( ! ) Warning: Creating default object from empty value in /var/www/clients/client1/web1/web/modules/Forums/common.php on line 421
Call Stack
#TimeMemoryFunctionLocation
10.0000358512{main}( ).../modules.php:0
20.0008369456include( '/var/www/clients/client1/web1/web/index.php ).../modules.php:4
31.0221677392include( '/var/www/clients/client1/web1/web/modules/PHP_Manual/index.php ).../index.php:179
41.1553678496include( '/var/www/clients/client1/web1/web/header.php ).../index.php:157
51.1553695096head( ).../header.php:112
61.1553695680online( ).../header.php:39
71.1553695680my_online( ).../mainfile.php:720
81.1554698856include( '/var/www/clients/client1/web1/web/modules/Forums/common.php ).../custom_mainfile.php:1151
Omega13a's Corner - PHP Manual - Security - Errors
Omega13a's Corner
Contribute To This Site
Submit a Download
Submit a Link
Submit A Review for Omega13a's Corner

This Website Is Best Viewed In Mozilla Firefox 0.9+
You Are Currently Using
  Login or Register
::  Home   ::  Your Account   ::  Forums   ::  UFT Encyclopedia   ::  UFT Writer  ::
2020.83
Omega13a's Wish List
My Amazon.com Wish List
 
Affiliates
Supported by

[ Be A Supporter ]
[ NukeSupporters( tm) ]
 
Navigation
· Hom e
· Rep ort An Error

Omega13a's Corner

· Ome ga13a's Corner Index
· Ana grams
· Ana grams
· Aut ograms
· Aut ograms
· Bum per Stickers
· Bum per Stickers
· Cow Analogies
· Cow Analogies
· Cru el Baby Names
· Cru el Baby Names
· DHT ML Tricks
· DHT ML Tricks
· Dum b Criminals
· Dum b Criminals
· Dum b Headlines
· Dum b Headlines
· Dum b Laws
· Dum b Laws
· Dum b Questions
· Dum b Questions
· Dum b Quotes
· Dum b Quotes
· Dum b Signs
· Dum b Signs
· Dum b Warning Labels
· Dum b Warning Labels
· Eye witness Reports
· Eye witness Reports
· Fea rs
· Fea rs
· Gam es
· Gam es
· Goo gle Searches
· Goo gle Searches
· Gra phing Calculator
· Gra phing Calculator
· Hor oscope
· Hor oscope
· hta ccess Tutorials
· hta ccess Tutorials
· HTM L Manual
· HTM L Manual
· IP Lookup
· IP Lookup
· Jok es
· Jok es
· Mis c Funny Stuff
· Mis c Funny Stuff
· Odd Books
· Odd Books
· Odd Place Names
· Odd Place Names
· Odd Product Names
· Odd Product Names
· Our Solar System
· Our Solar System
· Pal indromes
· Pal indromes
· Pan grams
· Pan grams
· PEA R Manual
· PEA R Manual
· PHP Manual
· PHP Manual
· PHP Nuke Tools
· PHP Nuke Tools
· Poi ntless Quizzes
· Poi ntless Quizzes
· Pri me Numbers
· Pri me Numbers
· Ran dom Quotes
· Ran dom Quotes
· Ran t
· Ran t
· Rev iews
· Rev iews
· Rhy ming Pairs
· Rhy ming Pairs
· Sci -Fi/Fantasy Encyclopedia
· Sci -Fi/Fantasy Encyclopedia
· Wea ther
· Wea ther
· Wei rd Ads
· Wei rd Ads
· Wei rd Wide Web
· Wei rd Wide Web
· Zen Sarcasms
· Zen Sarcasms

Star Trek

·&nbs pBorg Species Designations
· Bor g Species Designations
· FAQ
· FAQ
· Sev Trek
· Sev Trek
· Sta r Trek Alien Sayings
· Sta r Trek Alien Sayings
· Sta r Trek Eggs
· Sta r Trek Eggs
· Sta r Trek Encyclopedia
· Sta r Trek Encyclopedia
· Sta r Trek Episode Guides
· Sta r Trek Episode Guides
· Sta r Trek Goofs
· Sta r Trek Goofs
· Sta r Trek Mysteries
· Sta r Trek Mysteries
· Sta r Trek Reviews
· Sta r Trek Reviews
· Sta r Trek Timeline
· Sta r Trek Timeline
· Tre k Today Headlines
· Tre k Today Headlines
· Wor lds in Star Trek
· Wor lds in Star Trek

Community

· Cha t Bot
· Cha t Bot
· Cha t Room
· Cha t Room
· Fee dback
· Fee dback
· For ums
· For ums
· Gue stbook
· Gue stbook
· Joi n a Webring
· Joi n a Webring
· Joi n the Staff
· Joi n the Staff
· Mem bers List
· Mem bers List
· Pri vate Messages
· Pri vate Messages
· Rec ommend Us
· Rec ommend Us
· Rul es/Terms of Use
· Rul es/Terms of Use
· Sur veys
· Sur veys
· Use r Journals
· Use r Journals
· Vot e For Us
· Vot e For Us
· Win An Award
· Win An Award
· You r Account
· You r Account

Media/Arts

· Dow nloads
· Dow nloads
· Fan Fictions
· Fan Fictions
· Han gman
· Han gman
· Ima ge Gallery
· Ima ge Gallery
· Tec hnobable Generator
· Tec hnobable Generator

Staff Personal Sections

· Lad y Lursa's Reading Corner

Links and Webrings

· Ban ner Exchanges
· Ban ner Exchanges
· Joi n Banner Exchange
· Joi n Banner Exchange
· Lin king To Us
· Lin king To Us
· Top sites
· Top sites
· Web Links
· Web Links
· Web rings
· Web rings

Site Info

· Abo ut the Owner
· Abo ut the Site
· Abo ut the Site
· Abo ut UFT_PHP
· Abo ut UFT_PHP
· Abo ut You
· Awa rds
· Awa rds
· Ban ned Stuff
· Ban ned Stuff
· Cop yright
· Cop yright
· Leg al Information
· Leg al Information
· Mod ifications Installed
· Mod ifications Installed
· Sea rch Results
· Sea rch Results
 
UFT Community

Omega13a's Corner Forums

 
Vote For Us
 
Ads


Error Reporting

Chapter 28. Error Reporting

With PHP security, there are two sides to error reporting. One is beneficial to increasing security, the other is detrimental.

