Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Do you know of a guide on how to idiot proof php for use on the public web?
6 views
Skip to first unread message
re...@mynetblog.com
Mar 1, 2017, 1:17:56 PM3/1/17
to
Do you know of a guide on how to idiot proof php for use on the public web?
I have great concerns about people XSS'ing my site or other serious stuff. My problem is that I assume everything is going to get attacked and am afraid to put any php where people can access it.
A very long time ago I had this CGI page to allow people to enter a URL they wanted to see and when they submitted the form it would display the link on a result page. I know this is very bad to do this type of thing now because of XSS vulnerabilities. However, I don't know about all the other hacks people use to exploit php.
I just recently found out about the proxy variable where people set a "proxy" variable in their request header that when sent to a CGI script turns into http_proxy environment variable. So, I blocked that. (I think.)
Attackers are actively scanning my site for vulnerabilities so I am fearful of putting anything on my site that they can attack because I know they will exploit any hole they find.
I only know how to write simple and short php scripts and some very basic SQL queries.
I have great concerns about people XSS'ing my site or other serious stuff. My problem is that I assume everything is going to get attacked and am afraid to put any php where people can access it.
A very long time ago I had this CGI page to allow people to enter a URL they wanted to see and when they submitted the form it would display the link on a result page. I know this is very bad to do this type of thing now because of XSS vulnerabilities. However, I don't know about all the other hacks people use to exploit php.
I just recently found out about the proxy variable where people set a "proxy" variable in their request header that when sent to a CGI script turns into http_proxy environment variable. So, I blocked that. (I think.)
Attackers are actively scanning my site for vulnerabilities so I am fearful of putting anything on my site that they can attack because I know they will exploit any hole they find.
I only know how to write simple and short php scripts and some very basic SQL queries.
J.O. Aho
Mar 1, 2017, 3:21:26 PM3/1/17
to
On 03/01/17 19:17, re...@mynetblog.com wrote:
> Do you know of a guide on how to idiot proof php for use on the public web?
>
> I have great concerns about people XSS'ing my site or other serious stuff.
> My problem is that I assume everything is going to get attacked and am afraid
> to put any php where people can access it.
The best source is owasp.org you, there is a page with more php specific
> Do you know of a guide on how to idiot proof php for use on the public web?
>
> I have great concerns about people XSS'ing my site or other serious stuff.
> My problem is that I assume everything is going to get attacked and am afraid
> to put any php where people can access it.
stuff (not completed): https://www.owasp.org/index.php/Category:PHP
Here is another site looking at the owasp top 10 and giving you some php
related information: http://www.sklar.com/page/article/owasp-top-ten
> I just recently found out about the proxy variable where people set a "proxy"
> variable in their request header that when sent to a CGI script turns into http_proxy
> environment variable. So, I blocked that. (I think.)
the server configuration, if you are administrator of the server.
> Attackers are actively scanning my site for vulnerabilities so I am fearful of putting
> anything on my site that they can attack because I know they will exploit any hole they find.
are expecting a numeric value be posted, then use
if(is_numeric($_POST['postedvaraible'])) {
//only now assign this value to a variable
$variableiwilluselaterinmycode = $_POST['postedvaraible'];
}
Look at the page at sklar.com for some good advices, don't forget to
read the documentation at php.net and there are many good comments to
read too on those pages.
--
//Aho
mynetblog.com
Mar 7, 2017, 3:37:24 AM3/7/17
to
On Wednesday, March 1, 2017 at 1:21:26 PM UTC-7, J.O. Aho wrote:
Thanks for the reply.
Since I wrote that, I managed to find these resources but they are not specific to PHP, but still good to review.
Common Exploits and How to Prevent Them
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=473603
2011 CWE/SANS Top 25 Most Dangerous Software Errors
https://cwe.mitre.org/top25/
Secure Coding section from CERT
https://www.cert.org/secure-coding/index.cfm
Since I wrote that, I managed to find these resources but they are not specific to PHP, but still good to review.
Common Exploits and How to Prevent Them
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=473603
2011 CWE/SANS Top 25 Most Dangerous Software Errors
https://cwe.mitre.org/top25/
Secure Coding section from CERT
https://www.cert.org/secure-coding/index.cfm
0 new messages