itextsharp pdf to image converter c# : Create a fillable pdf form from a pdf control Library utility azure asp.net windows visual studio 2011UsenixWebApps0-part372

PHP Aspis: Using Partial Taint Tracking
To Protect Against Injection Attacks
IoannisPapagiannis
Imperial CollegeLondon
Matteo Migliavacca
Imperial CollegeLondon
Peter Pietzuch
Imperial CollegeLondon
Abstract
Web applicationsare increasingly popularvictimsofse-
curity attacks. Injection attacks, such as Cross Site
Scripting or SQL Injection, are a persistent problem.
Eventhoughdevelopersareawareofthem,thesuggested
best practices for protection are error prone: unless all
userinputisconsistentlyfiltered,anyapplicationmaybe
vulnerable. Whenhostingwebapplications, administra-
tors face a dilemma: they can only deploy applications
thataretrustedortheyrisktheirsystem’ssecurity.
To prevent injection vulnerabilities, we introduce
PHP Aspis: a source code transformation tool that ap-
pliespartialtainttrackingatthelanguagelevel.PHPAs-
pis augments values with taint meta-data to track their
origin in order to detectinjection vulnerabilities. To im-
proveperformance,PHPAspiscarriesouttaintpropaga-
tiononlyinanapplication’smostvulnerableparts: third-
party plugins. We evaluate PHP Aspis with Wordpress,
apopular open source weblog platform, and show that
itpreventsallcode injection exploitsthat were found in
Wordpresspluginsin2010.
1 Introduction
The most common types of web application attacks in-
volvecodeinjection[4]:Javascriptthatisembeddedinto
thegeneratedHTML(CrossSiteScripting,orXSS),SQL
thatispartofagenerateddatabasequery(SQLInjection,
or SQLI) or scripts that are executed on the web server
(Shell Injection and Eval Injection). These attackscom-
monlyexploitthewebapplication’strustinuser-provided
data. If user-provided data are not properly filtered and
sanitised before use, an attacker can trick the applica-
tioninto generatingarbitraryHMTLresponsesandSQL
queries,orevenexecuteuser-supplied,maliciouscode.
Even though web developers are generally aware of
code injection vulnerabilities, applications continue to
sufferfromrelevantexploits. In2010,23.9%ofthe total
reportedvulnerabilitiestotheCVEdatabasewereclassi-
fied as SQLIorXSS [12]. Morover,injection vulnera-
bilitiesareoftencommoninthird-partypluginsinsteadof
thewell-testedcore ofawebapplication: in2010,10out
of 12 reported Wordpress injection exploits in the CVE
database involvedpluginsandnotWordpressitself.
Suchvulnerabilitiesstillremainbecausesuggestedso-
lutions often require manual tracking and filtering of
user-generateddata throughoutthesourcecode ofanap-
plication. Yet, even a single unprotected input chan-
nel in an application is enough to cause an injection
vulnerability. Thus, less experienced and therefore less
security-conscious developers of third-party plugins are
morelikelytowritevulnerablecode.
Pastresearchhassuggestedruntimetainttracking[19,
18, 14] as an effective solution to prevent injection ex-
ploits. In this approach, the origin of all data within
the application is tracked by associating meta-data with
strings. When anapplicationexecutesa sensitive opera-
tion,suchasoutputtingHTML,thesemeta-dataare used
to escape potentially dangerous values. The most effi-
cient implementation of taint tracking iswithin the lan-
guage runtime.Runtimetainttrackingisnotwidelyused
in PHP, however, because it relies on custom runtimes
thatare notavailable in productionenvironments. Thus,
developersareforcedtoavoidvulnerabilitiesmanually.
We show that injection vulnerabilities in PHP can be
addressedbyapplyingtainttrackingentirelyatthesource
code level without modifications to the PHP language
runtime. To reduce the incurred performance overhead
duetoextensivesourcecoderewriting,weintroducepar-
tial taint tracking, which limits taint tracking only to
functionsofthewebapplicationinwhichvulnerabilities
aremorelikelytooccur. Partialtainttrackingeffectively
capturesthe different levelsoftrust placedinto different
parts of web applications. It offers better performance
becausepartsoftheapplicationcoderemainunchanged.
