Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Pádraic Brady's Blog:
XSS in PHP (Part 1): How Not to Use Htmlspecialchars
Mar 13, 2012 @ 17:44:27

Pádraic Brady has written up an exhaustive guide to using htmlspecialchars correctly and securely in your applications (though it's technically how "not to use it"). This is part one of a series looking at preventing cross-site scripting in PHP applications.

While it’s no harm poking fun at ourselves, in PHP we do have a serious problem. Cross-Site Scripting (XSS) remains one of the most significant classes of security problems afflicting PHP applications. Despite years of education, community awareness and the development of frameworks which can offer a huge boost in consistent practices – things are not getting any better.

So, I finally figured out what the core problem is: PHP programmers are completely clueless about XSS. It’s that simple. Instead of going out and studying the topic, we blindly follow some preferred herd of people offering advice with heartfelt conviction despite the fact that they are probably just as ignorant as the rest of us. Does that sound like the behaviour of something which allegedly evolved into an intelligent species? The result is a mix of ignorance and stagnant knowledge that leaves PHP in an unenviable position beset by wrongheaded zealots.

He introduces the htmlspecialchars function and how it has been generally assumed a good method for presenting XSS attacks. He talks about issues with quotes, problems that IE6 seems to have that no one else does and the all-important third parameter of the function (character set detection) and the optional fourth (decoding HTML entities automatically).

He's created this github repository with the examples from the post.

tagged: xss tutorial htmlspecialchars crosssitescripting security

Link:

Nikita Popov's Blog:
htmlspecialchars() improvements in PHP 5.4
Jan 30, 2012 @ 15:55:24

In this new post to his blog Nikita Popov looks at an update that might have gotten lost in the shuffle of new features coming in PHP 5.4 - some updates to htmlspecialchars.

One set of changes that I think is particularly important was largely overlooked: For PHP 5.4 cataphract (Artefacto on StackOverflow) heroically rewrote large parts of htmlspecialchars thus fixing various quirks and adding some really nice new features. Here a quick summary of the most important changes: UTF-8 as the default charset, improved error handling (ENT_SUBSTITUTE) and Doctype handling (ENT_HTML401,...).

He goes into each of these three main features in a bit more detail, providing code to illustrate the improved error handling and the new flags for Doctype handling (covering HTML 4.01, HTML 5, XML 1 and XHTML).

tagged: htmlspecialchars improvement release doctype error utf8

Link:

Chris Shiflett's Blog:
Character Encoding and XSS
Jun 20, 2007 @ 14:35:00

In this post to his blog, Chris Shiflett talks about some issues surrounding character encoding and the cross-site scripting issues it can open up in your application.

In the post [on Good and Bad PHP Code], he provides a few useful PHP interview questions, including some questions from Yahoo. He explains that good PHP code should be Structured, Consistent, Portable and Secure

In the comments, many additional improvements have been suggested, but there's one that has yet to be mentioned. When using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible.

Included in the post is an example to illustrate the point as well as a solution, a simple one involving the header() function, to help correct the problem and prevent bad things from happening.

Be sure to check out the comments for more great tips.

tagged: security crosssitescripting character encoding attack htmlspecialchars security crosssitescripting character encoding attack htmlspecialchars

Link:

Chris Shiflett's Blog:
Character Encoding and XSS
Jun 20, 2007 @ 14:35:00

In this post to his blog, Chris Shiflett talks about some issues surrounding character encoding and the cross-site scripting issues it can open up in your application.

In the post [on Good and Bad PHP Code], he provides a few useful PHP interview questions, including some questions from Yahoo. He explains that good PHP code should be Structured, Consistent, Portable and Secure

In the comments, many additional improvements have been suggested, but there's one that has yet to be mentioned. When using htmlspecialchars() without specifying the character encoding, XSS attacks that use UTF-7 are possible.

Included in the post is an example to illustrate the point as well as a solution, a simple one involving the header() function, to help correct the problem and prevent bad things from happening.

Be sure to check out the comments for more great tips.

tagged: security crosssitescripting character encoding attack htmlspecialchars security crosssitescripting character encoding attack htmlspecialchars

Link:

Secunia:
Cisco Products PHP "htmlentities()" and "htmlspecialchars()" Buffer Overflows
Apr 26, 2007 @ 12:55:00

Cicso product users should check out this latest issue Secunia has released today - a problem with the htmlentities and htmlspecialchars functions that can lead to buffer overflows.

