views: 76

answers: 4

Hello. For the past three months I've been working for an Indian NGO (http://sevamandir.org), doing some volunteer work in the field but also trying to improve their website, which needs a ton of work. Recently I've been trying to fix the "subscribe to newsletter" button, which is broken. I used filter_var to filter the email input, but when I tried to test this out I got an error. Then I learned that the web host is still using PHP version 4.3.2 and register_globals is turned on.

I've mentioned that they should upgrade their web host before (they are paying around $50 per year for Rediff Web Hosting, complete with 100MB storage and 1 MySQL database). That would add a lot of complexity for the IT staff of 3, who would have to update everyone's email information (I assume? this is a 250-person organization), and have me find a new web host and teach them about it. The staff isn't that sophisticated about web usage - the head guy still uses IE6, and the website's laid out in tables (they use Dreamweaver WYSIWYG to lay out pages).

So I've got two options - use regular expressions to filter the email, which I'm not that skilled at doing (and would be more vulnerable to exploitation after I leave), turn off register globals and then try to teach the staff what I'm doing, or try to get them to upgrade their versions of PHP and MySQL and/or change web host. I'd appreciate some advice.

Thanks for your help, Kevin

A: 

What I would do:

- Fix your main issue ASAP: parse the email using a regexp; you can find some quite easily with Google.
- Discuss with the team about upgrading/migrating your host. Fixing the email problem first allows you to take your time in this matter.

I won't turn off register globals, because you might face many more problems on the other pages of the website. But this can remain in your 'todo list' as it would be a good update.

Rodolphe

I don't think there are any other forms on the website - there's one to send people to a Google site search page and one to send people to Paypal, but that's it.

Kevin Burke

A: 

First, I'd make the application run properly and as safely as possible in that environment, with regexes if necessary.

Then, I'd talk to the IT people. They need to upgrade their web package at some point and that point is already long past. PHP 4.3.2 is out and not supported any more at all (see here). That means that if a vulnerability is detected, it's not guaranteed to get a fix (although it's still pretty likely due to the number of hosts not having switched yet).

Better do the switch now than later.

It's not really clear from your description how the people in the organization use e-mail (do they have their own mail clients? do they use webmail?), but if they use their own mail clients, the "only" issue will be moving the mailboxes to a new host.

While that may take a few painful days to move all the mailboxes and redirects, and get everything running - including setting up everybody's workplace with the new data - it is not impossible to do, and will hardly add any long-term strain.

Pekka
A: 

If security is a really big deal, then you need to introduce a layer to tackle intrusion. There are a few options in PHP land, but they all seem to require >5.1.4. Therefore I'd look at maybe installing mod_security if the web server layer is running Apache. That way your application will be protected not just from POST injections, but GET injections and COOKIE exploitations as well. Secondly, it'll future-proof the application if next week they add another form to it without your knowledge.

It does sound though as if you've got your hands tied, and I'll be honest with you, if the company holds, or intends to hold any personal information about their users, or sensitive information about the company in an area accessible by the application, security is not a series of hacks or hotfixes, it's a serious commitment to a graceful and correct solution.

Best of luck.

flungabunga
A: 

The standard regex to check for RFC822 compliance is VERY ugly:

/^(?:[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[A-Za-z0-9-]*[A-Za-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])$/

from http://www.regular-expressions.info/email.html (hopefully it cut/pasted ok).

But implementing this will just delay your pain. A webhost still living in the register_globals = on days should be dumped as soon as possible. It's just begging to be subverted.

Marc B
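One PHP 4 compatible way to apply the advice from this thread (a preg_match() check instead of filter_var(), which only exists from PHP 5.2, and explicit $_POST access so register_globals cannot pre-populate the variable). This is an added example, not code from the question or from any of the answers; it assumes the newsletter form posts a field named "email".

```php
<?php
// Added example, not from the original thread. Assumes PHP 4.3.2 with
// register_globals = On and a form field named "email".

// Validate an address with preg_match() (PCRE is bundled with PHP 4).
// This is a pragmatic pattern, not the full RFC 822 regex quoted above:
// one local part, one "@", a dotted domain ending in an alphabetic TLD.
function is_valid_email($email)
{
    // Cap length so oversized input never reaches the regex engine.
    if (!is_string($email) || strlen($email) > 254) {
        return false;
    }
    // Refuse control characters (CR/LF included) before the value can
    // reach mail() headers or the database.
    if (preg_match('/[\x00-\x1f\x7f]/', $email)) {
        return false;
    }
    $atom    = '[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]+';
    $pattern = '/^' . $atom . '(?:\.' . $atom . ')*@'
             . '(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+'
             . '[A-Za-z]{2,}$/';
    return preg_match($pattern, $email) === 1;
}

// Read the address explicitly from $_POST. With register_globals = On a
// bare $email is already populated from any GET/POST/cookie value, so
// never rely on it being unset or trustworthy: initialise it yourself.
function get_posted_email()
{
    if (!isset($_POST['email'])) {
        return '';
    }
    return trim($_POST['email']);
}

$email = get_posted_email();
if (is_valid_email($email)) {
    // Safe to hand to the subscription step from here.
    echo 'Subscribed: ' . htmlspecialchars($email);
} else {
    echo 'Please enter a valid email address.';
}
?>
```

Turning register_globals off is still the right long-term fix; the explicit $_POST read just keeps this one form safe until the host is upgraded.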