OSCMS – Rasmus on PHP

Rasmus Lerdorf on PHP and Internet security. (One of the sessions I attended at OSCMS)

(For what it’s worth – if you have any issue or disagreement with my barely technical descriptions below, please take it up “in original” – i.e. with Rasmus, and not me. PHP security auditing is not my job, and I’m just giving a basic report back).

Rasmus began his talk by saying “Basically, you should never ever ever click on a link.” Or even mouse over it, apparently. Now, I’m not a PHP coder, but most of what he explained was understandable by me, and thus scary. His main point was to illustrate that you can “inject” javascript into PHP (and thus almost any webpage) quite easily, and hence you have to be a) very diligent about your PHP scripting, b) even more diligent about your web browsing.
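To make the "inject javascript into PHP" point concrete, here is an added example (my own illustration, not code from Rasmus's talk or slides): a hypothetical PHP page that greets a visitor by name from a query-string parameter. The unsafe version echoes the input straight into the HTML, which is what lets a crafted link plant script in the response; the hardened version escapes for the HTML context with `htmlspecialchars` before output, and restricts link targets to http(s) so a `javascript:` URL never lands in an `href`. The `$payload` string is a constructed sample, not anything from the talk.

```php
<?php
// Added example, not from the original post: why "be diligent about your
// PHP scripting" comes down to escaping untrusted input before output.
declare(strict_types=1);

// Vulnerable: whatever arrives in ?name=... is placed in the page verbatim,
// so a link carrying markup or script gets executed by the visitor's browser.
function render_greeting_unsafe(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// HTML-context escaper. ENT_QUOTES covers both quote styles so the same
// helper is safe inside attribute values; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string and silently dropping content.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: the same page, with the untrusted value escaped on output.
function render_greeting_safe(string $name): string
{
    return "<p>Hello, " . esc($name) . "</p>";
}

// Attribute context: escaping keeps an injected quote from closing the
// attribute, and the scheme check keeps javascript: URLs out of href.
function render_link_safe(string $label, string $href): string
{
    if (!preg_match('#^https?://#i', $href)) {
        $href = '#';   // refuse anything that is not a plain web URL
    }
    return '<a href="' . esc($href) . '">' . esc($label) . '</a>';
}

// Constructed sample input of the kind a trap link would carry.
$payload = 'Bob<script>alert(1)</script>';

echo render_greeting_unsafe($payload), PHP_EOL;   // script tag survives intact
echo render_greeting_safe($payload), PHP_EOL;     // angle brackets become entities
echo render_link_safe('Say "hi"', 'javascript:alert(1)'), PHP_EOL;
```

Run it with `php example.php` and compare the first two lines: in the unsafe output the `<script>` tag is still a tag, while in the safe output it has been turned into literal text the browser displays rather than runs. The rule this illustrates is that escaping belongs at the point of output and must match the context (HTML body, attribute, URL), which is why the link helper does more than call `esc` on the URL.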

For example, a (trap) page could load an invisible section that listed a number of popular websites – including Yahoo and Bank of America – that would not be visible to the person browsing. Javascript could then analyze whether any of the links had been “followed” by checking the color state of the link – the logic being that if the link to Bank of America has been followed, you probably have an account there. The javascript could then check any other open browser tabs and compare them to the standard homepage (like Bank of America, for example). If they differ, that (likely) means you are currently logged in – and the javascript can take actions on that account! Sure, you can argue that there’s a lot of programming involved to get that far, and then much more to actually do anything fun with the bank account you’re logged into. Rasmus went on to describe another type of attack that loads an invisible IFrame in your browser window that could log keystrokes, and even take actions on other open browser tabs (a more sophisticated version of the above). He showed how this is possible on something as simple as a “mouseover” command in PHP – using sophisticated javascript injection attacks.

Someone asked him if he ever developed a tool to scan pages for the types of holes in poorly formatted PHP that he was talking about. He admitted he had, but he did not make the tool available, because he would discover too many large corporate sites (including banks) that had vulnerabilities. In his words, “I didn’t want to be the guy that released the tool that broke the web.”

(If anyone finds a link to his presentation – did he even have any slides? – lemme know.)