The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application.

Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected.

Products affected include the Network Analysis Modules (NAM) for Cisco 6500 switch, Cisco 7600 router/Branch Routers and the CiscoWorks Wireless LAN Solution Engine (WLSE) and CiscoWorks Wireless LAN Solution (among others, check out the advisory for a more complete list).

There are some patches that have been released to correct this issue (like the one for the Cisco Unified Application Environment) but others are still yet to come. They recommend limiting access to only trusted IPs and devices only to reduce the risk of the problem being exploited.

tagged: cisco buffer overflow htmlspecialchars htmlentities advisory cisco buffer overflow htmlspecialchars htmlentities advisory

Link:

Secunia:
Cisco Products PHP "htmlentities()" and "htmlspecialchars()" Buffer Overflows
Apr 26, 2007 @ 12:55:00

Cicso product users should check out this latest issue Secunia has released today - a problem with the htmlentities and htmlspecialchars functions that can lead to buffer overflows.

The vulnerabilities are caused due to boundary errors within the "htmlentities()" and "htmlspecialchars()" functions. If a PHP application uses these functions to process user-supplied input, this can be exploited to cause a heap-based buffer overflow by passing specially crafted data to the affected application.

Successful exploitation may allow execution of arbitrary code, but requires that the UTF-8 character set is selected.

Products affected include the Network Analysis Modules (NAM) for Cisco 6500 switch, Cisco 7600 router/Branch Routers and the CiscoWorks Wireless LAN Solution Engine (WLSE) and CiscoWorks Wireless LAN Solution (among others, check out the advisory for a more complete list).

There are some patches that have been released to correct this issue (like the one for the Cisco Unified Application Environment) but others are still yet to come. They recommend limiting access to only trusted IPs and devices only to reduce the risk of the problem being exploited.

tagged: cisco buffer overflow htmlspecialchars htmlentities advisory cisco buffer overflow htmlspecialchars htmlentities advisory

Link:

SitePoint PHP Blog:
PHP Security - Dumb Users or Dumb APIs?
Jan 25, 2006 @ 13:06:37

On the SitePoint PHP Blog today, there's a new post from Harry Fuecks with his take on the whole "PHP security" issue that's being tossed around lately.

There's another round of "Is PHP Secure?" debate happening right now. Chris drew attention to it, pointing to a post by Andrew van der Stock (who’s a contributor to OWASP): PHP Insecurity: Failure of Leadership.

So the usual denials have been made (see replies to Chris’s entry) - "Damn newbies", "Holes in PHP-based app != PHP insecure", etc., all of which I agree with. But...

He also mentions that this kind of talk could do more harm than good, making people that were on the edge lean back and take another look somewhere else. He also gives an example, a short bit of PHP and HTML that shines light on a typical XSS example - and asks if it's the developer's fault for not knowing, or the language's fault for not handling it right? Other topics he touches on as well are short tags and the use of filtering for all user input...

tagged: security dumb user api xss short tag htmlspecialchars security dumb user api xss short tag htmlspecialchars

Link:

SitePoint PHP Blog:
PHP Security - Dumb Users or Dumb APIs?
Jan 25, 2006 @ 13:06:37

On the SitePoint PHP Blog today, there's a new post from Harry Fuecks with his take on the whole "PHP security" issue that's being tossed around lately.

There's another round of "Is PHP Secure?" debate happening right now. Chris drew attention to it, pointing to a post by Andrew van der Stock (who’s a contributor to OWASP): PHP Insecurity: Failure of Leadership.

So the usual denials have been made (see replies to Chris’s entry) - "Damn newbies", "Holes in PHP-based app != PHP insecure", etc., all of which I agree with. But...

He also mentions that this kind of talk could do more harm than good, making people that were on the edge lean back and take another look somewhere else. He also gives an example, a short bit of PHP and HTML that shines light on a typical XSS example - and asks if it's the developer's fault for not knowing, or the language's fault for not handling it right? Other topics he touches on as well are short tags and the use of filtering for all user input...

tagged: security dumb user api xss short tag htmlspecialchars security dumb user api xss short tag htmlspecialchars

Link:


Trending Topics: