Tag Archives: ibmi php toolkit

PHP IBM i Toolkit – Security Awareness of HTTP transport – Sending UserId and Password in Clear Text

With many open source security exploits coming out (shellshock, Heartbleed and recently Ghost exploits) I decided to look into the open source PHP IBM i toolkit that many people are using to access the IBMi. The whole idea of open source is that by having many eyes looking at something that bugs and security issues would be figured out and new features can be contributed by anyone. The issue I found with the PHP toolkit is that there’s no warning about using the HTTP transport to connect to the iSeries. It’s actually sending your user id and password over the network to the web server in plain text. This is an issue with the XMLService as well. It really should not allow you to connect via HTTP and should force HTTPS connections. I looked into odbc_connect and it appears to me that its doing some type of encryption as I was not able to pick up my username with wireshark. Since IBM_DB2 is using SQLConnect in the php extension i’d assume the same goes for that transport method. Therefore, by default the toolkit appears safe, but if your project requires you to connect via HTTP make sure you refactor the transport to use HTTPS instead.  Also please don’t use the GET method as it puts the parameters (the userid and password) in the url string which is sometimes saved into access logs.

You can see this issue in the send method of httpsupp class

http

To see how to securely create a https request look at the comments from: jrubenstein at gmail dot com and louis dot huppenbauer at gmail dot com on php.net’s stream_context_create

Advertisements