Tag Archives: Web Security

Protecting against Session Fixation in PHP on IBMi

After logging a user into your system you should invalidate the previous session identifier so an attacker doesn't have the chance to steal an authenticated session id. In PHP the PHPSESSID cookie is our session identifier and it should be changed after logging in. It's as easy as running session_regenerate_id(), which will change your PHPSESSID to a different value.

If you don't change the session identifier, an attacker may try to set the user's PHPSESSID cookie to a value they know; then, after the user authenticates, the attacker can perform any action your application allows for authenticated users.
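The login-time regeneration described above, as an added example (not code from the original post). The user store is a constructed stand-in for your own credential lookup:

```php
<?php
// Added example: rotate the session id at the privilege boundary (successful
// login) so a PHPSESSID planted before login is worthless afterwards.

// Cookie hardening must be set before session_start() sends the cookie.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// Constructed sample user store; replace with your own lookup.
function checkCredentials(string $user, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function loginUser(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // Issue a fresh PHPSESSID and delete the old server-side record (true),
    // so the pre-login id can no longer reach the authenticated session.
    session_regenerate_id(true);

    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well, not just the server record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: credentials arrive by POST, never in the URL.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo loginUser($_POST['user'] ?? '', $_POST['password'] ?? '')
        ? 'Logged in, new session id: ' . session_id()
        : 'Login failed';
}
```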


Protecting against SQL Injection in PHP and DB2 on IBM i

With many IBMi developers new to PHP, SQL and the web environment, it's important to cover a common mistake people make: concatenating a value from $_REQUEST, $_GET or $_POST into their SQL statement string. This opens up the possibility of SQL injection, which allows someone to retrieve other data, bypass certain logic by making the statement always true, or worse (dropping a table, altering data, anything you can do in SQL). Below is how you can use a prepared SQL statement to safely execute SQL.
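The concatenation mistake beside its prepared-statement fix, as an added example (not code from the original post). It assumes the ibm_db2 extension; the table MYLIB.CUSTOMERS and the connection credentials are placeholders:

```php
<?php
// Added example: string concatenation vs. a prepared statement with ibm_db2.

// UNSAFE: the request value becomes part of the statement text, so DB2
// parses whatever the user typed as SQL (e.g. "1 OR 1=1" returns every row).
function findCustomerUnsafe($conn, string $custno)
{
    $sql = "SELECT CUSTNO, NAME FROM MYLIB.CUSTOMERS WHERE CUSTNO = " . $custno;
    return db2_exec($conn, $sql);
}

// SAFE: the statement text is fixed at prepare time; the value travels as a
// bound parameter and is never interpreted as SQL.
function findCustomerSafe($conn, string $custno): ?array
{
    $sql  = "SELECT CUSTNO, NAME FROM MYLIB.CUSTOMERS WHERE CUSTNO = ?";
    $stmt = db2_prepare($conn, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . db2_stmt_errormsg());
    }
    // Parameters are passed as an array in marker order.
    if (!db2_execute($stmt, [$custno])) {
        throw new RuntimeException('execute failed: ' . db2_stmt_errormsg($stmt));
    }
    $row = db2_fetch_assoc($stmt);
    return $row === false ? null : $row;
}

// Usage. *LOCAL is the local IBM i database; the profile and password are
// placeholders. Use a profile with only the authority the application needs.
$conn = db2_connect('*LOCAL', 'WEBUSER', 'PLACEHOLDER_PASSWORD');
if ($conn === false) {
    http_response_code(500);
    exit('database connection failed');
}
$row = findCustomerSafe($conn, $_GET['custno'] ?? '');
// Escape on output as well: the data is untrusted when it reaches the browser.
echo $row ? htmlspecialchars($row['NAME'], ENT_QUOTES, 'UTF-8') : 'not found';
```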

Cross-Site Request Forgery (CSRF) Prevention in PHP

Below is an example of how to prevent cross-site request forgery in PHP. Basically you create a form token tied to the user's session. When the form is submitted we verify that they have a token and that it's the token we issued to the user. If it's not, we don't process the form and echo out an error message.
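The session-bound form token just described, as an added example (not code from the original post). The form fields are illustrative:

```php
<?php
// Added example: a per-session CSRF token, issued when the form is rendered
// and checked in constant time when the form is submitted.
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 256 bits from the CSPRNG, stored only in the server-side session.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid($submitted): bool
{
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() avoids both type juggling and timing leaks that a plain
    // == comparison would introduce. Known value first, user value second.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token; the request was not processed.');
    }
    // ... the form is genuine: process $_POST['amount'] here ...
    exit('Form accepted.');
}

// GET: render the form with the token in a hidden field.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>Amount <input type="text" name="amount"></label>
  <button type="submit">Transfer</button>
</form>
HTML;
```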

Defending against Click-jacking and UI redress attacks in PHP and HTML

Below is a small snippet on how you can defend against click-jacking and UI redress attacks using the X-Frame-Options response header for browsers that support it. It also has CSS and JavaScript that block the page from being shown unless it is the top page. If you're not familiar with click-jacking, the attacker basically embeds an invisible layer on top of the visible layer of a webpage. This invisible layer takes the user's clicks and entered information and possibly does malicious things. They could have you enter information into an input box that is one layer above the actual input box, make you follow someone on Twitter, like a Facebook page, click a Google ad, etc.
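The header plus CSS/JavaScript fallback described above, as an added example (not code from the original post). The Content-Security-Policy frame-ancestors directive is the newer equivalent of X-Frame-Options and is sent alongside it; the form is illustrative:

```php
<?php
// Added example: the response header is the real defence in supporting
// browsers; the CSS/JS frame-buster is a fallback for browsers that ignore it.
// Headers must be sent before any body output.
header('X-Frame-Options: DENY');   // use SAMEORIGIN if you frame your own pages
header("Content-Security-Policy: frame-ancestors 'none'");
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Framing-protected page</title>
  <!-- Hide the whole page by default; the script reveals it only when this
       window is the top-level window, so an overlay has nothing to cover. -->
  <style id="antiClickjack">body { display: none !important; }</style>
  <script>
    if (self === top) {
      // Not framed: remove the hiding rule so the page renders normally.
      var s = document.getElementById('antiClickjack');
      s.parentNode.removeChild(s);
    } else {
      // Framed: navigate the top window to this page, leaving the frame.
      top.location = self.location;
    }
  </script>
</head>
<body>
  <form method="post" action="/transfer.php">
    <button type="submit">Confirm transfer</button>
  </form>
</body>
</html>
```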

Security: Deleting files in the IFS with PHP on IBM i using unlink

So I tried deleting a file on the IFS and the only permission a user needs is *OBJEXIST. So make sure you're not granting public or QTMHHTTP *OBJEXIST permission blindly, and lock down the $filename passed to unlink to make sure you don't have someone deleting all your files.
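One way to lock down the $filename passed to unlink, as an added example (not code from the original post): the request may name a file, never a path, and the resolved path must stay inside one directory that the web server profile holds *OBJEXIST on. The upload directory is a placeholder:

```php
<?php
// Added example: confine unlink() to a single IFS directory.
const UPLOAD_BASE = '/www/zendsvr/htdocs/uploads';   // placeholder directory

function deleteUpload(string $requestedName): bool
{
    // Accept only a bare file name: no separators, no "." or "..".
    if ($requestedName === '' || $requestedName === '.' || $requestedName === '..'
        || basename($requestedName) !== $requestedName) {
        return false;
    }

    $base = realpath(UPLOAD_BASE);
    $path = realpath(UPLOAD_BASE . '/' . $requestedName);
    if ($base === false || $path === false) {
        return false;          // directory missing, or the file does not exist
    }

    // realpath() resolves symlinks, so a link inside the directory that points
    // elsewhere is caught too: the resolved path must still sit under $base.
    if (strpos($path, $base . '/') !== 0 || !is_file($path)) {
        return false;
    }

    return unlink($path);
}

// Usage: the request value never reaches unlink() directly.
if (deleteUpload($_POST['filename'] ?? '')) {
    echo 'Deleted.';
} else {
    http_response_code(400);
    echo 'Refused.';
}
```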


PHP IBM i Toolkit – Security Awareness of HTTP transport – Sending UserId and Password in Clear Text

With many open source security exploits coming out (Shellshock, Heartbleed and recently the Ghost exploits) I decided to look into the open source PHP IBM i toolkit that many people are using to access the IBMi. The whole idea of open source is that by having many eyes looking at something, bugs and security issues would be figured out and new features can be contributed by anyone. The issue I found with the PHP toolkit is that there's no warning about using the HTTP transport to connect to the iSeries. It's actually sending your user id and password over the network to the web server in plain text. This is an issue with the XMLService as well. It really should not allow you to connect via HTTP and should force HTTPS connections. I looked into odbc_connect and it appears to me that it's doing some type of encryption, as I was not able to pick up my username with Wireshark. Since IBM_DB2 is using SQLConnect in the PHP extension I'd assume the same goes for that transport method. Therefore, by default the toolkit appears safe, but if your project requires you to connect via HTTP make sure you refactor the transport to use HTTPS instead. Also please don't use the GET method as it puts the parameters (the userid and password) in the URL string, which is sometimes saved into access logs.

You can see this issue in the send method of the httpsupp class.

To see how to securely create an HTTPS request, look at the comments from jrubenstein at gmail dot com and louis dot huppenbauer at gmail dot com on php.net's stream_context_create page.
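The HTTPS-with-POST transport the post asks for, as an added example (not code from the original post or the toolkit): the stream context verifies the server certificate, refuses plain http:// URLs, and carries the credentials in the POST body rather than the URL. The endpoint URL, CA bundle path and field names are placeholders for your own installation:

```php
<?php
// Added example: post credentials to a web-service endpoint over verified HTTPS.

function postOverHttps(string $url, array $fields, string $caFile): string
{
    // Never let a misconfigured URL downgrade the transport to clear text.
    if (strpos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('refusing to send credentials over plain HTTP');
    }

    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'       => true,    // reject servers without a trusted cert
            'verify_peer_name'  => true,    // the hostname must match the cert
            'allow_self_signed' => false,
            'cafile'            => $caFile, // CA bundle that issued the server cert
        ],
        'http' => [
            'method'        => 'POST',      // body, not query string: keeps creds out of access logs
            'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content'       => http_build_query($fields),
            'timeout'       => 30,
            'ignore_errors' => true,        // return the body on 4xx/5xx instead of false
        ],
    ]);

    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException('HTTPS request failed (TLS or network error)');
    }
    return $body;
}

// Usage with placeholder values; the field names depend on the service you call.
$response = postOverHttps(
    'https://myibmi.example.com/cgi-bin/service.pgm',
    ['db2' => '*LOCAL', 'uid' => 'WEBUSER', 'pwd' => 'PLACEHOLDER_PASSWORD'],
    '/QOpenSys/etc/ssl/certs/ca-bundle.crt'
);
echo htmlspecialchars($response, ENT_QUOTES, 'UTF-8');
```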

DB2 PHP Security Exploit – Older versions of Zend Server for IBM i – Login under any user profile without a password

If you’re running an old version of Zend Server on the IBM i make sure you look at this article from Zend Support:

https://support.zend.com/hc/en-us/articles/203733853-db2-connect-may-allow-blank-password-with-user-entered

Basically you need to rename
/usr/local/zendsvr/lib/libdb400.a to /usr/local/zendsvr/lib/libdb400.a.bak

To do this, Rod Flohr suggests you open a PASE shell and issue a mv command to rename the file.

5250 Terminal:

call qp2term

PASE:

mv /usr/local/zendsvr/lib/libdb400.a /usr/local/zendsvr/lib/libdb400.a.bak

If you pass user-supplied parameters to the db2_connect function, a person could possibly log in as someone else with greater authorities and go into pages or access data they aren't authorized to use.