Category Archives: Security Misc.

Misc. security collection

SQL Injection: How To Prevent Security Flaws In PHP / MySQL

\r\n
\r\n
\r\n
\r\n
\r\n
What is SQL Injection\r\nMost new web developers have heard of SQL injection attacks, but not very many know that it is fairly easy to prevent an attacker from gaining access to your data by filtering out the vulnerabilities using MySQL extensions found in PHP. An SQL injection attack occurs when a hacker or cracker (a malicious hacker) attempts to dump the data in a database table in a database-driven web site. In an unprotected and vulnerable site, this is pretty easy to do.\r\n\r\nSQL injection is a common vulnerability that is the result of lax input validation. Unlike cross-site scripting vulnerabilities that are ultimately directed at your site’s visitors, SQL injection is an attack on the site itself, in particular its database.\r\nThe goal of SQL injection is to insert arbitrary data, most often a database query, into a string that’s eventually executed by the database. The insidious query may attempt any number of actions, from retrieving alternate data, to modifying or removing information from the database.\r\n\r\nHow does SQL injection attack works\r\nIn order for an SQL injection attack to work, the site must use an unprotected SQL query that utilizes data submitted by a user to lookup something in a database table. The data could be from a search box, a login form or any type of query used to look up data using data input by user. It also means that querystring data used to query a database can create vulnerabilities.\r\nFor example:\r\n\r\nAn very simple unprotected query might look like this:\r\n\r\n

\r\n

\r\n

\r\n
SELECT * FROM items WHERE itemID = '$itemID'

\r\n

\r\n

Normally, you would expect a user to submit a username and password, which would be used to query the database table to see if the username and password exists. But what if someone used the following instead of a password?

\r\n

‘ OR ‘1′ = ‘1

\r\n

\r\n

\r\n

That would make the query used to look for the password look like this:

\r\n

\r\n
\r\n
SELECT * FROM items WHERE itemID = '' OR '1' = '1'

\r\n

\r\n

\r\n

\r\n

This would always return a True response and could literally display the entire table as the result for the query. This is a pretty scary thought if you are trying to keep your data secure. The problem with SQL injection is that a hacker does not have to know anything about your database or table structure.\r\n\r\nWhat if an error or some other issue caused your table structure to be exposed? Hackers are very good at forcing errors to occur that expose information that allows them to penetrate a site deeper. What if the following was entered in the password field?\r\n\r\n

\r\n

‘; drop table users;

\r\n

\r\n

How to prevent your database from SQL Injection attacks\r\nThere is a method for filtering the data that is used on the right side of the WHERE clause to look up a row in a database. The trick is to escape any characters that may be in the user input portion of the query that could lead to a successful attack.\r\n\r\nUse the following function to add backslashes to suspect characters and filter any data that is input by a user.\r\n\r\n

\r\n

function cleanQuery($string)\r\n{\r\n if(get_magic_quotes_gpc()) // prevents duplicate backslashes\r\n {\r\n  $string = stripslashes($string);\r\n }\r\n  if (phpversion() >= '4.3.0')\r\n  {\r\n   $string = mysql_real_escape_string($string);\r\n  }\r\nelse\r\n{\r\n $string = mysql_escape_string($string);\r\n}\r\nreturn $string;\r\n}\r\n\r\n// if you are using form data, use the function like this:\r\nif (isset($_POST['itemID'])) $itemID = cleanQuery($_POST['itemID']);\r\n\r\n// you can also filter the data as part of your query:\r\nSELECT * FROM items WHERE itemID = '". cleanQuery($itemID)."' "

\r\n

The first part looks to see if magic quotes is turned on. if so, it may have already added backslash escapes though a POST or GET method used to pass the data. If backslashes were added, they need to be removed prior to running it through the rest of the function.\r\n\r\nThe next part checks the PHP version. The built-in function that we want to use is called mysql_real_escape_string. This MySQL function only exists in PHP version 4.3.0 or newer. If you are using an older version of PHP, another MySQL function is used called mysql_escape_string.\r\n\r\nmysql_escape_string is not as effective as the newer mysql_real_escape_string. The newer version escapes the string according to the current character set. The character set is ignored by mysql_escape_string, which can leave some vulnerabilities ope for sophisticated hackers. If you find that you are using an older version of PHP and you are trying to protect sensitive data, you really should upgrade to a current version of either PHP 4 or PHP 5.\r\n\r\nSo what does mysql_real_escape_string do?\r\n\r\nThis PHP library function prepends backslashes to the following characters: \n, \r, \, \x00, \x1a, ‘ and “. The important part is that the single and double quotes are escaped, because these are the characters most likely to open up vulnerabilities.\r\n\r\nFor those who do not know what an escape is, it is a character that is pre-pended to another character. When a character is escaped, it is ignored by the database. In other words, it makes that character ineffective in a query. In the case of PHP, an escaped character is treated differently by the PHP parser. The standard escape character used by PHP and MySQL is the backslash.\r\n\r\nIn the case of the SQL query example used above, after running it through the routine, it now looks like this, which breaks the query :\r\n\r\n

