When in a page triggered by an exception, what vulnerabilities is a PHP page open to?

I am using Kohana and am used to triggering exceptions (404, runtimes, etc).

But I recently read a book (19 Sins in Software Security) that says a site in an unstable state (i.e. in a page triggered by an exception) is open to critical attacks.

I am worried because most of the time I am throwing 404 exceptions if a page is not allowed to be accessed or another exception if parameters passed to functions are not of the expected type.

+1  A: 

If a page is not allowed to be accessed, you should send the 403 Forbidden header instead of the 404 Not Found.

Exceptions open a site to no special vulnerabilities - but frequent throwing of exceptions is a hint that your code is suboptimal and unstable. Remember: Exceptions are the last straw you have, not the first solution you should consider.

Martin Hohenberg
Perhaps you meant that not handling exceptions is the last straw you have?
Ignas R
Hm... what I have is a page that can "only be accessed once", which means that if I perform a redirect from it and the user pushes the browser back button, I throw a 404.
Ygam
A: 

In your case, it sounds like the exceptions you are using present no particular security vulnerabilities.

However, they can if error_reporting is set to on (it shouldn't be in production, but if it was..) in that the default exception output presents a backtrace. A good example of this is that when connecting to your DB, if you are using PDO with exceptions on and the connection fails, a PDO exception is thrown, whose default output contains the arguments provided to the PDO object (i.e. your db name and password).

Rob Tuley
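
An added example, not part of either answer: one way to keep a failed PDO connection from putting its constructor arguments in front of a visitor. The DSN, credentials and the `connectDb` name are constructed for illustration; the `zend.exception_ignore_args` setting assumes PHP 7.4 or later.

```php
<?php
// Added example; the DSN, credentials and function names are constructed.

// Production settings: never render errors to the client, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// PHP 7.4+: leave call arguments out of exception backtraces altogether,
// so a logged or printed trace cannot contain the password.
ini_set('zend.exception_ignore_args', '1');

// Last-resort handler: detail goes to the server log, the client gets a
// generic 500 with no message, file path or backtrace.
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage());
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Internal error';
});

function connectDb(string $dsn, string $user, string $password): PDO
{
    try {
        return new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Log only the driver error code, not the trace that carries
        // the constructor arguments.
        error_log('DB connection failed, code ' . $e->getCode());
        // Throw a fresh exception without chaining $e as "previous",
        // so the original trace is not carried along.
        throw new RuntimeException('Database unavailable');
    }
}

// Constructed DSN pointing at a closed port, so the connection fails.
connectDb('mysql:host=127.0.0.1;port=1;dbname=app', 'app_user', 'constructed-password');
```

Run from the command line, this prints only `Internal error`; the failure detail is written to the PHP error log.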