userPassword=sec*))
...
XXX;(&(uid=Admin)(userPassword=secretPassword))
Vulnerability Example #2Top 5 PHP Applications
CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5
https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/
ConclusionTop 5 PHP Applications
● Good security features by default
● Great security teams
● Bug bounty programs
● But very attractive targets
● Average 14 security issues reported per year
● Average 1-2 critical issues reported per year
● As secure/insecure as any other popular softwarehttps://codex.wordpress.org/Hardening_WordPresshttps://docs.joomla.org/Security_Checklist/enhttps://www.drupal.org/docs/8/securityhttps://magento.com/security/best-practiceshttps://docs.typo3.org/typo3cms/SecurityGuide/
Top 50 PHP ApplicationsThe Security State of the
● PHP Applications within the list of popular CMS (w3techs.com)
● E.g. PrestaShop, phpBB, SugarCRM
● Popular PHP Applications with a similar high google trend
● E.g. phpMyAdmin, Piwik, Roundcube
● 50 Applications, 13.2 MLOC total (300 KLOC average)
● Automated code analysis
Security StateTop 50 PHP Applications
56%
44%
Security Contact Available
Yes No
58%
42%
Critical Detected by RIPS
Yes No
39%
28%
33%
Time To Fix (if)
2 weeks 6 weeks 3 month
Attack VectorsTop 50 PHP Applications
SQL Injection
PHP Object Injection
Cross-Site Scripting
Command Execution
File Upload
Path Traversal
Code Execution
File Inclusion
Critical Examples
Software Attack Vector detected by RIPS
Roundcube Command Execution via Email
FreePBX Command Execution via Cross-Site Scripting
Coppermine Command Execution via SQL Injection
osClass Command Execution via Local File Inclusion
Expression Engine Command Execution via PHP Object Injection
KLIQQI CMS Command Execution via Cross-Site Request Forgery
Redaxo CMS Command Execution via Cross-Site Request Forgery
Precurio Command Execution via Path Traversal
Serendipity Command Execution via Logical Flaw
Top 50 PHP Applications
https://demo.ripstech.com
Vulnerability Example #1Top 50 PHP Applications
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2
Vulnerability Example #1Top 50 PHP Applications
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST);
$RCMAIL->deliver_message($MAIL, $from, $mailto, $error);
public function deliver_message(&$message, $from, $mailto, &$error) {
⋮if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
$sent = mail($to, $subject, $msg_body, $header_str);
else
$sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
Vulnerability Example #1Top 50 PHP Applications
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST);
$RCMAIL->deliver_message($MAIL, $from, $mailto, $error);
public function deliver_message(&$message, $from, $mailto, &$error) {
⋮if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
$sent = mail($to, $subject, $msg_body, $header_str);
else
$sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
Vulnerability Example #1Top 50 PHP Applications
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2
rperaglie@ripstech.com -OQueueDirectory=/tmp -X/var/www/html/rce.php
04731 <<< To: contact@ripstech.com
04731 <<< Subject: <?php phpinfo(); ?>
04731 <<< X-PHP-Originating-Script: 1000:rcube.php
04731 <<< MIME-Version: 1.0
04731 <<< Content-Type: text/plain; charset=US-ASCII;
04731 <<< Content-Transfer-Encoding: 7bit
04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100
04731 <<< From: rperaglie@ripstech.com -OQueueDirectory=/tmp
04731 <<< -X/var/www/html/rce.php
…
Vulnerability DisclosureTop 50 PHP Applications
Software Affected Version CVE Patch Date
Roundcube <= 1.2.2 CVE-2016-9920 2016-11-28
MediaWiki < 1.29 2016-12-10
Zend Framework < 2.4.11 CVE-2016-10034 2016-12-20
PHPMailer <= 5.2.18 CVE-2016-10033 2016-12-28