\r\n

\r\n
SELECT * FROM items WHERE itemID = '\' OR \'1\' = \'1'

\r\n

\r\nThis method should stop the bulk of the SQL injection attacks, but crackers and hackers are very creative and are always finding new methods to break into systems. There are additional steps that can be taken to filter out certain words, such as drop, grant, union, etc., but using this method will strip these words from searches performed by you users. However, if you want to add another level of security and do not have an issue with certain words being deleted from queries, you can add the following just before if (phpversion() >= ‘4.3.0′).\r\n

$badWords = array("/delete/i", "/update/i","/union/i","/insert/i","/drop/i","/http/i","/--/i");\r\n$string = preg_replace($badWords, "", $string);

\r\nThis additional step should prevent a malicious attacker from damaging a database if they found a way to slip through. Just remember that is you take this additional step and you have a site where someone might search for a “plumbing union” or a “drop cloth”, those queries would not work as intended. If you are wondering what the trailing ‘i’ is following each word in the array, it is required to make the preg_replace replacements case insensitive. This wasn’t needed with eregi_replace, but that function has been deprecated in PHP 5.3.\r\n\r\nAnother important step that needs to be taken with any database is controlling user privileges. When setting up a MySQL user, you should never assign any more privileges than they actually need to accomplish the tasks that you allow on your site. Privileges are easily assigned and managed thought phpMyAdmin, which is found in the the control panel (cPanel, Plesk, etc.) for most hosting companies.\r\n\r\nUseful Links\r\n

http://en.wikipedia.org/wiki/SQL_injection\r\nhttp://www.learnphponline.com/securi…tion-mysql-php\r\nhttp://dev.mysql.com/tech-resources/…curity-ch3.pdf\r\nhttp://www.tizag.com/mysqlTutorial/m…-injection.php

Antivirus and anti-malware protection

\r\n
There are many different antivirus and anti-malware protection programs available, ranging in price from free, to several hundred dollars, depending upon their sophistication and scope of use. It is critically important that anyone that connects to the internet has adequate protection against possible infections by viruses, trojans, worms, and various malware that circulate so prolifically these days.\r\n\r\nThere is an adage that says, “If a little bit is good, then a lot is better”. However, in the case of virus protection, this is normally not true (in fact, in my experience, NEVER). Although it may be permissible to run more than one anti-malware protection program at a time, one should have only one antivirus program operating at any given time. There are reasons for this.\r\n\r\nTwo different AV programs will often conflict, seeing each other as a virus, because of the nature of their operation. Thus, when one program succeeds in stifling the activities of the other, a window of opportunity for an actual virus may be created. More often, each will manage to limit the effectiveness of the other, thus creating a weakness that can be exploited. “Loops” can be created, wherein two AV programs will endlessly fight each other for control of a given function, leaving that function effectively unprotected. More is NOT better!\r\n\r\nOne should select their protection carefully, giving thought to the particular sorts of risks they make themselves vulnerable to by their surfing style. As a member of many web professional forums, I prefer to make my selection, after hearing the recommendations of others. I also have found that for my purposes, there is no need to purchase such a program.\r\n\r\nThere are a number of very effective AV programs, written and maintained by reputable organizations, that can be downloaded and installed at no charge. I presently use Avast, which I feel to be on a par with Avira, in terms of effectiveness in the AV realm. Both also offer enhanced versions for purchase, and have products that specialize in other levels of protection. Kaspersky is another system that has an excellent track record for protection.\r\n\r\nMost such products offer a free evaluation period, up to a month, to see if their program does the job you want. I usually warn people away from such evaluation periods, however, simply because some such programs are difficult to remove completely (Symantec’s Norton is one that’s notoriously difficult to get rid of) from your system.\r\n\r\nThere are a few things that should be remembered, when searching for the best AV program for your system:\r\n
    \r\n
  • NO AV program is perfect! Some are better than others, but new exploits are released almost daily, and your protection is only as good as its relevancy. If it updates virus definitions weekly, then you may be vulnerable to new viruses for several days between updates.
  • \r\n

