[thelist] buffer overflows in web apps: something to think about?

Simon Willison cs1spw at bath.ac.uk
Fri Aug 1 18:32:11 CDT 2003


Hi Chris,
> I know that buffer overflows are an important thing to protect against
> when writing programs but what about the web? I did a little bit of
> googling on the subject but I have not come across anything web
> applicable.

> I use PHP and what I'd like to know is:

> 1. Are they something that need to be checked for?

> 2. Is it even possible to prevent them with PHP?

> 3. What are some ways of protecting your application from them?

Buffer overflows are only an issue when you are writing in a low level
language such as C. They happen when you forget to check the length of
a piece of data you are writing into a C array - if you aren't
careful, you might write more data than the array has space to store
and the remaining data will "overflow" onto the stack. An attacker
can take advantage of this and use it to force your computer to
run executable code.

The good news is, you can't write code in a high level language (such
as PHP, Python, Perl or Java) that causes a buffer overflow as these
languages include built in features to protect you from doing so. The
bad news is that if a buffer overflow exists in one of those languages
it can be exploited. PHP has been tested to destruction by thousands
of people so you can be reasonably certain that the buffer overflows
have all been fixed, but there's always the possibility that one
remains. There's nothing you can do about buffer overflows in the
language implementation unless you are a security and C expert.

Basically, you don't need to worry about them. For secure PHP you just
need to remember to have register_globals off, to validate EVERY piece
of data that comes from the user in some way and to be careful with
calls to things like include() and exec() which might be tricked into
running hostile code.

The best security advice is simply to make regular off-site backups -
that way if the worst happens you'll have an easy way to recover from
the damage. Of course, if you are storing anything critical like
credit card details security becomes a lot more important but the best
approach there is to offload it to some off-site service so you don't
have to worry about it. Storing user account passwords encrypted (with
a one way hash such as MD5 or the mysql PASSWORD() function) is a good
idea as well.

Hope that helps,

Simon
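The three PHP habits the reply recommends (register_globals off, validating every user value, and guarding include() and exec()), shown as an added example that is not part of the original post; the function names, the $pages allowlist and the ping command are illustrative assumptions:

```php
<?php
// Added example, not code from the original post. Names such as
// load_page(), validate_username() and the $pages map are assumptions.

// With register_globals on (or by reading $_GET straight into include()),
// the request decides which file is included and executed.
function load_page_unsafe(): void
{
    include($_GET['page'] . '.php');   // request-controlled path: do not do this
}

// Hardened: map the untrusted value onto a fixed allowlist and fall back to
// a known page, so no user-controlled string ever reaches include().
function load_page(array $request): string
{
    $pages = ['home' => 'home.php', 'about' => 'about.php'];
    $key   = $request['page'] ?? 'home';
    $file  = $pages[$key] ?? $pages['home'];
    return __DIR__ . '/pages/' . $file;   // caller includes only this path
}

// "Validate EVERY piece of data": accept only what the field may contain.
function validate_username(string $raw): ?string
{
    return preg_match('/^[a-z0-9_]{3,20}$/', $raw) ? $raw : null;
}

// exec(): never interpolate raw input into a command line. Validate first,
// then quote with escapeshellarg() so shell metacharacters stay inert.
function ping_host(string $raw): ?string
{
    if (!preg_match('/^[a-z0-9.-]{1,253}$/i', $raw)) {
        return null;   // reject anything that is not a plain hostname
    }
    return exec('ping -c 1 ' . escapeshellarg($raw));
}

// Usage (illustrative): a validated value is the only thing that reaches
// the sensitive call; anything else is refused outright.
$name = validate_username($_POST['username'] ?? '');
if ($name === null) {
    http_response_code(400);
    exit('invalid username');
}
include(load_page($_GET));
```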


