Kerberos authentication is a means by which a communicating entity on a non-secure network can prove its identity to another entity in a secure way.
In a system built on the client-server model, it is difficult to identify the threat posed by network users and intruders, since the network itself gives no assurance of who is on the other end.
The primary goal of the Kerberos authentication system is to prevent passwords from being transmitted in clear text over the network.
Kerberos was created by MIT under a BSD-like license, and the current version is Version 5. It is implemented on various operating systems: Linux, Unix, Windows and MacOS.
The Kerberos system is built on a symmetric key algorithm.
It is always safer to turn OFF register_globals in PHP applications. Earlier we saw how to turn OFF the register_globals setting via an .htaccess file; in this post we will use php.ini instead.
As a first step, create a file called php.ini using a text editor.
Next, add the following line to php.ini:
register_globals = off
Upload the php.ini file to the root folder where your application resides.
There may be a situation where you want all users to store files in a certain folder, but want to prevent users from deleting other users' files. For this scenario, you can set the sticky bit on the folder, which serves our purpose.
For example, we have created a folder called "user" inside the /tmp directory:
root@dev:/tmp# ls -l | tail -1
drwxr-xrwx 2 root root 4096 2009-07-13 11:39 user
root@dev:/tmp# cd user
Now create a file called a.txt (you currently have root privileges):
root@dev:/tmp/user# touch a.txt
Now switch to a user with normal privileges (I have created a user called 'usr100' for this purpose):
root@dev:/tmp/user# su usr100
List of steps to take care of when using PHP to upload images or documents:
i) use the is_uploaded_file() function to check that the file was actually uploaded before moving it from its temporary location
ii) sanitize the name of the file before moving it from the temporary location with the 'mv' system command (use escapeshellarg and escapeshellcmd as needed)
iii) chmod the file to 644 if needed
iv) the directory from which the file will be moved and the destination directory should be initialized beforehand, so that users cannot alter the path where the files are stored
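The four steps above put together as an upload handler. This is an added example, not code from the original post; the upload directory, size limit and field name are assumptions, and the built-in move_uploaded_file() is used in place of the 'mv' shell command, so no shell escaping is needed.

```php
<?php
// Added example (not from the original post): an upload handler that follows
// steps i) to iv) above. The paths and limits below are assumptions.
declare(strict_types=1);

// iv) fixed source and destination directories, never taken from user input
const UPLOAD_DIR = '/var/www/uploads';   // assumed destination directory
const MAX_BYTES  = 2 * 1024 * 1024;      // assumed size limit (2 MiB)

function safe_filename(string $name): string
{
    // drop any directory component, then allow only a conservative character set
    $base = basename($name);
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    // refuse empty names and names starting with a dot such as ".." or ".htaccess"
    if ($base === '' || $base[0] === '.') {
        throw new RuntimeException('invalid file name');
    }
    return $base;
}

function handle_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    // i) confirm the temp file really came from this request's upload
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // ii) sanitize the client-supplied name before it touches the filesystem
    $dest = UPLOAD_DIR . '/' . safe_filename($file['name']);
    if (file_exists($dest)) {
        throw new RuntimeException('file already exists');
    }
    // move_uploaded_file() replaces the 'mv' shell command from the post
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file');
    }
    // iii) readable by the web server, writable only by the owner, never executable
    chmod($dest, 0644);
    return $dest;
}

// usage (assumed form field name "document"): $saved = handle_upload($_FILES['document']);
```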
The register_globals directive has been turned OFF by default since PHP version 4.2.
PHP Global Variables
Environment, GET, POST, Server and Cookie variables are known as global variables.
When the register_globals directive is turned ON (as most ISPs did), you can access/set the global variables as $username and $password instead of $_POST["username"] and $_POST["password"].
escapeshellcmd and escapeshellarg are two functions used to escape the characters that would otherwise be interpreted by the shell, in a system command or in the arguments passed to it respectively. Before the command is passed to system or exec, the strings are escaped using these functions.
Sample program to demonstrate the usage:
<?php
// shell command: escapeshellcmd() escapes shell metacharacters in the whole command
$mycmd = "ls -al";
$returncmd = escapeshellcmd($mycmd);
system($returncmd);
// shell argument: escapeshellarg() quotes the value so it is passed as a single argument
$myshellargs = "al";
system("ls -" . escapeshellarg($myshellargs));
?>
Cross-site scripting (XSS) is a term for attacks, and for the loopholes in a website's scripting that enable them, which attackers use as a path towards identity theft or phishing.
In PHP, two functions are mainly used to counter XSS attacks.
Obfuscating the scripting language extension in PHP is a technique that is effective, to a certain extent, in slowing down an active attacker. Following are a few simple techniques for hiding the program extension.
i) Hiding the program extension using .htaccess
ii) Hiding the program extension using php.ini
iii) Hiding the program extension using Apache directive configuration
In order to ensure that files downloaded from a site have been saved in their entirety, and to give the added assurance that no intruder has modified their content, source providers use various techniques such as MD5 checksums, SHA1 checksums and PGP verification. To explain how MD5 checksum, SHA1 checksum or PGP verification of files works, I will walk through the steps using a copy of the OpenSSL program.