  • The sort of experts that are capable of developing protection against viruses have their doppelgangers on the other side of the coin… those that develop the viruses to begin with. Both are good at what they do, and at any given moment, one will be a step ahead of the other.
  • \r\n

  • Realtime scanning is an important feature to seek in your AV protection. Scanning emails and downloads is important, but viruses and malware can be activated by the simple act of clicking on a text link, an image or opening an attachment. Just entering a page can enable an infection, without sufficient protection.
  • \r\n

  • The best AV protection available cannot do the job alone. YOU have to take an active part in protecting your system. If you frequent poor reputation sites, hang out in “bad neighborhoods”, the infection of your computer is made much more probable, regardless of the AV protection you run.
  • \r\n

\r\nAV protection is only one aspect of protection. A reliable firewall and adequate anti-spyware protection are other important protections that should be considered. I suggest you investigate what security bloggers and forum members have to say about the AV protection they have used or are using. A satisfied customer is always a good reference. Seofast

\r\n

ASP.Net Vulnerability Patch released: Microsoft Security Bulletin MS10-070

Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)

\r\n

\r\n\r\nMicrosoft released ASP.net Vulnerability path through Download centre, for details please click here.\r\n
\r\n\r\nThis security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.\r\n\r\nThis security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection,Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nThis security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.\r\n\r\nRecommendation. Microsoft recommends that customers apply the update at the earliest opportunity.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 2418042 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.\r\n\r\nThe patch is available through Microsoft download centre\r\n\r\n

\r\n

ASP.NET Security Vulnerability Workaround

Update on ASP.NET Vulnerability

\r\n Earlier this week We posted about an ASP.NET Vulnerability.\r\nMicrosoft is actively working on releasing a security update that fix the issues ready for broad distribution across all Windows platforms via Windows Update. We’ll post details about this once it is available.\r\n \r\n\r\nRevised Workaround and Additional URLScan Step\r\nIn our first community post we covered a workaround you can apply immediately on your sites and applications to prevent attackers from exploiting it. Today, we are revising it to include an additional defensive measure.\r\nThis additional step can be done at a server-wide level, and should take less than 5 minutes to implement. Importantly, this step does not replace the other steps in the original workaround, rather it should be done in addition to the steps already in it. Below are instructions on how to enable it.\r\n \r\n\r\nInstall and Enable IIS URLScan with a Custom Rule\r\n\r\nIf you do not already have the IIS URLScan module installed on your IIS web server, please download and install it:\r\n\r\n \r\n

\r\nIt takes less than a minute to install on your server.\r\n \r\n\r\nAdd an Addition URL Scan Rule\r\nOnce URLScan is installed, please open and modify the UrlScan.ini file in this location:\r\n

%windir%\system32\inetsrv\urlscan\UrlScan.ini

\r\nNear the bottom of the UrlScan.ini file you’ll find a [DenyQueryStringSequences] section. Add an additional “aspxerrorpath=” entry immediately below it and then save the file:\r\n\r\n \r\n

[DenyQueryStringSequences]\r\naspxerrorpath=

\r\nThe above entry disallows URLs that have an “aspxerrorpath=” querystring attribute from making their way to ASP.NET applications, and will instead cause the web-server to return an HTTP error. Adding this rule prevents attackers from distinguishing between the different types of errors occurring on a server – which helps block attacks using this vulnerability.\r\nAfter saving this change:\r\n\r\n

run “iisreset”\r\nfrom a command prompt (elevated as admin\r\n

\r\nFor the above changes to take effect. To verify the change has been made, try accessing a URL on your site/application that has a querystring with an aspxerrorpath and verify that an HTTP error is sent back from IIS.\r\n URL Scan Summary\r\nIf you’ve already implemented the workaround we’ve previously published, please add the above step to help block attackers from exploiting the vulnerability.\r\nOur team is working around the clock to release an update via Windows Update that fixes the underlying product vulnerability. Until that update is available, you can use the above workaround to help prevent attackers from using the vulnerability against your applications.\r\nOnce we release the security update, you will no longer need to implement any workaround steps.\r\n\r\nThe alternative option: Using IIS request filtering:\r\nThese instructions are an alternative for the UrlScan instructions above for systems running IIS on Windows Vista Service Pack 2, Windows Server 2008 Service Pack 2, Windows 7, or Windows Server 2008 R2.\r\n1. Install the Request Filtering feature in IIS through either Add/Remove Programs or Role Manger by selecting the feature under Internet Information Services, World Wide Web Services, Security.\r\n2. Launch Internet Information Services (IIS) Manager.\r\n3. Select the server node in the left pane.\r\n4. Double-click Request Filtering.\r\n5. Select the Query Strings tab and click Deny Query String … in the Actions pane.\r\n6. Enter aspxerrorpath= in the dialog box and select OK.\r\n\r\nAlternatively, you can also use the following appcmd command to set this request querystring:\r\n

appcmd set config /section:requestfiltering /+denyQueryStringSequences.[sequence=’aspxerrorpath=’]