A standard attack tactic involves profiling a system by feeding it improper data, and checking for the kinds, and contexts, of the errors which are returned. This allows the system cracker to probe for information about the server, to determine possible weaknesses. For example, if an attacker had gleaned information about a page based on a prior form submission, they may attempt to override variables, or modify them:

Example 28_1. Attacking Variables with a custom HTML page

<form method="post" action="attacktarget?username=badfoo&amp;password=badfoo">
<input type="hidden" name="username" value="badfoo" />
<input type="hidden" name="password" value="badfoo" />
</form>

The PHP errors which are normally returned can be quite helpful to a developer who is trying to debug a script, indicating such things as the function or file that failed, the PHP file it failed in, and the line number which the failure occurred in. This is all information that can be exploited. It is not uncommon for a php developer to use show_source(), highlight_string(), or highlight_file() as a debugging measure, but in a live site, this can expose hidden variables, unchecked syntax, and other dangerous information. Especially dangerous is running code from known sources with built_in debugging handlers, or using common debugging techniques. If the attacker can determine what general technique you are using, they may try to brute_force a page, by sending various common debugging strings:

Example 28_2. Exploiting common debugging variables

<form method="post" action="attacktarget?errors=Y&amp;showerrors=1&amp;debug=1">
<input type="hidden" name="errors" value="Y" />
<input type="hidden" name="showerrors" value="1" />
<input type="hidden" name="debug" value="1" />
</form>

Regardless of the method of error handling, the ability to probe a system for errors leads to providing an attacker with more information.

For example, the very style of a generic PHP error indicates a system is running PHP. If the attacker was looking at an .html page, and wanted to probe for the back_end (to look for known weaknesses in the system), by feeding it the wrong data they may be able to determine that a system was built with PHP.

A function error can indicate whether a system may be running a specific database engine, or give clues as to how a web page or programmed or designed. This allows for deeper investigation into open database ports, or to look for specific bugs or weaknesses in a web page. By feeding different pieces of bad data, for example, an attacker can determine the order of authentication in a script, (from the line number errors) as well as probe for exploits that may be exploited in different locations in the script.

A filesystem or general PHP error can indicate what permissions the webserver has, as well as the structure and organization of files on the web server. Developer written error code can aggravate this problem, leading to easy exploitation of formerly "hidden" information.

There are three major solutions to this issue. The first is to scrutinize all functions, and attempt to compensate for the bulk of the errors. The second is to disable error reporting entirely on the running code. The third is to use PHP's custom error handling functions to create your own error handler. Depending on your security policy, you may find all three to be applicable to your situation.

One way of catching this issue ahead of time is to make use of PHP's own error_reporting(), to help you secure your code and find variable usage that may be dangerous. By testing your code, prior to deployment, with E_ALL, you can quickly find areas where your variables may be open to poisoning or modification in other ways. Once you are ready for deployment, you should either disable error reporting completely by setting error_reporting() to 0, or turn off the error display using the php.ini option display_errors, to insulate your code from probing. If you choose to do the latter, you should also define the path to your log file using the error_log ini directive, and turn log_errors on.

Example 28_3. Finding dangerous variables with E_ALL

<?php
if ($username) {  // Not initialized or checked before usage
    
$good_login = 1;
}
if (
$good_login == 1) { // If above test fails, not initialized or checked before usage
    
readfile ("/highly/sensitive/data/index.html");
}
?>


Total Hits: 0

Powered by PHPNukePage Protected By Copyscape. Do Not CopyNukeSentinel ProtectedPowered by PEARPowered by PECL

© 2000, 2001, 2002 Trek Archive, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 United Federation of Trek.
Omega's Corner is © 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 omega13a.
Star Trek®, Star Trek: The Next Generation®, Star Trek: Deep Space Nine®, Star Trek: Voyager®, Enterprise®, and Star Trek: Enterprise® are registered trademarks of Paramount Pictures and Viacom. All Star Trek material found on this site is for promotional purposes only, and not personal or financial gain. No infringements on their copyrights is intended.
All logos and trademarks in this site are property of their respective owners. The comments are property of their posters.


ROR Sitemap Google Sitemap

PHP-Nuke Copyright © 2005 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 3.5763 Seconds
Server Load: 6.53
Queries: 33 (0.2386 seconds)
Included 110 files
253 classes defined
46 interfaces defined
0 classes loaded using __autoload()
2,760 functions defined
4,464 constants defined

:: subBlack phpbb2 style by spectre :: PHP-Nuke theme by www.nukemods.com ::

This Website Is Best Viewed In Mozilla Firefox 0.9+
You Are Currently Using

UFT's Webring of Sci-Fi and Fantasy
UFT's Webring of Sci-Fi and Fantasy
Previous site : Random : Next site : List sites
Powered by PHP-Ring
Psychology News
Scitrek webring
Scitrek webring
Previous site : Random : Next site : List sites
Powered by .PHP-Ring
Psychology News
robots.txt
Contributors Contact Us