We demonstrate this approach using PHP Aspis
1
, a
1AnAspiswasthecircularwoodenshieldcarriedbysoldiersinan-
cientGreece.
1
Create a fillable pdf form from a pdf - C# PDF Field Edit Library: insert, delete, update pdf form field in C#.net, ASP.NET, MVC, Ajax, WPF
Online C# Tutorial to Insert, Delete and Update Fields in PDF Document
create a pdf form that can be filled out; add signature field to pdf
Create a fillable pdf form from a pdf - VB.NET PDF Field Edit library: insert, delete, update pdf form field in vb.net, ASP.NET, MVC, Ajax, WPF
How to Insert, Delete and Update Fields in PDF Document with VB.NET Demo Code
add fillable fields to pdf online; add an image to a pdf form
toolthatperformstainttrackingonlyonthird-partyplug-
insby rewriting theirsource code to explicitly trackand
propagate theoriginofcharactersinstrings. PHPAspis
augmentsvaluesto include taint meta-data and rewrites
PHPstatementstooperate inthepresence of taintmeta-
data and propagate these correctly. PHP Aspis then
uses the taint meta-data to automatically sanitise user-
provided untrusted values and transparently prevent in-
jection attacks. Overall, PHP Aspis does not require
modificationstothePHPlanguageruntime ortotheweb
server.
Ourevaluationshowsthat,byusingpartialtainttrack-
ing, PHP Aspis successfully prevents most XSS and
SQLIexploitsreportedinpublicWordpresspluginssince
2010.Pagegenerationtimeissignificantlyreducedcom-
paredtotrackingtaintintheentireWordpresscodebase.
Insummary,thecontributionsofthispaperare:
• a taint tracking implementation for PHP that uses
source codetransformationsonly;
• amethodforapplyingtainttrackingonlytopartsof
awebapplication,inwhichexploitsare morelikely
tooccur;
• animplementationofacodetransformationtooland
its evaluation with real-world exploits reported in
theWordpressplatform.
The next section provides background on code injec-
tionvulnerabilitiesandintroducespartialtainttrackingas
asuitable defence. In §3, we describe our approach for
achievingtaintpropagationinPHPbasedoncoderewrit-
ing,andweshowhowtolimitthescopeoftainttracking
topartsofa codebase. Finally,we evaluate ourapproach
bysecuringWordpressin§4andconcludein§5.
2 Preventing Injection Vulnerabilities
2.1 Injection Vulnerabilities
Consideraweblogwithasearchfield.Typically,inputto
the search field results in a web request with the search
termasaparameter:
http://goodsite.com/find?t=spaceship
Aresponseofthewebservertothisrequestmaycontain
the followingfragment:
<p> The term ``spaceship ' ' was not found. </p>
The important element ofthe above response isthat the
user-submittedsearchtermisincludedasisintheoutput.
Thiscanbeeasilyexploitedbyanattackertoconstructan
XSSattack.TheattackerfirstcreatesthefollowingURL:
http://goodsite.com/find?t=<script\%20
src='http://attack.com/attack.js'/>
0
2
4
6
8
10
12
14
16
18
20
2002
2003
2004
2005
2006
2007
2008
2009
2010
Total Vulnerabilities (%)
Year
XSS
SQLI
Figure1: HistoricalpercentageofXSSand SQLIinallCVE
vulnerabilities
When an unsuspecting user clicks on this link, the fol-
lowingHTMLfragmentisgenerated:
<p> The term ``<script src='http:// attack.com/
attack.js ' />'' was not found. </p>
The victim’s browser then fetches the malicious
Javascript code and executes it. Since the HTML doc-
ument originated from
goodsite.com
,the scriptisex-
ecutedwith full access to the victim’s web browserses-
sion.Iftheuserhasanaccountwiththisweblogandisal-
readyloggedon,theircookiescanbesenttotheattacker.