\r\nFor more information on using appcmd to configure IIS, see Getting Started with AppCmd.exe.\r\n\r\nConfigure ASP.Net applications to use uniform custom errors\r\nIn the root folder of each ASP.NET web application, determine if you already have a web.config file in this folder. You must have rights to create a file in the target directory to implement this workaround.\r\nIf the ASP.NET application does not have a web.config file:\r\n\r\nOn .NET Framework 3.5 and earlier\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Create a text file named web.config in the root folder of the ASP.NET application, and insert the following contents:\r\n

<configuration>\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx\r\n\r\nfile:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif (disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title> </title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request.     </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New RNGCryptoServiceProvider()\r\nprng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd IfEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div>  An error occurred while processing your request.  </div>\r\n</body>\r\n</html>

\r\nIf the ASP.NET application already has a web.config file:\r\n\r\nOn .NET Framework 3.5 RTM and earlier\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> …  </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” defaultRedirect=”~/error.html” />\r\n</system.web>\r\n</location>\r\n]\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. Create a text file named error.html containing a generic error message and save it in the root folder of the ASP.NET application.\r\n3. Alternatively, you can rename error.html in the web.config file to point to an existing error page, but that page must display generic content, not context-specific content.\r\n\r\nOn .NET Framework 3.5 Service Pack 1 and later\r\n1. Insert the bracketed text in the sample below into your existing web.config file:\r\n

<?xml version=”1.0″?>\r\n<configuration>\r\n<configSections> … </configSections>\r\n<appSettings> … </appSettings>\r\n<connectionStrings> … </connectionStrings>\r\n[\r\n<location allowOverride=”false”>\r\n<system.web>\r\n<customErrors mode=”On” redirectMode=”ResponseRewrite” defaultRedirect=”~/ErrorPage.aspx” />\r\n</system.web>\r\n</location>]\r\n</configuration>\r\n<system.web> … </system.web>\r\n<system.codedom> … </system.codedom>\r\n</configuration>

\r\n2. If you are comfortable using C#, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”C#” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nvoid Page_Load()\r\n{\r\nbyte[] delay = new byte[1];\r\nRandomNumberGenerator prng = new RNGCryptoServiceProvider();\r\nprng.GetBytes(delay);\r\nThread.Sleep((int)delay[0]);\r\nIDisposable disposable = prng as IDisposable;\r\nif\r\n(disposable != null)\r\n{\r\ndisposable.Dispose();\r\n}\r\n}\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\n3. If you are comfortable using Visual Basic .NET, we recommend using the following ErrorPage.aspx file:\r\n

<%@ Page Language=”VB” AutoEventWireup=”true” %>\r\n<%@ Import Namespace=”System.Security.Cryptography” %>\r\n<%@ Import Namespace=”System.Threading” %>\r\n<script runat=”server”>\r\nSub Page_Load()\r\nDim delay As Byte() = New Byte(0)\r\n{\r\n}\r\nDim prng As RandomNumberGenerator = New  RNGCryptoServiceProvider()       prng.GetBytes(delay)\r\nThread.Sleep(CType(delay(0), Integer))\r\nDim disposable As IDisposable = TryCast(prng, IDisposable)\r\nIf\r\nNot disposable Is Nothing\r\nThen\r\ndisposable.Dispose()\r\nEnd If\r\nEnd Sub\r\n</script>\r\n<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>\r\n<html xmlns=”http://www.w3.org/1999/xhtml”>\r\n<head runat=”server”>\r\n<title></title>\r\n</head>\r\n<body>\r\n<div> An error occurred while processing your request. </div>\r\n</body>\r\n</html>

\r\nImpact of Workaround:\r\nIf an error occurs during a Web transaction, the Web clients will see the same generic error message on the server, regardless of what error actually occurs. Additionally, any requests for Web pages which contain the string aspxerrropath= in the querystring portion of the URL will be blocked, and an HTTP error message returned to the client.\r\n\r\nYou can learn more about this vulnerability and the workaround from:\r\n\r\n