
From the News Desk
Thursday, 16. August 2007

PHP Not Guilty in Facebook Code Leakage


Recently, the Facebook home page displayed the source code for the web site instead of the result of executing that source code. Omnidrive's Nik Cubrilovic, who reported the leak, said PHP was responsible for the leakage. "PHP has always been notorious for sometimes not processing requests poorly and sending back the source code for pages to the client. Because of the way mod_php works with apache, if mod_php fails in intercepting and processing the request, then apache will just serve it back to the client as an ordinary text file." He also posted four tips to prevent PHP source leakage:
  • Use mod_security to filter output and prevent leakage: write mod_security rules that detect when the output is PHP source code and block it, giving the user an error page instead. The same approach lets system administrators detect other kinds of information leakage and stop them from escaping.
  • Code should live outside of the web root: keep all logic and sensitive code outside the web root. Logic files can be pulled in with the include() function. Do this for every file that stores database information or passwords, and keep only a single index.php inside the web root, which includes a file outside the web root where the rest of the work happens.
  • Change the default file type: Apache treats files as text/plain by default. It is recommended to treat all PHP files as PHP (and then have certain types handled as plain text).
  • Deny all outside of the web root: assuming the web root is ‘www’, set up every other directory and file so that it is not served.
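The four tips above map onto a small amount of Apache configuration. The virtual host below is an added example, not configuration from the article or from any of the people it quotes; it assumes Apache httpd 2.4 syntax (the 2007-era `Order`/`Deny from all` form is equivalent), ModSecurity 2.x loaded as `security2_module`, mod_php registered as `php5_module`, and the paths `/srv/site/www` (web root) and `/srv/site/app` (everything else). The rule id and hostname are placeholders.

```apache
# Added example: one virtual host applying the four leak-prevention tips.
# Paths, module identifiers, the rule id and the hostname are assumptions.

<VirtualHost *:80>
    ServerName www.example.com          # placeholder hostname
    # Only "www" is the web root; index.php is the sole file kept there and
    # starts with  require '/srv/site/app/bootstrap.php';  so credentials and
    # logic never sit under DocumentRoot (tip 2).
    DocumentRoot /srv/site/www

    # Tip 4: deny everything on the filesystem by default ...
    <Directory />
        Require all denied
        AllowOverride None
        Options None
    </Directory>

    # ... and grant access only to the web root itself.
    <Directory /srv/site/www>
        Require all granted
        Options -Indexes
    </Directory>

    # Tip 3: bind .php files to the PHP handler explicitly instead of relying
    # on the text/plain default.
    <IfModule php5_module>
        <FilesMatch "\.php$">
            SetHandler application/x-httpd-php
        </FilesMatch>
    </IfModule>
    # If the PHP module is not loaded (a broken build or a bad upgrade),
    # refuse to serve .php files at all rather than shipping them as text.
    <IfModule !php5_module>
        <FilesMatch "\.php$">
            Require all denied
        </FilesMatch>
    </IfModule>

    # Tip 1: ModSecurity rule that inspects the outgoing body and blocks it
    # when it looks like PHP source. text/plain must be in the inspected MIME
    # types, because that is how a leaked file would be served.
    <IfModule security2_module>
        SecRuleEngine On
        SecResponseBodyAccess On
        SecResponseBodyMimeType text/plain text/html
        SecRule RESPONSE_BODY "@rx <\?(php|=)" \
            "id:900100,phase:4,deny,status:500,log,msg:'PHP source leaked in response body'"
    </IfModule>
</VirtualHost>
```

The negated `<IfModule !php5_module>` block is the part that directly addresses the failure mode Cubrilovic describes: when the PHP module is absent, Apache's default handler would otherwise serve a `.php` file as a static document. The ModSecurity rule is the backstop for any other path to the same outcome, at the cost of buffering response bodies (bounded by `SecResponseBodyLimit`), so it is worth confirming the memory overhead on a staging host before enabling it on a busy one.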

The post invited strong reactions from the community. Clay Loveless said, "PHP doesn’t cause website problems and inadvertent code leaks. People making mistakes while using PHP and other powerful tools do. It’s infinitely more likely that Facebook’s problems were caused by a system administrator breaking some web server configuration (possibly not even PHP-specific configuration), or a new installation of a mod_php build that hadn’t been tested properly in a non-production environment."

Vidyut Luther also noted the following key industry practices:

  • Use firewalls: firewalls can help prevent unauthorized access to your web servers. If you use PHP, more than likely your server will just give out the root password under high load.
  • Enable SSH on a different port: all PHP hackers know that SSH runs on port 22, trick them all by using port 4222.. they’ll never be able to guess it. For more fun, write a script that will change the SSHD listen port randomly by the hour..
  • Test: there is one thing that you absolutely need to do with PHP code, and that is called testing. See, PHP code unlike any other code sometimes just doesn’t do what you want.. it does what you told it to do… unless of course you’ve tested it, and trained it. So, if you test and train the PHP (mod_knowwhatimeant), you’re guaranteed to have the code work to your liking.
