PHP header attacks

On an education site I maintain, the powers that be (region wide) have put out a notice about the vulnerability of PHP files to such things as ‘injection header attacks’. They have identified two scripts that I am using (Cutenews and form-2-mail) as being possibly vulnerable.

The local educational authority IT server maintenance wallah is saying to my client contact that she’ll just have to ditch these files and find alternatives. Sounds like making his own life easy to me!

I would have thought you could just monitor the situation and, if you do get an attack, respond appropriately. Would you know of such an attack?

The alternative seems to be new PHP scripts which they won’t get round to checking for a while (!) or moving to Perl/CGI…and that could cost, as I have to find suitable scripts and rework them into the site.

Hmmm. Anyone know how to secure PHP files against vulnerability?

Hugh


offtopic mailing list
email@hidden
Update your subscriptions at:
http://freewaytalk.net/person/options

Cutenews could be secured (I think) by putting the admin pages in a folder and restricting access to that folder with htaccess or similar.

Form2mail can be “hardened” by running all inputs to it through a chain of steps:

  1. Use rawurldecode to expand any encoded nasties.
  2. Use preg_replace to convert anything that isn’t ASCII[1] to a question mark.
  3. Use strip_tags to remove code.

I do this on the Freewaytalk site, and get about three messages a week on the public content form that are filled with question marks. Naturally, the members don’t get up to these sorts of hijinks.

Walter

  1. Where by ASCII I mean the characters you want to allow.

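Walter's three steps, written out as one PHP function so the chain can be seen end to end. This is an added example, not code from the thread, from form-2-mail or from Cutenews. The allowlist is an assumption (printable ASCII, 0x20 to 0x7E, which is one reading of his footnote), and the header builder, the fallback address and the sample input are constructed for the example. Because CR and LF fall outside that allowlist, step 2 also removes the line breaks a header-injection payload needs to add an extra mail header, which is the point of running the chain on fields that end up in From: or Subject:.

```php
<?php
// Added example (not code from the original thread or from form-2-mail):
// Walter's three-step cleaning chain as one reusable function, plus a
// header builder that uses it. The allowlist, the fallback address and
// the sample attack input are constructed for illustration.

// Step 2's allowlist. Walter's footnote says "the characters you want to
// allow"; here that is assumed to be printable ASCII, 0x20 (space) to
// 0x7E (~). CR (0x0D) and LF (0x0A) fall outside it, and those are the
// bytes a header-injection payload needs to start an additional header.
const ALLOWED_CHARS = '/[^\x20-\x7E]/';

function cleanField(string $raw): string
{
    // 1. Expand percent-encoding so that %0D%0A or %3Cb%3E reach the
    //    following steps as the raw bytes they stand for.
    $value = rawurldecode($raw);

    // 2. Turn every byte outside the allowlist into a question mark.
    $value = preg_replace(ALLOWED_CHARS, '?', $value);

    // 3. Remove anything that still looks like an HTML or PHP tag.
    return strip_tags($value);
}

/**
 * Build the additional-headers string for mail(). The sender address is
 * validated after cleaning; if it fails, the site's own address (assumed
 * value) is used, so a bad field can never put arbitrary text into From:.
 */
function buildHeaders(string $rawName, string $rawEmail, string $fallback): string
{
    $name  = cleanField($rawName);
    $email = cleanField($rawEmail);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $email = $fallback;
    }

    // Each header is exactly one line. The chain guarantees $name and
    // $email contain no CR or LF, so a Bcc: line cannot be smuggled in.
    return "From: {$name} <{$email}>\r\n"
         . "Reply-To: {$email}\r\n"
         . "X-Mailer: PHP/" . PHP_VERSION;
}

// Constructed sample input: a "name" field carrying an encoded CRLF, a
// Bcc: header and a tag, the kind of abuse the thread is about.
$attack = "Alice%0D%0ABcc:%20victim@example.net%0D%0A%3Cb%3Ehi%3C/b%3E";

echo cleanField($attack), "\n\n";
echo buildHeaders($attack, "not an address", "site@example.com"), "\n";

// In the real script the result goes into mail():
// mail($to, cleanField($_POST['subject']), cleanField($_POST['body']),
//      buildHeaders($_POST['name'], $_POST['email'], 'site@example.com'));
```

Run from the command line, the decoded CRLF pairs come out as pairs of question marks (the effect Walter describes seeing on the Freewaytalk form), the `<b>` tags disappear, and the From: line stays a single line with the fallback address because "not an address" fails the email check. Note that `$_POST` values are already URL-decoded by PHP, so step 1 is a second decode; that is deliberate in Walter's chain, since it exposes doubly-encoded input, but it also means a legitimate literal `%` in a field will be altered.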

Hi Walter,

Hmmm…we’re into code talk here, way over my head I’m afraid!

Maybe we’ll drop the form and just give out an email address… :wink:

Hugh
