Hi Yasuo,
I read your entire post, but the OWASP Guide will be sticking to the
basic points:
a) unnecessary features which introduce unnecessary vulnerabilities
should be off by default
b) software written in PHP should be written with allow_url_fopen off
and magic_quotes_gpc (and friends) off
c) software should WARN or STOP the installation if the above are set
to on as they are insufficient, insecure and give a false sense of
security
d) in general, PHP's "safe" mode is not safe, often trivially
defeated, and is not a good substitute for a proper sandbox and a
good security architecture
I have spoken to Chris Shifflet about this, and our discussions and a
document he proofed for me, formed the basis of this year's SANS Top
20 for PHP, which will now be a separate article on the OWASP main
site as the Top 20 launched with a watered down version of it. OWASP
Guide 2.1 (which I am currently editing) provides clearer guidance on
how to program in PHP safely as it's not entirely clear from PHP's
website, and nor is it clear from many PHP "security" guides. I also
recommend Chris' new book to all and sundry as it is *correct* in its
approach to data validation and sanitization (which he calls filtering).
I would welcome any security professionals in an effort to talk to
the PHP Development Team as a unified whole:
* Deploy PHP 6.0 in a secure way by default, as many hosters never
tweak or change php.ini
* Allow scripts to *turn on* features they need by explicit use of
set_ini() instead of just having them available to all scripts on the
off-chance a script may need that functionality.
* Remove or disable features like allow_url_fopen and the PHP filters
(madness) and substitute them with functions to do the same thing for
those programs which actually need that functionality
* Since PHP 6 is Unicode by default - which will break many scripts,
I'd like to see echo and printf() changed to be XSS safe by default,
and have a echo_raw() printf_raw() for those few times you need to
output HTML directly, or even better think about a Struts style tag
language so that programmers are not tempted to write their own
templating engine yet again
* Remove safe_mode and put in place a sandbox and security
architecture a la Java VM's or .NET
Bugtraq is littered with the consequences of the PHP Development
Team's extremely poor default choices and even poorer decisions about
what constitutes "security" for PHP (see "safe" mode for an example).
PHP must become a safer language by default, or it will be banned
from hosters who cannot financially support their servers being
trojan'd frequently by insecure software.
We can and should help the PHP project if they will take our counsel.
Thoughts?
thanks,
Andrew
On 30/12/2005, at 9:43 AM, Yasuo Ohgaki wrote:
OWASP guideline may be better to be updated, since allow_url_fopen=off
is not practical and allow_url_fopen=off does not provide good
enough safe guard.
