About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


PHP Security Experiments

I've been conducting some experiments lately to test a few security hypotheses that I've had as well as feed my curiosity. The success rate of these experiments has been shocking. The most recent experiment is taking place on the Zend forums, although it's over now (I don't want to needlessly spam the place). You'll notice a lot of topics with a subject of PHP Security Experiment, and they're all posted from different IPs (from all over the world). In short, I'm able to send HTTP requests of my choosing from other people's Web agents.

These experiments aren't testing a single piece of software but rather a specific set of vulnerabilities, and I'm chaining them together. I think I could chain them together even more and make them spread like worms. I'll release more details once I figure out how to properly notify the developers of all vulnerable software first (and allow ample time to fix the problems).

I could use some help. If you consider yourself a pretty proficient PHP developer who has a good understanding of the Web, and you'd like to participate, please contact me or leave a comment. I think there is plenty of work and research to be done.

About This Post

PHP Security Experiments was posted on Mon, 01 Nov 2004 at 20:46:32 GMT.

12 Comments

1. Paul M Jones said:

It would be **very** helpful to know the methodology and parameters of your test.

Incidentally, your experimentation could well be perceived as a series of attacks. White-hat though you may be, the manner is still a bit black-hat.

Thanks. :-)

Tue, 02 Nov 2004 at 00:22:33 GMT


2. Steph Fox said:

Au contraire, it's very useful to know where these problems lie - though I have to say it'd be better if we knew in advance that this kind of experiment was taking place!

I've actually asked Chris to try this in other areas of the Zend site now...

Tue, 02 Nov 2004 at 14:08:57 GMT


3. Chris Shiflett said:

My experiments so far have been very benign. In fact, I have developed my own applications in most cases. This helps me determine what types of safeguards I can successfully circumvent.

I'm constantly in communication with people from Zend, so I know that a few harmless posts aren't seen as a threat in any way. Also, in case it isn't clear, the experiment isn't testing a vulnerability in Zend's forums - the vulnerability is what allows me to post from arbitrary Web agents. Zend purposely allows anonymous posts, so there's nothing to really circumvent.

I'll publish more information once I feel confident that doing so won't be harmful.

Wed, 03 Nov 2004 at 01:09:59 GMT


4. Ilia Alshanetsky said:

As long as there are anonymous proxies people will be always capable of "faking" their IP. Heck, AOL users due to the nature of AOL proxies will almost always have different IPs between requests.

Of course faking headers with proxy IP relay information is another easy tactic of masking the "real" source address.

Wed, 03 Nov 2004 at 18:13:11 GMT


5. Chris Shiflett said:

That's true, but I'm not actually faking anything. Rather, the attacks trick other people's Web agents (which includes more than browsers) into sending requests of my choosing. This makes it very easy for me to get around safeguards, regardless of what is being checked - cookies, headers, etc.

Wed, 03 Nov 2004 at 18:45:20 GMT


6. Chris Shiflett said:

It doesn't work against FUDforum. :-)

Fri, 05 Nov 2004 at 18:17:42 GMT


7. Ilia Alshanetsky said:

That's certainly good news :-).

Fri, 05 Nov 2004 at 19:53:41 GMT


8. Ilia Alshanetsky said:

So you are using HTTP redirects to make people unknowingly submit GET or POST (via JavaScript) to a 3rd party site and create a new forum post?

Fri, 05 Nov 2004 at 23:46:36 GMT


9. Chris Shiflett said:

Not HTTP redirects. It's actually a combination of XSS and CSRF, although I've used various approaches, and a few have worked.

I can email you privately if you want details. I'm just trying to be careful.

Sat, 06 Nov 2004 at 06:07:53 GMT
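The chain described above works because the victim's own browser supplies its cookies and headers, so checking those does not distinguish a forged request from a real one. As an added example, not code from the original post or from any forum package, here is a PHP synchronizer-token check that rejects such submissions; the function names are illustrative and it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not from the original post): per-session anti-CSRF token.
// A forged request carries the victim's cookies and Referer automatically,
// but it cannot carry a secret that only the legitimately rendered form
// contains. Assumes PHP >= 7.0; function names are illustrative.

function csrf_token_issue(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One 32-byte random token per session, hex-encoded for the form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_verify(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // Reject missing tokens and non-string input (e.g. csrf_token[]=x).
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token.
    return hash_equals($expected, $given);
}

// Rendering the form: embed the token as a hidden field.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $token = htmlspecialchars(csrf_token_issue(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="post.php">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<textarea name="body"></textarea>'
       . '<button type="submit">Post</button></form>';
}

// Handling the form: refuse any POST without the matching token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_verify($_POST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... create the forum post from $_POST['body'] here ...
}
```

The token only helps while the site is free of XSS: a script injected into the same origin can read the hidden field and submit the form with it, which is exactly why the XSS-plus-CSRF combination is stronger than either alone.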


10. Ilia Alshanetsky said:

Please do, I am curious about the methodology and would definitely try it against FUDforum to see how it handles the situation.

p.s. my e-mail is ilia @ the url :-)

Sat, 06 Nov 2004 at 14:17:05 GMT


11. Maxime said:

I am very interested in the way you managed this if you don't mind sending me an e-mail with the methodology to shalombi@msn.com

Wed, 24 Nov 2004 at 13:28:56 GMT


12. Tom said:

I have to admit, it does seem that what goes on behind the scenes never was as easy as was originally thought. Think I'll restart building everything I've done ;)

Mon, 14 Feb 2005 at 15:12:42 GMT

