the security state of
play

The Security State of Open Source PHP Applications Dr. Johannes - PowerPoint PPT Presentation

Jul 24, 2023 •33 likes •673 views

The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH Introduction About Johannes Dahse Master IT Security at RUB, Germany (2006 - 2012) Capture The Flag (CTF) Contests Security Consultant

  1. The Security State of Open Source PHP Applications Dr. Johannes Dahse, RIPS Technologies GmbH

  2. Introduction About Johannes Dahse ● Master IT Security at RUB, Germany (2006 - 2012) ● Capture The Flag (CTF) Contests ● Security Consultant ● Developer of RIPS open source security scanner (2009 - 2011) ● PhD in „Static Code Analysis“ at RUB (2013 - 2016) ● CEO & Co-Founder RIPS Technologies GmbH

  3. Introduction Why care about PHP security? #1 Choice 22 Attacks/Day of cyber criminals on an average website 90% $3.8M use open source libraries average data breach costs

  4. Introduction The Security State of Top 5 PHP Applications Top 50 PHP Applications PHP Application Extensions Top 6 PHP Frameworks

  5. The Security State of the Top 5 PHP Applications

  6. The Security State of the Top 5 PHP Applications CMS Market Share WordPress 25% Joomla! Drupal 1% Magento 2% 60% 5% Typo3 7% Other Source: w3techs.com

  7. Top 5 PHP Applications Security Features Application Prepared Template CSRF Password Security Auto Bug Bounty (latest version) Statements Engine Protection Hashing Team Update* Program WordPress vsprintf() none yes phpass yes yes yes Joomla! MySQLi custom yes bcrypt yes no no Drupal PDO Twig yes salted sha-512 yes no 2015 Magento PDO custom yes salted sha-256 yes no yes Typo3 Doctrine Fluid yes pbkdf2 yes yes no *Pro/Con Discussion: https://www.drupal.org/node/2367319

  8. Top 5 PHP Applications Vulnerabilities Number of Vulnerabilities per Year 45 40 WordPress 35 Joomla! 30 25 Drupal 20 15 Magento 10 Typo3 5 0 2010 2011 2012 2013 2014 2015 2016 2017 Source: cvedetails.com

  9. Top 5 PHP Applications Vulnerabilities Number of Critical Vulnerabilities per Year (CVSS Score > 7) 8 WordPress 7 6 Joomla! 5 4 Drupal 3 Magento 2 1 Typo3 0 2010 2011 2012 2013 2014 2015 2016 2017 Source: cvedetails.com

  10. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 ● MySQL‘s utf8 charset only supports 3-byte characters ● Strings with 4-byte characters will be truncated when inserted into utf8 columns Insert: test 𝌇 123 Result: test ● Solution: Use MySQL strict mode or latin1 charset https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  11. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  12. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 < div class="comment" id="comment-1" > < div class="comment-content" > < a title='test 𝌇 123' >click</ a > </ div > </ div > https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  13. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 < div class="comment" id="comment-1" > < div class="comment-content" > < a title='test </div> </div> https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  14. Top 5 PHP Applications Vulnerability Example #1 CVE-2015-3438 – Persistent XSS in Wordpress 4.1.2 < div class="comment" id="comment-1" > < div class="comment-content" > < a title='test </div> </div> <div class="comment" id="comment-2"> <div class="comment-content"> hack' onmouseover=' alert(1) ' style='width :100%; height :100%; … ' </ div > </ div > https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/

