Mini Servers: Guest book
Mini Server 2 - Guest book
This mini server includes a guest book (version 1.7.2) downloaded from the DigiOz web site. It's a flexible script that is easily integrated into any web site; more importantly, its folder structure is logically set out and the code is very readable.
Its inclusion serves to illustrate a fundamental problem with the server configuration and to provide an insight into defensive programming.
Server configuration problem
When installing any new script you need to set up its configuration file, and the guest book is no exception:
- Open the file config.php located in folder *\uc_server_2a\udrive\www\guestbook
- Locate the line $image_verify and set it to equal 1.
- Run the script and select “Add Entry”
- Note the lack of an image that should display the verify code.
- Open the Apache error log file error_log located in folder *\uc_server_2a\udrive\usr\local\apache2\logs
- You will find an error message something like this:
[error] [client 127.0.0.1] PHP Fatal error: Call to undefined function imagecreatefromjpeg() in W:\\www\\guestbook\\random.php on line 16, referer: http://localhost/guestbook/guestbook.php
The cause is that the GD 2.0.x extension is not loaded. Open the php.ini file and locate the section "Windows Extensions"; you will notice that all the extensions are disabled (each line starts with ;). Remove the semicolon from this line: extension=php_gd2.dll to enable the GD 2 library, then save php.ini. On its own that will not correct the problem: it only tells PHP to load the extension, and the extension file itself is not yet on disk.
Extensions folder:
First create a new folder named extensions inside the PHP folder, then copy the file php_gd2.dll (located in folder ext of the full distribution) into the folder you just created. PHP searches for extensions in the folder named by the extension_dir directive in php.ini, so the new folder must match that setting.
For the new configuration to be picked up, restart the server, then run the script again. You will see an image displayed containing the verify code.
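The following check is an added example and is not part of the Mini Server package or the DigiOz guest book. Saved under a hypothetical name such as gdcheck.php in the www folder and opened at http://localhost/gdcheck.php, it reports which of the two steps above (the php.ini line, the DLL in the extensions folder) is still missing, rather than leaving you to read the error log after the fact.

```php
<?php
// Added diagnostic (not part of the Mini Server package): tells you whether GD is
// loaded and, if not, which configuration step is still missing.

function gd_diagnosis()
{
    // php_ini_loaded_file() exists from PHP 5.2.4; guard it for older builds.
    $ini_file = function_exists('php_ini_loaded_file') ? php_ini_loaded_file() : '(unknown)';
    $ext_dir  = ini_get('extension_dir');   // folder PHP searches for php_*.dll
    $loaded   = extension_loaded('gd');

    if ($loaded && function_exists('imagecreatefromjpeg')) {
        return "OK: GD loaded with JPEG support (php.ini in use: $ini_file)";
    }
    if ($loaded) {
        return "GD loaded from $ext_dir but without JPEG support; use a php_gd2.dll built with libjpeg";
    }

    // GD is not loaded. Either the extension= line is still commented out (PHP stays
    // silent) or the line is active but php_gd2.dll is not in extension_dir, in which
    // case the Apache error log also shows "PHP Startup: Unable to load dynamic library".
    // If extension_dir is a relative path, file_exists() resolves it against Apache's
    // working directory, so confirm the reported path by eye.
    $dll = rtrim($ext_dir, "/\\") . DIRECTORY_SEPARATOR . 'php_gd2.dll';
    if (!file_exists($dll)) {
        return "GD not loaded and $dll does not exist: copy php_gd2.dll into extension_dir";
    }
    return "GD not loaded although $dll exists: enable extension=php_gd2.dll in $ini_file and restart Apache";
}

echo htmlspecialchars(gd_diagnosis());
```

Remove the file once the guest book works; a page that prints the php.ini path and extension directory is information you do not want to hand to visitors.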
I purposely excluded this extension from the support files because I wanted you to download a full version of PHP. It will ease the task of adding extensions, since you will have them immediately to hand. In addition I wanted to show how easy it is to add extensions.
File extensions
It's very tempting to name included files with the extension .inc. Rename the guest book file config.php to config.inc and type the following into your browser:
http://localhost/guestbook/config.inc
It exposes the admin password; knowing this, anyone can delete your guest book. Rename the file back to config.php and type http://localhost/guestbook/config.php into your browser.
Before being served, all pages with a .php extension are passed to the PHP interpreter for processing. The sole task of config.php is to set up PHP variables, hence a blank page is served.
Always use a .php file extension on every file that contains PHP code. If you want, you can still use "inc" in the file name, for example config.inc.php, but remember that a bare .inc file extension is a hacker's dream come true: Apache treats it as a plain text file and sends the source, password and all, to anyone who asks for it.
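Renaming is the fix; as an added safety net (this fragment is an added example, not part of the Mini Server configuration) you can also tell Apache to refuse to serve any .inc file at all, so a forgotten include or a file dropped in by another script is never exposed. The directive syntax below is for Apache 2.0/2.2, which is what this mini server ships; on Apache 2.4 the two Order/Deny lines are replaced by "Require all denied". Put it in httpd.conf inside the Directory block for the www folder, or in a .htaccess file if AllowOverride permits it.

```apache
# Added example (not part of the Mini Server package): never serve *.inc files,
# whatever else is misconfigured. Apache 2.0/2.2 syntax.
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After restarting Apache, requesting http://localhost/guestbook/config.inc should return a 403 Forbidden rather than the file contents; files named config.inc.php are unaffected because the pattern is anchored to the end of the name.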
Defensive programming
Defensive programming is really about not trusting anything a user sends to your server. The DigiOz guest book is worth looking at just to get a feel for the techniques used.
Returned data 1
View the guest book entries and change what's displayed in the browser address bar, for example:
- From: http://localhost/guestbook/list.php?page=1&order=asc
- To: http://localhost/guestbook/list.php?page=1&order=fred
The script responds with: Entry order can only be 'asc' or 'desc'
Clearly the designer has put some kind of input validation in place:
Always validate user input, example from list.php:

```php
$page  = $_GET['page'];
$order = $_GET['order'];

// Validate browser input ------------------------------------------------
if (is_numeric($page) == false) {
    echo "<font color=\"red\">Non Numeric Page Number</font>";
    include("footer.php");
    exit;
}

if (!($order == "asc" || $order == "desc")) {
    echo "<font color=\"red\">Entry order can only be 'asc' or 'desc'</font>";
    include("footer.php");
    exit;
}
```
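The check above is a good start but is_numeric() is looser than it looks: it also accepts "1.5", "1e3" and, on PHP 5 (the version this mini server ships), hex strings such as "0x1A", none of which is a usable page number. As an added example (my code, not DigiOz's list.php), here is a stricter version of the same two checks: the page number is validated as an integer in range with filter_var(), which is available from PHP 5.2.0, and the order is compared against an allow-list with strict typing. The footer.php include and the error style mirror the original.

```php
<?php
// Added example (not the DigiOz code): stricter validation of the two list.php
// parameters. Runs on PHP 5.2 and later.

function validate_page($raw)
{
    // FILTER_VALIDATE_INT accepts only an optionally signed decimal integer and
    // rejects "1.5", "1e3" and "0x1A", which is_numeric() would let through on PHP 5.
    // min_range enforces the lowest page number at the same time.
    $page = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($page === false) ? null : $page;
}

function validate_order($raw)
{
    // Allow-list with strict comparison: anything not exactly 'asc' or 'desc' is rejected,
    // including 'ASC', 'asc ' or an array smuggled in as order[]=asc.
    $allowed = array('asc', 'desc');
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Start from safe defaults and override them only with values that passed validation.
$page  = isset($_GET['page'])  ? validate_page($_GET['page'])   : 1;
$order = isset($_GET['order']) ? validate_order($_GET['order']) : 'asc';

if ($page === null || $order === null) {
    header('HTTP/1.0 400 Bad Request');
    echo '<font color="red">Invalid page number or entry order</font>';
    include('footer.php');
    exit;
}

// From here on $page is an int >= 1 and $order is one of the two literals, so both are
// safe to use as file offsets, in a link, or in an SQL ORDER BY clause.
```

Note that the rejected value is never echoed back; if you do want to show it in the error message, pass it through htmlspecialchars() first, otherwise the error page itself becomes an injection point.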
Returned data 2
An obvious attack on any input form is to inject HTML. Try the following on any guest book: type in <b>test</b>. If "test" is displayed in bold, the guest book is wide open to HTML injection. Notice that this guest book displays exactly what was typed, tags and all; again, the input is being validated.
Open the file add.php. One very important thing: never use any received variable directly; always copy it into a local variable and validate that copy before anything else touches it. For example, you will find this re-assignment:
- $yourname = $_POST['yourname'];
- $youremail = $_POST['youremail'];
- $yourmessage = $_POST['yourmessage'];
Below this you will find an error handling and entry checking section.
Open the file functions.php and look for the message clean-up function; it contains these lines:

```php
$rep1 = array( "<",    ">",    "\n",   "'" );
$rep2 = array( "&lt;", "&gt;", "<br>", "&#39;" );
```

The top line contains the HTML characters; each is replaced with the corresponding character entity shown on the second line (and a newline with a line break), which is what prevents HTML injection. Note what the list does not contain: the double quote and the ampersand are passed through untouched. That is safe while the text is only ever placed in the body of the page, but if the same stored value is ever written inside an HTML attribute a double quote can break out of it, so the safer habit is to escape every special character with htmlspecialchars() and ENT_QUOTES.
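To see the difference, here is an added example (my code, not the DigiOz clean-up function) that runs a constructed sample through a hand-rolled replacement list of the kind shown above and through htmlspecialchars(). The sample input and the function names are my own.

```php
<?php
// Added example (not the DigiOz code): hand-rolled replacement list versus
// htmlspecialchars() with ENT_QUOTES. Runs on PHP 5.2 and later.

// Replacement list modelled on the one above: handles < > newline and ' only.
function clean_handrolled($text)
{
    $rep1 = array("<",    ">",    "\n",   "'");
    $rep2 = array("&lt;", "&gt;", "<br>", "&#39;");
    return str_replace($rep1, $rep2, $text);
}

// Escape every character that has meaning in HTML text or attribute context
// (& < > " ') and then turn newlines into line breaks. nl2br() also copes with
// the \r\n pairs that Windows browsers send, which the list above leaves behind.
function clean_entities($text)
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'ISO-8859-1'));
}

// Constructed sample: a tag, an attribute-breaking quote and a bare ampersand.
$sample = "<b>hi</b>\n\" onmouseover=\"alert(1)\" & more";

echo clean_handrolled($sample), "\n";
// The tag is neutralised, but both double quotes come through unchanged; stored
// as-is and later placed inside an attribute, they break out of it.

echo clean_entities($sample), "\n";
// Every special character is now an entity, so the text renders literally in any context.
```

Whichever function you use, apply it once, at the point where the value is written into the page (or, as this guest book does, just before it is stored), and never both, or visitors will see &amp;lt; where they typed &lt;.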
Automated posts
Automated posting is a real pain. You can check posts and only allow a new post after a predetermined time, but that is not a real deterrent: an automated process just sits there until your time limit has expired, goes off to hassle other sites in the meantime, and periodically returns to yours to post again.
A CAPTCHA (an image and a code the visitor has to type back) works fine for preventing automated posts. If you think it's difficult to implement, open the file random.php and have a read.
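As an added example (my code, not DigiOz's random.php), here is a complete image CAPTCHA built on the GD extension enabled at the top of this page. The code is generated server-side, kept in the session rather than in a hidden form field where a script could read it, rendered as a JPEG, and checked once only with a time limit. It assumes PHP sessions are working (session.save_path writable) and GD's built-in fonts; the file name captcha.php and the form field name verify are my own.

```php
<?php
// Added example (not the code in DigiOz's random.php): minimal image CAPTCHA.
// Save as captcha.php (hypothetical name). The form shows <img src="captcha.php?image=1">
// and add.php includes this file and calls captcha_check($_POST['verify']).

session_start();

// Create a fresh code, keep it server-side in the session and return it.
function captcha_new_code($length = 5)
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';   // no 0/O or 1/I ambiguity
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha_code'] = $code;
    $_SESSION['captcha_time'] = time();
    return $code;
}

// Render the code as a JPEG with some noise lines and send it to the browser.
function captcha_send_image($code)
{
    $im = imagecreatetruecolor(120, 40);
    $bg = imagecolorallocate($im, 255, 255, 255);
    $fg = imagecolorallocate($im, 0, 0, 0);
    imagefill($im, 0, 0, $bg);
    for ($i = 0; $i < 6; $i++) {                      // noise makes OCR harder
        imageline($im, mt_rand(0, 119), mt_rand(0, 39), mt_rand(0, 119), mt_rand(0, 39), $fg);
    }
    imagestring($im, 5, 20, 12, $code, $fg);          // font 5 is GD's largest built-in font
    header('Content-Type: image/jpeg');
    header('Cache-Control: no-store');                // a cached image would reuse an old code
    imagejpeg($im);
    imagedestroy($im);
}

// Called from add.php: true only if a code exists, is fresh, and matches.
// The stored code is cleared whatever the outcome, so one image allows one attempt.
function captcha_check($submitted, $max_age = 600)
{
    if (!isset($_SESSION['captcha_code'], $_SESSION['captcha_time'])) {
        return false;
    }
    $ok = (time() - $_SESSION['captcha_time'] <= $max_age)
        && (strtoupper(trim($submitted)) === $_SESSION['captcha_code']);
    unset($_SESSION['captcha_code'], $_SESSION['captcha_time']);
    return $ok;
}

// Image request from the form's <img> tag.
if (isset($_GET['image'])) {
    captcha_send_image(captcha_new_code());
    exit;
}
```

Because the answer lives only in the session, a bot cannot skip the image by submitting the form with a code it scraped from the HTML, and because the code is cleared on every check it cannot solve one image and replay the answer for a batch of posts.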
Single file database
All that defensive code is required to protect a single-file database, and using a database that runs on a server such as MySQL requires the same techniques. The big advantage of DigiOz's guest book is that the code is readable: you can go in, hack it around and hopefully understand what the code does.
You may not yet appreciate the elegant use of the serialize and unserialize functions, but I have that covered, so it may be worthwhile downloading this version of the mini server and checking out site MPG2! One thing to keep in mind: unserialize() should only ever be fed data the script itself wrote to its data file, never a string taken from the request.
Summary
Apache with PHP makes a powerful combination. I was serious about a database server not being required: it adds complexity and provides another point of failure, so consider using a database file for less complex applications.
Having the power to run scripts on your server introduces security issues: you not only need to secure the server program itself, you also need to secure any scripts you run. Related to this, never trust any data a user provides; it may inject all kinds of nastiness, intentionally or unintentionally, so always validate input data.
This server is portable, making it ideal for testing and learning. It can be put on line, however it requires restarting every time you restart your PC. The next page covers running the server as a service.
Ric