SwiftMailer <= 5.4.5-DEV CVE-2016-10074 2016-12-29
SquirrelMail <= 1.4.23 CVE-2017-7692
I was reading https://blog.ripstech.com/2016/roundcube-command-
execution-via-email/. We don't do escaping of the fifth argument to
mail() either.https://phabricator.wikimedia.org/T152717
Vulnerability Example #2Top 50 PHP Applications
switch ($this->action) {
case 'error_plugin':
…
include( osc_plugins_path() . Params::getParam('plugin') );
Plugins::install(Params::getParam('plugin'));
Local File Inclusion in osClass 1.2.2
https://blog.ripstech.com/2016/osclass-remote-code-execution-via-image-file/
Vulnerability Example #2Top 50 PHP Applications
switch ($this->action) {
case 'error_plugin':
…
include( osc_plugins_path() . Params::getParam('plugin') );
Plugins::install(Params::getParam('plugin'));
$original = pathinfo($uploader->getOriginalName());
…
$filename = uniqid("qqfile") . "." . $original['extension'];
$result = $uploader->handleUpload('uploads/temp/' . $filename);
$img = ImageResizer::fromFile('uploads/temp/' . $filename)->autoRotate();
Local File Inclusion in osClass 1.2.2
https://blog.ripstech.com/2016/osclass-remote-code-execution-via-image-file/
Vulnerability Example #2Top 50 PHP Applications
shell.jpg
include('plugins/../uploads/temp/shell.jpg');
Vulnerability Example #2Top 50 PHP Applications
switch ($this->action) {
case 'error_plugin':
…
include( osc_plugins_path() . Params::getParam('plugin') );
Plugins::install(Params::getParam('plugin'));
Local File Inclusion in osClass 1.2.2
https://blog.ripstech.com/2016/osclass-remote-code-execution-via-image-file/
Security IndicatorsTop 50 PHP Applications
40%
24%
16%
16%
Template Engine
None Smarty
Custom Twig
Other
15%
20%
Password Hash
bcrypt pbkdf2
php-crypt phpass
salted hash md5/sha
86%
14%
CSRF Protection
Yes No
59%
41%
Prepared Statements
Yes No
65%
ConclusionTop 50 PHP Applications
● Many security issues, although reviewed by the community
● 58% fail the OWASP Top 10
● 66% fail security best practices
● Use at own risk
● Less popular PHP applications than the Top 50 are considered worse
● RIPS Advent of PHP Application Vulnerabilities (APAV)
https://blog.ripstech.com/2016/apav-advent-of-php-application-vulnerabilities/
PHP Application ExtensionsThe Security State of
0
5000
10000
15000
20000
25000
30000
35000
40000
45000
50000
Number of Extensions
WordPress Joomla! Drupal Magento Typo3
Analysis ApproachWordPress Plugins
● Downloaded 41K plugins from the WordPress plugin directory with active installs
● More plugins exist but were not included into analysis (e.g. commercial)
● Analysis with RIPS
● magic_quotes_gpc enabled
● WordPress-specific configuration enabled
● No need for WordPress core analysis
https://api.wordpress.org/plugins/info/1.1/?action=query_plugins
By Size and DetectionWordPress Plugins
0
50
100
150 LOC of Top 250 plugins
1-100 101-500 501-1K 1K-5K >5K0
5000
10000
15000
20000 LOC of 41K plugins
1-100 101-500 501-1K 1K-5K >5K
By Size and DetectionWordPress Plugins
0
50
100
150 LOC of Top 250 plugins
1-100 101-500 501-1K 1K-5K >5K0
5000
10000
15000
20000 LOC of 41K plugins
1-100 101-500 501-1K 1K-5K >5K
47%
53%
Vulnerabilitydetected
Nothingdetected
32%
68%
Vulnerabilitydetected
Nothingdetected
By Size and DetectionWordPress Plugins
0
50
100
150 LOC of Top 250 plugins
1-100 101-500 501-1K 1K-5K >5K0
5000
10000
15000
20000 LOC of 41K plugins
1-100 101-500 501-1K 1K-5K >5K
45%
55%
Vulnerabilitydetected
Nothingdetected
53%
47%Vulnerabilitydetected
Nothingdetected
By Vulnerability TypeWordPress Plugins
52%
10%
3%
2%2%
1%
1%
29%
All 41K Plugins Cross-Site Scripting
SQL Injection
Resource Injection
File Create
Path Traversal
File Delete
PHP Object Injection
Other
ConclusionWordPress Plugins