  15. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  16. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 class LoginController extends JControllerLegacy { public function login() { ⋮ $app = JFactory:: getApplication (); ⋮ $model = $this->getModel( 'login' ); $credentials = $model->getState( 'credentials' ); ⋮ $app->login($credentials, array ( 'action' => 'core.login.admin' )); } https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  17. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 class JApplicationCms extends JApplicationWeb { public function login($credentials, $options = array ()) { ⋮ $authenticate->authenticate($credentials, $options); } } class JAuthentication extends Jobject { public function authenticate($credentials, $options = array ()) { ⋮ $plugin ->onUserAuthenticate($credentials, $options, $response); } https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  18. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 class PlgAuthenticationLdap extends JPlugin { public function onUserAuthenticate($credentials, $options, &$response){ ⋮ $userdetails = $ldap->simple_search( str_replace( '[search]' , $credentials[ 'username' ], $this-> params ->get( 'search_string' ) // uid=[search] ) ); } https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  19. Top 5 PHP Applications Vulnerability Example #2 CVE-2017-14596 – LDAP Injection in Joomla! 1.5 - 3.7.5 XXX;(&(uid=Admin)(userPassword= A* )) XXX;(&(uid=Admin)(userPassword= B* )) XXX;(&(uid=Admin)(userPassword= C* )) ... XXX;(&(uid=Admin)(userPassword= s* )) ... XXX;(&(uid=Admin)(userPassword= se* )) ... XXX;(&(uid=Admin)(userPassword= sec* )) ... XXX;(&(uid=Admin)(userPassword= secretPassword )) https://blog.ripstech.com/2017/joomla-takeover-in-20-seconds-with-ldap-injection-cve-2017-14596/

  20. Top 5 PHP Applications Vulnerability Demo #2

  21. Top 5 PHP Applications Conclusion ● Good security features by default ● Great security teams ● Bug bounty programs ● But very attractive targets ● Average 14 security issues reported per year ● Average 1-2 critical issues reported per year https://codex.wordpress.org/Hardening_WordPress ● As secure/insecure as any other popular software https://docs.joomla.org/Security_Checklist/en https://www.drupal.org/docs/8/security https://magento.com/security/best-practices https://docs.typo3.org/typo3cms/SecurityGuide/

  22. The Security State of the Top 50 PHP Applications

  23. The Security State of the Top 50 PHP Applications ● PHP Applications within the list of popular CMS (w3techs.com) ● E.g. PrestaShop, phpBB, SugarCRM ● Popular PHP Applications with a similar high google trend ● E.g. phpMyAdmin, Piwik, Roundcube ● 50 Applications, 13.2 MLOC total (300 KLOC average) ● Automated code analysis

  24. Top 50 PHP Applications Security State Time To Fix (if) Critical Detected by RIPS Security Contact Available 33% 39% 42% 44% 56% 58% 28% Yes No Yes No 2 weeks 6 weeks 3 month

  25. Top 50 PHP Applications Attack Vectors File Inclusion Code Execution SQL Injection Path Traversal File Upload PHP Object Injection Command Execution Cross-Site Scripting

  26. Top 50 PHP Applications Critical Examples Software Attack Vector detected by RIPS Roundcube Command Execution via Email FreePBX Command Execution via Cross-Site Scripting Coppermine Command Execution via SQL Injection osClass Command Execution via Local File Inclusion Expression Engine Command Execution via PHP Object Injection KLIQQI CMS Command Execution via Cross-Site Request Forgery Redaxo CMS Command Execution via Cross-Site Request Forgery Precurio Command Execution via Path Traversal Serendipity Command Execution via Logical Flaw https://demo.ripstech.com

  27. Top 50 PHP Applications Vulnerability Example #1 CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2 https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

  28. Top 50 PHP Applications Vulnerability Example #1 CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2 $from = rcube_utils:: get_input_value ( '_from' , rcube_utils:: INPUT_POST ); $RCMAIL->deliver_message($MAIL, $from, $mailto, $error); public function deliver_message(&$message, $from, $mailto, &$error) { ⋮ if (filter_var(ini_get( 'safe_mode' ), FILTER_VALIDATE_BOOLEAN )) $sent = mail($to, $subject, $msg_body, $header_str); else $sent = mail($to, $subject, $msg_body, $header_str, "-f $from " ); https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

