Tag Archives: Security

If you store WordPress code on Github think about your wp-config.php

If you store WordPress code on GitHub in a public repository, all of your code is public. Most people know and accept this, but many either don’t realise that their database credentials (DB_NAME, DB_USER, DB_PASSWORD and DB_HOST) sit in plain text in wp-config.php, or they do realise and forget to exclude the file from the repository.

This means that if you do a simple Google search for site:github.com master/wp_config.php password blob DB_PASSWORD you will find a whole rake of folk with their passwords on display.

From the outside it is impossible to tell whether these are sample details or real ones, but it is still crummy practice, and if you do it you need to stop now. Adding wp-config.php to .gitignore is not enough on its own either: if the file has ever been committed, the password is still in the repository history, so treat it as compromised and change it.

I will be contacting people I find to let them know, but please pass this message on to any WordPress/GitHub users you know.
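As an added example (not code from the original post), here is a shell check that a git pre-commit hook can run to refuse a wp-config.php whose DB_NAME, DB_USER, DB_PASSWORD or DB_HOST still hold live values, alongside the safe pattern of reading those values from the environment so the committed file contains no secrets. It assumes the placeholder strings are the ones WordPress ships in wp-config-sample.php (database_name_here, username_here, password_here, localhost) and treats anything else as a real credential; the two sample config files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Blocks a commit that would
# publish real database credentials in wp-config.php.
# Assumption: the placeholder values are the ones in WordPress's
# wp-config-sample.php; any other quoted value is treated as a live credential.

# check_wp_config FILE [LABEL]
# exit 0 if FILE is safe to publish, 1 if any DB_* constant holds a real value
check_wp_config() {
    file="$1"; label="${2:-$1}"; leaks=0
    for const in DB_NAME DB_USER DB_PASSWORD DB_HOST; do
        # second quoted argument of define('DB_X', '...'); a value supplied by
        # getenv() or a variable has no quote after the comma and is skipped
        value=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$const['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$file" | head -n 1)
        case "$value" in
            ''|database_name_here|username_here|password_here|localhost) ;;
            *) echo "LEAK: $const holds a real value in $label" >&2
               leaks=$((leaks + 1)) ;;
        esac
    done
    [ "$leaks" -eq 0 ]
}

# precommit_hook: call this from .git/hooks/pre-commit; it checks every staged
# wp-config.php as it will appear in the commit and fails if any of them leaks
precommit_hook() {
    status=0
    for path in $(git diff --cached --name-only --diff-filter=AM | grep -E '(^|/)wp-config\.php$'); do
        tmp=$(mktemp)
        git show ":$path" > "$tmp"          # the staged blob, not the working copy
        check_wp_config "$tmp" "$path" || status=1
        rm -f "$tmp"
    done
    return "$status"
}

# demo on two constructed files: credentials pasted straight in, and the same
# file reading its secrets from the environment so the committed copy has none
demo() {
    dir=$(mktemp -d)
    cat > "$dir/leaky-wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_blog' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'Tr0ub4dor&3' );   /* constructed sample */
define( 'DB_HOST', 'localhost' );
EOF
    cat > "$dir/safe-wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', getenv('WP_DB_NAME') );
define( 'DB_USER', getenv('WP_DB_USER') );
define( 'DB_PASSWORD', getenv('WP_DB_PASSWORD') );
define( 'DB_HOST', 'localhost' );
EOF
    for f in "$dir"/*.php; do
        if check_wp_config "$f" 2>/dev/null; then echo "OK:   $f"; else echo "FAIL: $f"; fi
    done
    rm -rf "$dir"
}
demo
```

The hook checks the staged blob rather than the working copy, so a file that was edited after `git add` cannot slip through; pair it with a `wp-config.php` line in .gitignore so the file is normally never staged at all.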


Securing Facebook

Recently a couple of non-technical friends and family members have been asking me about securing Facebook beyond just locking down who can see what.

The best way I know of to achieve a more secure Facebook is to do the following:

  1. Click on Account > Account Settings
  2. Under Account Security hit Change.
  3. Tick to use https://
  4. Tick to email you when a new computer logs in.
  5. Hit Save

That is it! 5 steps to a more secure Facebook.

The first thing you tick, use https://, means that everything sent between your computer and Facebook is encrypted, so a ‘hacker’ type person sitting on the same network has a hard time reading it. (Without it ticked it is surprisingly easy to grab Facebook logins off a shared wireless network!)

The second thing you tick, email me when a new computer logs in, means that each time you log into your account from a computer Facebook hasn’t seen before it asks you to give that computer a name. I just use things like ‘TobyMac’ or ‘TobyLaptop’. Once you do this you get two pretty awesome things.

The first is an email, so if someone gets into your account from their machine you know about it immediately.

The second is a list of the named computers that have been used on your account, which you can see by going back to Account Security.

Hopefully this makes sense, is easy to do and will keep you more secure!

If you found this useful please email or Facebook this link around -> http://bit.ly/h8rB8x


The importance of supporting OWASP

OWASP, the Open Web Application Security Project, is a free and open, community-based project that provides an absolute wealth of knowledge, tools and papers to help anyone involved in designing, developing, deploying or supporting a web application ensure that security is built in from the ground up and that the overall product is as secure as it can be.

Because it is so free and open you can visit the site right now and check out some of the really cool things like:

All for free: literally thousands of hours’ worth of work from some of the top security professionals in the world, available completely free. It is brilliant, and exactly why the internet is just a great place to work.

OWASP is split into localised chapters, with new ones popping up all the time.  My local chapter would be the Dublin based one (so I use the term local very very loosely, I even have to take out crazy fake money when I go down there!).

Again, you can join chapters for free; this gives you access to mailing lists and free talks that are put on as regularly as can be organised. In my opinion anyone who gives half a crap about the security of the web applications they are creating should be attending these talks as often as they can. I mean, it is free: you are getting security advice from professionals who have proven their chops many times over.

The other thing you can do, and the real point of my post, is that you can become a paid supporter.  This costs a minimum of $50, which I think is more than fair for the amount of excellent information available on their site alone (ignoring the talks organised by chapters), in fact, I say more than fair – I have spent more on ale in an evening, and I am willing to bet you have chucked away more than $50 on lesser causes before.

By rights the $50 should just get you the nice feeling of knowing you have contributed to an excellent cause, but it doesn’t end there: OWASP is such an awesome project that occasionally there will be extra talks or training sessions put on for paid-up members by way of a thank you. That is just bloody awesome; to get to talk to some of the top security professionals in the world, or to get trained by them, $50 is a steal.

Sign up now. (or do what I did and ask your company to sign you up!)


PHP Security – General PHP setup Gotchas

This is my first in a series of 9 posts dealing with PHP Security, my plan is to cover some of the broad topics associated with certain aspects of developing secure PHP applications in plain English.

Whilst I will be providing examples throughout, I will not labour certain points; I will, however, attempt to provide plenty of sources that you can use to read up on the various topics.

For this post I want to talk about some general PHP setup gotchas that you might want to look out for. There is a tendency amongst some people (especially if they have never had to install PHP themselves) to assume that the default settings their host gave them are the most secure ones. There are three things wrong with thinking like that.

  1. It is lazy (and worst of all, boring)
  2. The standard settings may not be the most secure for your setup.
  3. Who said they gave you the standard settings?

You should always check out your Apache/MySQL/PHP settings on any new server.

Register Globals

The first setting you should look up in php.ini is register_globals, and you should make sure it is Off. Off has been the default since PHP 4.2 (the directive was deprecated in 5.3 and removed altogether in 5.4), but it is worth a quick look because this little blighter can get you into a world of trouble (if you are a bad coder).

The reason I say if you are a bad coder is that register_globals does nothing dangerous on its own; it simply turns every request parameter into a PHP variable before your script runs. If your code isn’t tight enough, that lets anyone type something like…

http://yoursite.com/page.php?newVar=h@xx0r

and $newVar is now set in your script to h@xx0r before a single line of your code has executed. Any variable you read before you assign it, say an $authenticated flag that is only ever set after a successful login, can be supplied by the attacker instead, and it doesn’t take a security expert to realise what crap that could land you in.

If you don’t have access to the php.ini file on your server you can set the directive in the .htaccess file in the root of your web folder, provided PHP runs as an Apache module (mod_php) and the server allows overrides. The line you need to add is..

php_flag register_globals off

If PHP runs as CGI or FastCGI instead, php_flag lines are ignored; put register_globals = Off in a .user.ini file (PHP 5.3 and later) or ask your host to set it in php.ini.

Whilst turning register_globals off is best practice to keep your code a little less vulnerable, it will also surface code that was quietly relying on it, so you should really be turning on error logging to point you in the right direction from time to time, which leads me very nicely onto my next heading…

Error Reporting

Error Reporting is concerned with which errors PHP records, where it stores them, and whether it displays them.  There are essentially four settings we should be concerning ourselves with; as with register_globals these can be set in php.ini, in a .htaccess file or in your PHP code with ini_set() (bearing in mind that a setting made in code cannot affect errors, such as parse errors, that happen before the script starts running).

  • error_reporting (Which I think should be set to E_ALL | E_STRICT *)
  • display_errors (On for an internal DEV server or your home setup, Off for a client setup)
  • log_errors (You should always have this set to On)
  • error_log (You set this to where you want the logs to be stored eg /location/to/log **)

* E_ALL means report everything: errors, warnings and notices alike. E_STRICT adds PHP’s own suggestions about code that will break in future versions; from PHP 5.4 onwards it is already included in E_ALL.

** Your log must not live anywhere under the www folder. Error messages give away file paths, SQL fragments and library versions that could really help a potential hacker, and a log inside the web root can simply be downloaded with a browser. Make sure the web server user can write to wherever you do put it, or nothing gets logged at all.

You can set up your own error handling within PHP with set_error_handler(), but my suggestion would be to let a framework do this for you; only roll your own if you are confident in your abilities, because if there is an error in your error handler, well…
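As an added example (not from the original post), here is a shell audit that reads a php.ini and reports the settings covered under Register Globals and Error Reporting above: register_globals, error_reporting, display_errors, log_errors and error_log, including whether the log lands under the document root. It reads php.ini only (not .htaccess or .user.ini), treats a missing register_globals as Off, flags any error_reporting value that masks something with ~, and the php.ini it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a php.ini for the setup
# gotchas above. Reads php.ini only; .htaccess overrides are not considered.

# norm_bool VALUE -> "on" or "off", accepting php.ini's boolean spellings
norm_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# ini_get FILE KEY -> last effective value of KEY (later lines win in PHP),
# with trailing ";" comments, whitespace and surrounding quotes stripped
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' |
        tail -n 1
}

finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

# audit_php_ini FILE DOCROOT [prod|dev] -> prints findings, returns their count
audit_php_ini() {
    ini="$1"; docroot="$2"; mode="${3:-prod}"; findings=0

    # register_globals: must be Off (absent counts as Off; removed in PHP 5.4)
    [ "$(norm_bool "$(ini_get "$ini" register_globals)")" = on ] &&
        finding "register_globals is On; set it Off"

    rep=$(ini_get "$ini" error_reporting)
    case "$rep" in
        "")  finding "error_reporting is unset; use E_ALL | E_STRICT" ;;
        *~*) finding "error_reporting ($rep) masks some errors; E_ALL | E_STRICT reports everything" ;;
    esac

    # display_errors: fine on a dev box, never on a client-facing host
    [ "$mode" = prod ] && [ "$(norm_bool "$(ini_get "$ini" display_errors)")" = on ] &&
        finding "display_errors is On on a production host; errors belong in the log, not the page"

    [ "$(norm_bool "$(ini_get "$ini" log_errors)")" = off ] &&
        finding "log_errors is Off; set it On"

    log=$(ini_get "$ini" error_log)
    if [ -z "$log" ]; then
        finding "error_log is unset; set it to a file outside the web root"
    else
        case "$log" in
            "$docroot"/*) finding "error_log ($log) is under the document root $docroot and can be fetched over HTTP" ;;
        esac
    fi
    return "$findings"
}

# demo on a constructed php.ini that gets every one of the gotchas wrong
demo_audit() {
    ini=$(mktemp)
    cat > "$ini" <<'EOF'
; constructed sample php.ini
register_globals = On
error_reporting = E_ALL & ~E_NOTICE
display_errors = On
log_errors = Off
error_log = /var/www/html/php_errors.log
EOF
    audit_php_ini "$ini" /var/www/html prod
    echo "findings: $?"
    rm -f "$ini"
}
demo_audit
```

Run it as `audit_php_ini /etc/php5/apache2/php.ini /var/www prod` on a new box (adjust the paths to wherever your distribution keeps php.ini and the web root); a non-zero exit is the number of things to fix before the server goes near a client.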

Closing Up

You could write a small book on how to securely set up a server, and of course by the time you had written it the tips would be obsolete.  I will leave this post here with those two categories for now, because these are the main ones that keep cropping up when people mention PHP setup and security.

When I start writing my next post (entitled Forms and Filtering) there will be a lot more content to get your teeth into, because if you can write bullet proof code your app should be able to stand up on all but the most flaky of server setups!

Resources

If you thought this post was in any way useful, please share it with others who you think would also benefit.


Skipfish – No such file or directory.

I wanted to play about with Google’s Skipfish to see if it could automate any of my security scans and grabbed the source code from the code library.

When I tried to make the file whilst running Ubuntu 9.10 I was presented with the following error:

cc -L/usr/local/lib/ -L/opt/local/lib skipfish.c -o skipfish -O3 -Wno-format -Wall -funsigned-char -g -ggdb -I/usr/local/include/ -I/opt/local/include/ -D_FORTIFY_SOURCE=0 \
http_client.c database.c crawler.c analysis.c report.c -lcrypto -lssl -lidn -lz
In file included from crawler.h:26,
from skipfish.c:39:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from crawler.h:26,
from skipfish.c:39:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
skipfish.c: In function ‘main’:
skipfish.c:154: warning: implicit declaration of function ‘SSL_library_init’
http_client.c:37:25: error: openssl/ssl.h: No such file or directory
http_client.c:38:25: error: openssl/err.h: No such file or directory
http_client.c:39:18: error: idna.h: No such file or directory
http_client.c:40:18: error: zlib.h: No such file or directory
In file included from database.h:29,
from http_client.c:45:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
http_client.c: In function ‘parse_url’:
http_client.c:285: warning: implicit declaration of function ‘idna_to_ascii_8z’
http_client.c:285: error: ‘IDNA_SUCCESS’ undeclared (first use in this function)
http_client.c:285: error: (Each undeclared identifier is reported only once
http_client.c:285: error: for each function it appears in.)
http_client.c: In function ‘parse_response’:
http_client.c:1516: error: ‘z_stream’ undeclared (first use in this function)
http_client.c:1516: error: expected ‘;’ before ‘d’
http_client.c:1521: error: ‘d’ undeclared (first use in this function)
http_client.c:1531: warning: implicit declaration of function ‘inflateInit2’
http_client.c:1531: error: ‘Z_OK’ undeclared (first use in this function)
http_client.c:1532: warning: implicit declaration of function ‘inflateEnd’
http_client.c:1537: warning: implicit declaration of function ‘inflate’
http_client.c:1537: error: ‘Z_FINISH’ undeclared (first use in this function)
http_client.c:1540: error: ‘Z_BUF_ERROR’ undeclared (first use in this function)
http_client.c:1540: error: ‘Z_STREAM_END’ undeclared (first use in this function)
http_client.c: In function ‘destroy_unlink_conn’:
http_client.c:1636: error: ‘struct conn_entry’ has no member named ‘q’
[... SNIP SNIP! ...]
http_client.c:2188: error: ‘struct conn_entry’ has no member named ‘next’
http_client.c:2192: error: ‘struct conn_entry’ has no member named ‘q’
In file included from database.c:33:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from database.c:33:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
In file included from crawler.c:30:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from crawler.c:30:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
In file included from analysis.c:28:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from analysis.c:28:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
analysis.c: In function ‘maybe_xsrf’:
analysis.c:397: warning: implicit declaration of function ‘time’
In file included from report.c:33:
http_client.h:26:25: error: openssl/ssl.h: No such file or directory
In file included from report.c:33:
http_client.h:189: error: expected specifier-qualifier-list before ‘SSL_CTX’
make: *** [skipfish] Error 1

Some digging about made me realise this is a fairly common problem even if your machine has a fairly good set of dependencies downloaded.

Every ‘No such file or directory’ above is a missing development header: openssl/ssl.h and openssl/err.h come from libssl-dev, idna.h from libidn11-dev and zlib.h from zlib1g-dev (neither zlibc nor zlib-bin ships the header). The rest of the errors, the undeclared SSL_CTX and z_stream and the missing struct conn_entry members, all cascade from those missing includes. Installing the headers along with build-essential for the compiler should act as a catch-all and set you up to be able to play with this tool:

sudo apt-get install build-essential libssl-dev zlib1g-dev zlibc zlib-bin libidn11-dev libidn11
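As an added example (not part of the original post), here is a shell preflight that tests for the headers the compiler complained about and names only the Debian/Ubuntu packages that are actually missing, so you can install what the build needs rather than everything you can think of. The header-to-package mapping (libssl-dev, libidn11-dev, zlib1g-dev) and the /usr/include default are assumptions about a stock Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example, not from the original post. Before running make, check which
# development headers skipfish needs are missing and name only the packages
# that will fix them. Header-to-package mapping assumes Debian/Ubuntu.

# check_build_deps [INCLUDE_ROOT] -> prints the missing -dev packages on one
# line and returns 1; prints nothing and returns 0 when all headers are present
check_build_deps() {
    root="${1:-/usr/include}"
    pkgs=""
    # each header named in the compiler output, and the package that ships it
    for pair in openssl/ssl.h:libssl-dev openssl/err.h:libssl-dev \
                idna.h:libidn11-dev zlib.h:zlib1g-dev; do
        hdr="${pair%%:*}"; pkg="${pair##*:}"
        [ -f "$root/$hdr" ] || pkgs="$pkgs $pkg"
    done
    [ -z "$pkgs" ] && return 0
    # both openssl headers map to libssl-dev, so de-duplicate before printing
    printf '%s\n' $pkgs | sort -u | xargs
    return 1
}

if pkgs=$(check_build_deps /usr/include); then
    echo "all skipfish build dependencies are present; run make"
else
    echo "missing headers; run: sudo apt-get install build-essential $pkgs"
fi
```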