● Assumption from statistics:
● Every second WP plugin has a security issue
● 18% of all WP plugins are prone to XSS
● 5% of all WP plugins are prone to SQLi
● Use actively maintained and popular plugins
● Keep your plugins up to date
Popular PHP FrameworksThe Security State of
● Laravel
● Symfony
● CodeIgniter
● CakePHP
● Yii
● Zend Framework
Source: trends.google.com
Security FeaturesPopular PHP Frameworks
Framework AnalyzedVersion
Template Engine
Database Abstraction
CSRF Protection
Password Hash
Security Contact
Laravel 5.5.0 Blade Eloquent ORM yes bcrypt yes
Symfony 3.3.10 PHP, Twig, … Doctrine ORM yes bcrypt yes
CodeIgniter 3.1.6 custom Query Builder yes bcrypt yes
CakePHP 3.5.3 PHP Cake ORM yes bcrypt no
Yii 2.0.12 PHP Query Builder Yes bcrypt yes
Zend Framework 3.0.1 PHP Query Builder Yes bcrypt yes
Security VulnerabilitiesPopular PHP Frameworks
0
1
2
3
4
5
6
7
2010 2011 2012 2013 2014 2015 2016 2017
Number of Vulnerabilities per YearLaravel
Symfony
CodeIgniter
CakePHP
Yii
Zend
Pitfall Example #1Popular PHP Frameworks
Doctrine Query Builder
$qb = $em->createQueryBuilder();
$qb->select('u')->from('User', 'u')->where("u.id = $id");
Pitfall Example #1Popular PHP Frameworks
Doctrine Query Builder
$qb = $em->createQueryBuilder();
$qb->select('u')->from('User', 'u')->where("u.id = $id");
Pitfall Example #1Popular PHP Frameworks
Doctrine Query Builder
$qb = $em->createQueryBuilder();
$qb->select('u')->from('User', 'u')->where("u.id = $id");
/** @var \Doctrine\DBAL\Connection $con */
$connection = $doctrine->getConnection();
$connection->update('users', array('name'=>$_GET['name']), array('id'=>1));
Pitfall Example #1Popular PHP Frameworks
Doctrine Query Builder
$qb = $em->createQueryBuilder();
$qb->select('u')->from('User', 'u')->where("u.id = $id");
/** @var \Doctrine\DBAL\Connection $con */
$connection = $doctrine->getConnection();
$connection->update('users', array('name'=>$_GET['name']), array('id'=>1));
$connection = $doctrine->getConnection();
$connection->update('users', array($_GET['name']=>'rips'), array('id'=>1));
$connection->update('users', $_POST, array('id'=>1));
Pitfall Example #2Popular PHP Frameworks
Html::secureLink($_GET['url']);
https://laravel.com/api/5.5/Illuminate/Html/HtmlBuilder.html
Pitfall Example #2Popular PHP Frameworks
Html::secureLink($_GET['url']);
https://laravel.com/api/5.5/Illuminate/Html/HtmlBuilder.html
class HtmlBuilder
{
public function secureLink($url, $title=null) {
return $this->link($url, $title, true);
}
public function link($url, $title=null, $secure=null) {
$url = $this->url->to($url, array(), $secure);
return '<a href="'.$url.'">'.$this->entities($title).'</a>‘;
}
}
Pitfall Example #2Popular PHP Frameworks
Html::secureLink( mailto:"><script>alert(1)</script> );
https://laravel.com/api/5.5/Illuminate/Html/HtmlBuilder.html<a href="mailto:"><script>alert(1)</script>
class HtmlBuilder
{
public function secureLink($url, $title=null) {
return $this->link($url, $title, true);
}
public function link($url, $title=null, $secure=null) {
$url = $this->url->to($url, array(), $secure);
return '<a href="'.$url.'">'.$this->entities($title).'</a>‘;
}
}
ConclusionPopular PHP Frameworks
● Separation of concerns
● Enforce security best practices
● Help to build secure applications from the ground up
● Use them
● But be careful how you use them
PHP Application SecurityWhat can I do for my
● The more third-party code you deploy, the greater the attack surface
● Remove unnecessary libraries
● Avoid/Protect unpopular open source applications
● Keep all dependencies up-to-date (composer)
● Train developers for security best practices
● Join our Advent Calendar 2017: blog.ripstech.com
● Integrate automated code analysis into your SDLC
Recommended