  29. Top 50 PHP Applications Vulnerability Example #1 CVE-2016-9920 – Remote Command Execution in Roundcube 1.2.2 $from = rcube_utils:: get_input_value ( '_from' , rcube_utils:: INPUT_POST ); $RCMAIL->deliver_message($MAIL, $from, $mailto, $error); public function deliver_message(&$message, $from, $mailto, &$error) { ⋮ if (filter_var(ini_get( 'safe_mode' ), FILTER_VALIDATE_BOOLEAN )) $sent = mail($to, $subject, $msg_body, $header_str); else $sent = mail ($to, $subject, $msg_body, $header_str, "-f $from " ); https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The State: Militarism, National Security, Imperialism Lecture points: Nation and State under

The State: Militarism, National Security, Imperialism Lecture points: Nation and State under

Session 9 The State: Militarism, National Security, Imperialism Lecture points: Nation and State under Security The State of Siege Politics as Force War is the New Nation The Absolute Security Agenda Reordering

377 views • 8 slides
Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical

Crypto Currency Security from the Frontlines Hedge Funds, Nation State Threats &amp; T echnical Security Approaches Adam Healy, CISO State of Crypto Asset Security 2016 Market Capitalization NASDAQ 1 ~$7.8 trillion London Stock Exchange 1

291 views • 12 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &amp;

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &amp;

Security and Privacy in Machine Learning Nicolas Papernot Pennsylvania State University &amp; Google Brain Lecture for Prof. Trent Jaegers CSE 543 Computer Security Class November 2017 - Penn State Thank you to my collaborators Patrick

635 views • 59 slides
Protection and Security - I Tevfik Ko ar Louisiana State University April 15 th , 2008 1 The

Protection and Security - I Tevfik Ko ar Louisiana State University April 15 th , 2008 1 The

CSC 4103 - Operating Systems Spring 2008 Lecture - XX Protection and Security - I Tevfik Ko ar Louisiana State University April 15 th , 2008 1 The Security Problem Security must consider external environment of the system, and

236 views • 7 slides
St State ate of Al f Alas aska ka Presented by Department of Administration State Security

St State ate of Al f Alas aska ka Presented by Department of Administration State Security

St State ate of Al f Alas aska ka Presented by Department of Administration State Security Office Mark Breunig, CISO April 30, 2019 1 A Brief History External Factors Increasing external threats Successful cyber-attacks, and

387 views • 9 slides
Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about

Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about

CS 166: Information Security Introduction to Security Prof. Tom Austin San Jos State University Why should we learn about information security? Computer Security in the News Computer Crime for Fun &amp; Profit Attackers have gone from

942 views • 48 slides
Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque ,

Problem Description Current State of the Art Our Contribution Our Scheme Summary References Threshold Ring Signatures: New Security Definitions and Post-Quantum Security Abida Haque , Alessandra Scafuro North Carolina State University May

736 views • 61 slides
20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79

20 Billion IoT Devices In 2023 page 02 * Gemalto The State of IoT Security guidelines 79 % required breach 48 % exists? improve 62 % security page 03 * Gemalto The State of IoT Security Honeypot A honeypot is a computer

631 views • 25 slides
U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST

ISSLOB SSC CYBERSECURITY AWARENESS U.S. DEPARTMENT OF STATE JSAS Cyber Security IT Security Awareness training consistent with NIST SP 800-50 A proven, reliable solution that verifies retention of material and concepts A well

344 views • 17 slides
New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York

New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York

New York State Energy Planning Board Cyber Security and the Energy Infrastructure New York State Division of Homeland Security and Emergency Services Office of Cyber Security Office of Cyber Security Overview Established as the Office

451 views • 31 slides
Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Advanced Systems Security: Introduction to OS Security Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Introduction to OS Security Trent

770 views • 28 slides
Update: State Funding for Border Security September 1, 2015 February 29, 2016 PRESENTED TO THE

Update: State Funding for Border Security September 1, 2015 February 29, 2016 PRESENTED TO THE

