The three little PHP pigs and the big bad cracker-wannabe wolf

2006-11-08   

You all know the classic story about the three little pigs and the big bad wolf. Something similar happens when novice and inexperienced developers develop dynamic web sites.

The story goes like this:

Once upon a time there were three little pigs and the time came for them to leave home and seek their fortunes.

Before they left, their mother told them "Whatever you do, do it the best way you can because that's the way to get along in this world."

The pigs left their house, waved at their mom and headed to the big city to become PHP developers.

The first little pig was a web designer who wanted to evolve into a developer. He had already created some beautiful static web sites that featured nice graphics, JavaScript menus and, of course, Flash. The first little pig was very proud of himself.
He bought a "good" PHP book and started to learn. After a month he created his first dynamic web site with a shiny login and some other simple features like user postings and comments. The site had a very good design, but was buggy. Nevertheless it started to gather more and more visitors.
The first little pig was even more proud. He invited his brothers to browse the site. They pointed out that it was not very secure or well built, but the first little pig did not pay attention. "It works", he said.

The second little pig was a novice PHP programmer. He had heard about some security issues, efficient practices, design patterns and so on, but he did not quite understand them. He googled the net, found some interesting articles and started to educate himself. Somewhere around that time the first little pig showed his website. The second little pig was kind of frustrated -- "OK, his site is buggy and not secure, but it works and it has visitors. I will start to develop my site right away to catch up and after that I will educate myself and fix the things that don't look good".
So the second little pig developed a site, as fast as he could, installed it on shared hosting and showed it to his brothers.
"It is not as pretty as mine", said the first little pig.
"Yes, but it is not so buggy and has a lot more functionality like picture uploads", answered the second pig.

"OK, it is better than the first site, but I still see some things that are not made the right way", said the third little pig.
"Name one?"
"This picture upload, why are you moving the uploaded files into a directory that is directly accessible? And also: are you changing the permissions after move_uploaded_file? Do you check if the uploaded file is really a picture?", asked the third pig.
"Uuuuh, what?", the second little pig felt kind of offended. "Yes… I mean -- no… I mean -- yes… Why are you asking me such questions, do you know how much time I spent on this site?! I know that it is not polished, but I was in a hurry, OK? I will take a good sleep this week and after that I will fix the things."

So, the second little pig relaxed for a week, then he had some urgent work to do, then he had to visit his mother, then more urgent work and so on. He never had time to look back at the sources and he was too busy to review and approve the uploaded pictures. His site was also successful and pulled some users from the site of the first little pig.

The third little pig had a completely different approach. He wanted to start the development of his own website only when he felt confident that he knew exactly what he wanted and how to achieve it. He read all the articles about good programming practices. He talked with experienced developers and learned from them. He reviewed some of the most successful PHP libraries and sites. After one(!) year he felt that he was ready. He developed THE site using a template engine, a database abstraction library, an MVC framework, security logs and tripwires and so on, and so on. He installed the site on a dedicated server. He was veeery proud. He did not show the site to his brothers -- they were not competent enough to comprehend it.
Well, the site was good, but it did not have many visitors because the sites of his brothers had already been running for more than a year.

Enter the big bad wolf.
In fact he is not a pig. Also he is not bad. He is just a bored and frustrated teenager with some knowledge about PHP. He also knows a few sites with articles about cracking and that is his dream -- to become a REAL cracker like his cousin Duke Wolfenstein.
One day he came across the website of the first little pig and decided that it was a good practicing target.
The first thing that he tried was SQL injection. He added an apostrophe after ?posting=235 in the address bar and voilà: the server started printing an ugly message "MySQL query failed: select content from postings where id = 235'"…
Obviously the SQL injection worked. You can imagine what happened next -- in no time the database was ruined and because the first little pig had not backed it up (he did not even know how to back up the DB) -- the site was lost.
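
The first pig's posting lookup next to a hardened version, as an added example that is not code from the story. It assumes PDO with an in-memory SQLite database standing in for MySQL and a postings(id, content) table inferred from the error message; the function names are hypothetical.

```php
<?php
// Added example: the posting lookup from the story, vulnerable vs. hardened.
// Assumptions: PDO + in-memory SQLite stands in for MySQL; the schema
// postings(id, content) is inferred from the error message in the story.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE postings (id INTEGER PRIMARY KEY, content TEXT)');
$db->exec("INSERT INTO postings VALUES (235, 'Hello from posting 235')");

// First pig's approach: the parameter is pasted into the SQL text and the
// failed query is echoed back to the visitor.
function get_posting_vulnerable(PDO $db, string $posting): string
{
    $sql = "select content from postings where id = $posting";
    try {
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['content'] : 'not found';
    } catch (PDOException $e) {
        return "query failed: $sql"; // leaks the query structure
    }
}

// Hardened: validate the type, bind the value, log errors server-side only.
function get_posting_safe(PDO $db, string $posting): string
{
    $id = filter_var($posting, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'not found'; // non-numeric input never reaches the database
    }
    try {
        $stmt = $db->prepare('select content from postings where id = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['content'] : 'not found';
    } catch (PDOException $e) {
        error_log('posting lookup failed: ' . $e->getMessage());
        return 'Sorry, something went wrong.';
    }
}

foreach (['235', "235'"] as $input) { // the two values from the story
    echo "input:      $input\n";
    echo "vulnerable: " . get_posting_vulnerable($db, $input) . "\n";
    echo "safe:       " . get_posting_safe($db, $input) . "\n";
}
```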

Then the big bad wolf looked for similar sites and he found the second pig's website. He tried the SQL injection again, but this piggy was smarter -- GET parameters were properly escaped. The wolf scratched himself between the ears and started to examine the site. He found the picture upload and in a few minutes of playing with it he discovered a flaw -- files were moved to a directory directly accessible via HTTP request and also were not even checked for a valid image extension. He prepared a small PHP file del_curr_dir_content_ha_ha.php that erased everything in the current directory, uploaded it and then pointed his browser to "http://3thlittlepig.com/images/del_curr_dir_content_ha_ha.php". The result? The entire directory content was erased and all users' uploaded pictures were lost.
After some time the second little pig found that the site was corrupted and started to look for the most recent backup. When he found it, it turned out that the backup was made 3 months ago. He recovered the site using the backup but that brought more problems than it solved -- users were angry that their content was lost and a lot of swearing and cursing took place. The result -- most of the users abandoned the site.
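
An upload handler that answers the third pig's three questions, as an added example that is not code from the story. It assumes a hypothetical UPLOAD_DIR outside the document root, a form field named "picture" and the fileinfo extension; the function names are hypothetical too.

```php
<?php
// Added example, not code from the story. Assumptions: UPLOAD_DIR is a
// hypothetical directory outside the document root, the form field is
// named "picture", and the fileinfo extension is enabled.
const UPLOAD_DIR = '/var/www/private/uploads';
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// "Is it really a picture?" Decide from the file content, never from the
// client-supplied name or Content-Type. Returns the extension or null.
function image_extension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $ext = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null || @getimagesize($path) === false) {
        return null;
    }
    return $ext;
}

function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = image_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // "Directly accessible directory?" Store outside the web root under a
    // server-chosen name and extension. Content checks can be fooled, so
    // these two choices are what keep an upload from being executed.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640); // "Permissions after move_uploaded_file?"
    return basename($target);
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a minimal GIF header and a PHP script.
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, '<?php echo "not a picture";');
    var_dump(image_extension($gif), image_extension($php));
    unlink($gif);
    unlink($php);
} elseif (isset($_FILES['picture'])) {
    $name = store_upload($_FILES['picture']);
    http_response_code($name === null ? 400 : 201);
}
```

Stored pictures are then served by a script that reads them from UPLOAD_DIR, so nothing in that directory is ever handed to the PHP interpreter by URL.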

The wolf started to feel like a real cracker but then he hit the third little pig's site. He tried SQL injection, looked for upload vulnerabilities, tried every trick he knew but without any success and then he gave up.

Is this the end of the story? Is this a happy ending?
No.

After two months, the wolf's cousin -- Duke Wolfenstein, the real cracker, came for a visit. He was slick. You know -- with custom-made sunglasses, an exact replica of Neo's from The Matrix, with a black hat (with holes for the ears, of course), black clothes, etc…
Our teenage wolf told his cousin about the unsuccessful attempt at cracking the site of the third pig. Duke was not impressed. He sat in front of the computer and started to do his "magic". The little wolf sat next to him and absorbed everything with wide-open eyes.
The PHP application, however, had been designed and developed with security in mind. After the first unsuccessful attempts, a tripwire was triggered and a warning email was sent to the third little pig but he did not pay much attention -- after all, he received such emails almost every day (a lot of crackers out there, eh?). He just banned the source IP from accessing the web site.
Duke got pissed off.
"Enough with this PHP shit. I will bring the heavy artillery."
At this stage the story gets kind of blurry. It is not known what actions took place, but in the end a rootkit was installed on the dedicated server and several thousand emails with ads for viagra and porn sites were sent. In this particular case, one thing is known for sure -- the security breach did not come from the PHP part, but from the Linux part. The third little pig did not even have a chance -- he was inexperienced in Linux administration.

This is the end of the story.

The moral?
Well:
1. There are a lot of sites out there which are buggy but have a big audience. We, as users, have to recognize those sites and avoid them -- sooner or later such sites will be breached and destroyed.
2. This web development thing is getting more and more rushed. Web developers are chased by unmeetable deadlines, unstable requirements, pressure from bosses and so on. As a result some crucial development activities are often overlooked and well-known bugs are left aside intentionally because no one has time to fix them, and this leads to low-quality websites. Of course -- this is not an excuse not to do our job better, but this is the reality of the highly competitive market. We, as web developers, have to try to lower the pace to a level that will allow us to do our job better without the current stress and sacrifices of our personal time.
3. Web sites/applications are getting more and more complicated. It is not possible for a single person or even a group of people with a similar profile (for example PHP programmers) to create a quality, secure product without the help of additional experts like experienced sysadmins, DB designers, tools masters, trained testers, JavaScript programmers, etc. The lack of qualified people is already a heavy problem in most countries and this will get even worse.
A few years ago web development required knowledge of some server-side scripting language, SQL, HTML and a little bit of JavaScript. It was not a problem for a single person to learn those technologies.
Then came Macromedia Flash. Then ActionScript was improved to useful levels. Now we also have video clips embedded into flv files. Let's not forget about the Ajax fuss. Also, on the server side we have CGIs, Perl, PHP, .NET, Python, ColdFusion and God knows how many more… The word that I think of is "dispersion". Developers and effort are dispersed in too many directions, and in light of the lack of qualified people that is a real problem. Maybe it is time that we -- as an industry -- start thinking about some unification.

Note: This story is also posted at http://dotgeek.org/ and it is part of CodeBlog Bingo. If you liked it, please visit dotgeek and vote for it.