Director’s Blog
October 8, 2007

Web application security

Filed under: tech — Tom Holub @ 2:42 pm

A departmental web manager recently asked me what she could do about the security of the web-based databases she had recently inherited. There are generally two classes of web attacks I see on campus: exploitation of known problems in open-source web-based systems (such as Mambo, phpwebsite, phpBB), and specific attacks on insecure aspects of a home-grown application.

The former are far more prevalent. A typical attack vector is to search Google for sites which are running known-insecure versions of a package, break into those sites, run malicious code (often leaving “zombies” in place to participate in spamming), and try to leave back doors to get back into the machine. Usually these attacks are not directed at the department in question; the hackers are just looking for a machine to use for their own purposes.

The latter are less prevalent, but can be more problematic, as they are more likely to represent an attack directed at the department or the application in question. However, I’ve also seen some examples of hackers attacking a departmental application simply because it was easy to find holes in.

In either case, you want to follow good coding and administration practices to reduce your risk. Never have world-writable directories within the web hierarchy. Any time you get input from the user, test that input for validity, ideally with a positive rather than a negative test (that is, test “does the input contain only A-Z and 0-9?” rather than “does the input not contain |'"/\, etc.?”). If you install someone else’s software (open-source or not), put yourself on the mailing list for security updates, and install those as soon as they are available. If you customize someone else’s software, realize that upgrading it will be challenging in direct proportion to the extent that you’ve customized it.
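As an added illustration (not code from the original post), here is the positive-versus-negative test side by side in Python, run over constructed inputs for a field assumed to hold a short username; the post is about PHP, but the same anchoring pitfall with `$` exists in PCRE.

```python
import re

# Positive ("allowlist") test: accept only what we explicitly expect.
# re.fullmatch anchors at both ends and, unlike a trailing "$", does not
# let a final newline slip through.
ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")  # assumed field: 1-32 char username

# Same allowlist anchored with "^...$": shown only as the pitfall.
# "$" also matches just before a trailing newline, so "alice\n" passes.
DOLLAR_ANCHORED = re.compile(r"^[A-Za-z0-9]{1,32}$")

# Negative ("denylist") test: reject the characters we happened to think of.
# Anything not on the list (spaces, ';', '=', newline, NUL, ...) gets through.
FORBIDDEN = re.compile(r"[|'\"/\\]")


def positive_ok(value: str) -> bool:
    """True only if value is made entirely of A-Z, a-z, 0-9 (1-32 chars)."""
    return ALLOWED.fullmatch(value) is not None


def dollar_ok(value: str) -> bool:
    """Allowlist anchored with '$': wrongly accepts a trailing newline."""
    return DOLLAR_ANCHORED.match(value) is not None


def negative_ok(value: str) -> bool:
    """True if value contains none of the listed 'bad' characters."""
    return FORBIDDEN.search(value) is None


# Constructed sample inputs for the username field.
SAMPLES = [
    "alice42",       # legitimate
    "alice;id",      # shell metacharacter the denylist never listed
    "alice\n",       # trailing newline: '$' accepts, fullmatch rejects
    "alice\x00",     # NUL byte
    "1 OR 1=1",      # spaces and '=' are not on the denylist either
    "o'neil",        # the one case the denylist does catch
    "",              # empty
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:14} positive={positive_ok(s)!s:5} "
              f"dollar={dollar_ok(s)!s:5} negative={negative_ok(s)}")
```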

Breaking into computers is no longer the province of 14-year-olds with too much time on their hands; it’s now a huge business with ties to organized crime. Access to compromised machines and applications is sold on the black market. Attacks continue to become more sophisticated, and our practices need to change to keep our machines and data safe.

I should remind you that PHP 4 has reached the end of its support life; we currently have a PHP 5 server up and running if you want to test your code before we go live with the new version around the end of calendar 2007. Mail sysadmin@LS if you are interested in getting a test directory in the PHP 5 installation.

Posts and comments on this blog are the opinions of their authors, and do not necessarily represent the opinions of LSCR, the College of Letters & Science, or the University.