Update: State Funding for Border Security September 1, 2015 February 29, 2016 PRESENTED TO THE JOINT COMMITTEE ON BORDER SECURITY LEGISLATIVE BUDGET BOARD STAFF May 2016 Update: State Funding for Border Security These materials include

538 views • 41 slides
2017-18 Non Public Test Security Training Office of the State Superintendent of Education

2017-18 Non Public Test Security Training Office of the State Superintendent of Education

2017-18 Non Public Test Security Training Office of the State Superintendent of Education January 26, 2018 Agenda Test Security ACCESS for ELLs Alternate Assessments PARCC 2 Test Security 2017-18 Test Security Agenda

1.84k views • 129 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji

Hardware Acceleration: An Essential Part of Cyber Security in High-Speed Networks Ji Novotn Pavel eleda Radek Krej novotny@ics.muni.cz celeda@ics.muni.cz krejci@liberouter.org DeepSec In-Depth Security Conference 2010

652 views • 52 slides
Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and

Understanding the Security of Traffic Signal Infrastructure Zhenyu Ning , Fengwei Zhang, and Stephen Remias COMPASS Lab Wayne State University DIMVA, June 19, 2019 Understanding the Security of Traffic Signal Infrastructure, DIMVA 19 1

952 views • 53 slides
SCADA Hacking Clear and Present Danger ITAC 2014 02 Oct 2014 Presen sented ed b by:

SCADA Hacking Clear and Present Danger ITAC 2014 02 Oct 2014 Presen sented ed b by:

SCADA Hacking Clear and Present Danger ITAC 2014 02 Oct 2014 Presen sented ed b by: Francis Brown Bishop Fox, LLC www.bishopfox.com Agenda O V E R V I E W Introd oduction on/B /Bac ackgr grou ound Target eting ng S

892 views • 64 slides
Nikhil Mittal (SamratAshok) } SamratAshok } Twitter - @nikhil_mitt } I am interested in

Nikhil Mittal (SamratAshok) } SamratAshok } Twitter - @nikhil_mitt } I am interested in

Nikhil Mittal (SamratAshok) } SamratAshok } Twitter - @nikhil_mitt } I am interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. } Previous Talks Compromising a highly secure environment

505 views • 48 slides
Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015

Extending a Legacy Platform Providing a Minimalistic, Secure Single-Sign-On-Library 20/11/2015 Gschlberger/Gttfert 1 Introduction Research Studios Austria FG MicroLearning and Information Environments Bernhard Gschlberger

488 views • 19 slides
The Opportunity in Front of Us Marc Rowan Co-Founder and Senior Managing Director September

The Opportunity in Front of Us Marc Rowan Co-Founder and Senior Managing Director September

Strictly Confidential The Opportunity in Front of Us Marc Rowan Co-Founder and Senior Managing Director September 12, 2011 It should not be assumed that investments made in the future will be profitable or will equal the performance of the

447 views • 25 slides
Verizon Transactions Conference Call Lowell McAdam Chairman and CEO Fran Shammo Chief

Verizon Transactions Conference Call Lowell McAdam Chairman and CEO Fran Shammo Chief

VlpHU09DSUQyMDE0UTM Verizon Transactions Conference Call Lowell McAdam Chairman and CEO Fran Shammo Chief Financial Officer February 5, 2015 VlpHU09DSUQyMDE0UTM= Safe Harbor Statement NOTE: In this presentation we have made

397 views • 10 slides
Supertex, Inc. (Name of Registrant as Specified In Its Charter) Microchip Technology Incorporated

Supertex, Inc. (Name of Registrant as Specified In Its Charter) Microchip Technology Incorporated

UNITED STATES SECURITIES AND EXCHANGE COMMISSION Washington, D.C. 20549 SCHEDULE 14A Proxy Statement Pursuant to Section 14(a) of the Securities Exchange Act of 1934 Filed by the Registrant Filed by a Party other than the Registrant Check

376 views • 9 slides

More recommend