<meter id="pgsoe"></meter>

<code id="pgsoe"><u id="pgsoe"></u></code>

<acronym id="pgsoe"><video id="pgsoe"></video></acronym>
    1. <label id="pgsoe"></label>
  • <acronym id="pgsoe"><legend id="pgsoe"><blockquote id="pgsoe"></blockquote></legend></acronym>
      <label id="pgsoe"></label>
    <acronym id="pgsoe"></acronym>
  • <meter id="pgsoe"><u id="pgsoe"><option id="pgsoe"></option></u></meter>
    <output id="pgsoe"></output>
  • <var id="pgsoe"><ol id="pgsoe"></ol></var>

    Error Reporting

    With PHP security, there are two sides to error reporting. One is beneficial to increasing security, the other is detrimental.

    A standard attack tactic involves profiling a system by feeding it improper data, and checking for the kinds, and contexts, of the errors which are returned. This allows the system cracker to probe for information about the server, to determine possible weaknesses. For example, if an attacker had gleaned information about a page based on a prior form submission, they may attempt to override variables, or modify them:

    Example #1 Attacking Variables with a custom HTML page

    <form method="post" action="attacktarget?username=badfoo&amp;password=badfoo">
    <input type="hidden" name="username" value="badfoo" />
    <input type="hidden" name="password" value="badfoo" />

    The PHP errors which are normally returned can be quite helpful to a developer who is trying to debug a script, indicating such things as the function or file that failed, the PHP file it failed in, and the line number which the failure occurred in. This is all information that can be exploited. It is not uncommon for a php developer to use show_source(), highlight_string(), or highlight_file() as a debugging measure, but in a live site, this can expose hidden variables, unchecked syntax, and other dangerous information. Especially dangerous is running code from known sources with built-in debugging handlers, or using common debugging techniques. If the attacker can determine what general technique you are using, they may try to brute-force a page, by sending various common debugging strings:

    Example #2 Exploiting common debugging variables

    <form method="post" action="attacktarget?errors=Y&amp;showerrors=1&amp;debug=1">
    <input type="hidden" name="errors" value="Y" />
    <input type="hidden" name="showerrors" value="1" />
    <input type="hidden" name="debug" value="1" />

    Regardless of the method of error handling, the ability to probe a system for errors leads to providing an attacker with more information.

    For example, the very style of a generic PHP error indicates a system is running PHP. If the attacker was looking at an .html page, and wanted to probe for the back-end (to look for known weaknesses in the system), by feeding it the wrong data they may be able to determine that a system was built with PHP.

    A function error can indicate whether a system may be running a specific database engine, or give clues as to how a web page or programmed or designed. This allows for deeper investigation into open database ports, or to look for specific bugs or weaknesses in a web page. By feeding different pieces of bad data, for example, an attacker can determine the order of authentication in a script, (from the line number errors) as well as probe for exploits that may be exploited in different locations in the script.

    A filesystem or general PHP error can indicate what permissions the web server has, as well as the structure and organization of files on the web server. Developer written error code can aggravate this problem, leading to easy exploitation of formerly "hidden" information.

    There are three major solutions to this issue. The first is to scrutinize all functions, and attempt to compensate for the bulk of the errors. The second is to disable error reporting entirely on the running code. The third is to use PHP's custom error handling functions to create your own error handler. Depending on your security policy, you may find all three to be applicable to your situation.

    One way of catching this issue ahead of time is to make use of PHP's own error_reporting(), to help you secure your code and find variable usage that may be dangerous. By testing your code, prior to deployment, with E_ALL, you can quickly find areas where your variables may be open to poisoning or modification in other ways. Once you are ready for deployment, you should either disable error reporting completely by setting error_reporting() to 0, or turn off the error display using the php.ini option display_errors, to insulate your code from probing. If you choose to do the latter, you should also define the path to your log file using the error_log ini directive, and turn log_errors on.

    Example #3 Finding dangerous variables with E_ALL

    if ($username) {  // Not initialized or checked before usage
    $good_login 1;
    if (
    $good_login == 1) { // If above test fails, not initialized or checked before usage
    readfile ("/highly/sensitive/data/index.html");

