While it's no harm poking fun at ourselves, in PHP we do have a serious problem. Cross-Site Scripting (XSS) remains one of the most significant classes of security problems afflicting PHP applications. Despite years of education, community awareness and the development of frameworks which can offer a huge boost in consistent practices - things are not getting any better.

So, I finally figured out what the core problem is: PHP programmers are completely clueless about XSS. It's that simple. Instead of going out and studying the topic, we blindly follow some preferred herd of people offering advice with heartfelt conviction despite the fact that they are probably just as ignorant as the rest of us. Does that sound like the behaviour of something which allegedly evolved into an intelligent species? The result is a mix of ignorance and stagnant knowledge that leaves PHP in an unenviable position beset by wrongheaded zealots.

He introduces the htmlspecialchars function and how it has been generally assumed a good method for presenting XSS attacks. He talks about issues with quotes, problems that IE6 seems to have that no one else does and the all-important third parameter of the function (character set detection) and the optional fourth (decoding HTML entities automatically).

He's created this github repository with the examples from the post.

One set of changes that I think is particularly important was largely overlooked: For PHP 5.4 cataphract (Artefacto on StackOverflow) heroically rewrote large parts of htmlspecialchars thus fixing various quirks and adding some really nice new features. Here a quick summary of the most important changes: UTF-8 as the default charset, improved error handling (ENT_SUBSTITUTE) and Doctype handling (ENT_HTML401,...).

He goes into each of these three main features in a bit more detail, providing code to illustrate the improved error handling and the new flags for Doctype handling (covering HTML 4.01, HTML 5, XML 1 and XHTML).

In the post [on Good and Bad PHP Code], he provides a few useful PHP interview questions, including some questions from Yahoo. He explains that good PHP code should be Structured, Consistent, Portable and Secure

In the comments, many additional improvements have been suggested, but there's one that has yet to be mentioned. When using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible.

Included in the post is an example to illustrate the point as well as a solution, a simple one involving the header() function, to help correct the problem and prevent bad things from happening.

Be sure to check out the comments for more great tips.]]> Wed, 20 Jun 2007 09:35:00 -0500 http://www.phpdeveloper.org/news/7711 http://www.phpdeveloper.org/news/7711 Cicso product users should check out this latest issue Secunia has released today - a problem with the htmlentities and htmlspecialchars functions that can lead to buffer overflows.

The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application.

Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected.

Products affected include the Network Analysis Modules (NAM) for Cisco 6500 switch, Cisco 7600 router/Branch Routers and the CiscoWorks Wireless LAN Solution Engine (WLSE) and CiscoWorks Wireless LAN Solution (among others, check out the advisory for a more complete list).

There are some patches that have been released to correct this issue (like the one for the Cisco Unified Application Environment) but others are still yet to come. They recommend limiting access to only trusted IPs and devices only to reduce the risk of the problem being exploited.

There's another round of "Is PHP Secure?" debate happening right now. Chris drew attention to it, pointing to a post by Andrew van der Stock (who's a contributor to OWASP): PHP Insecurity: Failure of Leadership.

So the usual denials have been made (see replies to Chris's entry) - "Damn newbies", "Holes in PHP-based app != PHP insecure", etc., all of which I agree with. But...

He also mentions that this kind of talk could do more harm than good, making people that were on the edge lean back and take another look somewhere else. He also gives an example, a short bit of PHP and HTML that shines light on a typical XSS example - and asks if it's the developer's fault for not knowing, or the language's fault for not handling it right? Other topics he touches on as well are short tags and the use of filtering for all user input...]]> Wed, 25 Jan 2006 07:06:37 -0600