    add a note add a note

    User Contributed Notes 1 note

    earlz- -NO SPAM-- at earlz dot biz DOT tm
    11 years ago
    Note for those of you using OpenBSD and PHP.  The default php.ini has display_errors=off . This is contrary to the PHP default of display_errors=on . If your having trouble seeing errors on OpenBSD make sure to edit your php.ini to have display_errors=on. (I had this problem on OpenBSD 4.4)
    To Top
    镇雄| 滨海| 抚宁| 太原| 泊头| 甘洛| 沙河| 焦作| 万州龙宝| 德安| 聊城| 鹰潭| 华蓥山| 霍山| 南华| 灌云| 平阴| 惠阳| 华亭| 临江| 上虞| 蛟河| 民丰| 宿州| 吐鲁番| 沛县| 揭阳| 涪陵| 佳木斯| 潞西| 龙胜| 凌海| 梅州| 涡阳| 沙湾| 邕宁| 萧山| 法库| 八宿| 德江| 怀安| 郑州| 江永| 霞云岭| 兰坪| 绥棱| 鸡东| 富民| 安仁| 砀山| 湟中| 土默特右旗| 科尔沁右翼中旗| 隆化| 琼山| 庆元| 乾安| 博爱| 陆良| 丰南| 铁干里克| 西丰| 察隅| 黄山站| 荣县| 平谷| 平原| 胡尔勒| 南宁| 鹿寨| 阜阳| 灌南| 栖霞| 克山| 徐州农试站| 苍山| 拐子湖| 安阳| 双江| 涞水| 阜南| 巴盟农试站| 溧水| 江安| 曲靖| 永福| 赤峰| 通辽| 闵行| 盘县| 新蔡| 芮城| 汤河口| 栖霞| 江津| 蔡家湖| 安定| 东吉屿| 苏尼特左旗| 洛宁| 德格| 珲春| 禹州| 泗洪| 利辛| 余庆| 资溪| 临湘| 洪湖| 阜康| 拐子湖| 延津| 赞皇| 峨眉山| 巴彦| 绍兴| 苍梧| 黎城| 南康| 汕尾| 七台河| 庆安| 额济纳旗| 五道梁| 兴和| 北安| 巴南| 独山| 理塘| 湘阴| 邹城| 蒙山| 石嘴山| 万载| 尼勒克| 景泰| 云澳| 安康| 宜阳| 汶川| 硕龙| 丰台| 宝过图| 炉山| 南丰| 涟源| 淮阴县| 盘锦| 连平| 丹阳| 昌乐| 天河| 柘城| 穆棱| 周口| 永仁| 河曲| 江阴| 深圳| 林甸| 洋县| 喀什| 阳信| 岐山| 昔阳| 羊山| 龙川| 通渭| 交口| 金山| 睢宁| 呼伦贝尔| 当涂| 神池| 新晃| 昌平| 定襄| 高台| 丰县| 衡南| 万载| 夷陵| 清丰| 枣庄| 曹县| 通辽钱家店| 余江| 吐鲁番东坎| 德阳| 昭苏| 兰坪| 旬邑| 武宁| 镇安| 南安| 大勐龙| 德庆| 正镶白旗| 涿鹿| 乌鲁木齐| 太原| 莎车| 平利| 双辽| 牟定| 当阳| 峰峰| 宁河| 泌阳| 蛟河| 吕泗| 新港| 诺木洪| 平度| 芜湖| 南江| 上思| 图里河| 临沧| 昌图| 普兰店| 黄陂| 石嘴山| 灵山| 丹棱| 夷陵| 礼泉| 南宁城区| 汶上| 木兰| 天台| 台南| 韦州| 华宁| 西乌珠穆沁旗| 霍林郭勒| 长治| 彭泽| 连南| 马龙| 鹿寨| 香港| 肇源| 上海| 水城| 吴忠| 曹县| 怒江| 当涂| 沙河| 巴中| 菏泽| 赣州| 南华| 伊通| 霸州| 阿图什| 绥中| 高阳| 枣强| 阿鲁科尔沁旗| 黄梅| 咸丰| 乌什| 馆陶| 潼南| 嘉禾| 郏县| 东胜| 华坪| 聂拉木| 南皮| 乐安| 西丰| 阿克苏| 葫芦岛| 义乌| 闽清| 盐亭| 岳池| 硇洲| 昭觉| 庐山| 岳西| 华亭| 林甸| 桃江| 和硕| 方正| 政和| 鄂托克前旗| 石楼| 洪江| 康平| 山南| 三门| 东川| 秀山| 商都| 华山| 宜川| 肃宁| 伊春| 石棉| 建阳| 英山| 吕梁| 防城港| 象州| 焦作| 讷河| 华亭| 弥渡| 偏关| 吴江| 融安| 新巴尔虎左旗| 深圳| 玉山| 兰西| 突泉| 石楼| 鸡泽| 海拉尔| 陵县| 白城| 乐山| 阿克陶| 海西| 灯塔| 宿迁| 朱日和| 揭阳| 神池| 济源| 南昌| 澄江| 代县| 托托河| 甘孜| 峨边| 赣州| 井冈山| 顺德| 仪陇| 磐安| 东平| 巴林右旗| 休宁| 蓬莱| 信宜| 澄城| 青川| 嘉黎| 华蓥山| 香日德| 畹町镇| 白水| 内乡| 张家港| 河口| 海林| 宝山| 双鸭山| 高力板| 四平| 乐至| 灵武| 蔡家湖| 策勒| 门头沟| 平昌| 府谷| 天台| 同江| 潞城| 伊川| 桥口| 南涧| 通辽钱家店| 吉水| 会昌| 当阳| 金昌| 霍城| 商南| 桦川| 清镇| 博湖| 弥勒| 白银| 凭祥| 林州| 鲁甸| 富县| 南丰| 三都| 沅江| 茶陵| 泾县