Ingeneral,the scriptcan issue any unverified operations
onbehalfofthe user.
SQLInjectionattacksareanalogous: theytakeadvan-
tage of applications that process user input to form an
SQLquery to a database. Similarly, Eval and Shell In-
jection attacks target PHP’s
eval()
and
exec()
state-
mentsrespectively. Since these statementsexecute arbi-
trary code at runtime, such anattack caneasily compro-
misethe hostmachine.
Figure 1 shows the percentage of reported SQLI and
XSS vulnerabilities in recent years, as classified in the
CVE database. Both problems continue to affect appli-
cations despite an increase of developer awareness. Ta-
ble 1 shows our classification of vulnerabilities for two
popularopensourcewebplatforms,WordpressandDru-
pal. Codeinjectionvulnerabilitiesare the most common
typeinboth,with higherpercentagescomparedtotradi-
tional applications acrossall programming languages in
Figure 1. By relying on prepared statements, an auto-
matedwaytoavoidSQLI(see§2.2),theDrupalplatform
hascomparativelyfewsuchexploits.
2.2 Existing Practices
The traditional approachto addressinjection vulnerabil-
itiesistotreatallinformation thatmay potentiallycome
fromtheuserasuntrusted—itshouldnotbeusedforsen-
sitiveoperations,suchaspagegenerationorSQLqueries,
unlessproperly sanitised orfiltered. In the previousex-
ample, a proper sanitisation functionwould translate all
2
C# Create PDF Library SDK to convert PDF from other file formats
Create fillable PDF document with fields. Load PDF from existing documents and image in SQL server. Load PDF from stream programmatically.
adding a signature to a pdf form; add editable fields to pdf
VB.NET Create PDF from OpenOffice to convert odt, odp files to PDF
Edit Bookmark. Metadata: Edit, Delete Metadata. Form Process. Create PDF document from OpenOffice Text Document with ODT, ODS, ODP forms into fillable PDF formats
create a pdf form in word; change pdf to fillable form
Num.ofOccurrences
Type
Wordpress
Drupal
CrossSiteScripting
9
28
SQLInjection
3
1
InformationLeakage
1
0
InsufficientAccessControl
1
9
EvalInjection
0
1
CrossSiteRequestForgery
1
0
Table1:Webapplicationvulnerabilitiesin2010
characters with special meaning in HTML to their dis-
play equivalents(e.g. “
<
”to“
&lt;
”). Sanitisationfunc-
tionssuchas
htmlentities()
or
escapeshellarg()
are part of the PHP language. After sanitisation, the
string can safely be echoed to the client because it can
nolongerchange the semanticsofthe output. SQLI fil-
tering functionsoperatesimilarlybuttheyalsocheckfor
user-providedSQLkeywordsinthequery[13,19].
Unfortunately,sanitisationfunctionsaredifficulttoap-
plyinpractice. Eachsensitiveoperationrequiresadiffer-
entsanitisationfunction. Forexample,ifthesamestring
isechoed tothe userand used aspart of anSQL query,
twodifferentstringsmustbegeneratedbasedontheorig-
inal value. Centralisedfiltering of inputdata when they
arereceivedisimpracticalbecausethereisnosingledata
representation that is both meaningful and secure in all
possible contexts. For example, the string “
WHERE
” is
safe in HTMLbut not in an SQLquery. Therefore,de-
velopershavetopropagatetheoriginaluserdataandonly
sanitisethembeforebeingused.
In addition, sanitisation assumes that developers can
effectively trackthe originofdata andenforcethatuser-
generateddata alwayspassthroughtheirrespective sani-
tisationfunction.Inpractice,left-outchecksbyinexperi-
enceddevelopersorunforeseeninteractionsthatresultin
unexpecteddataflow (e.g.assuming that ascript cannot
becalledfromanexternaluser)arelikelytooccur.
2.2.1 Static Approaches
Past researchhassuggested static analysis toolsthatde-
tectinjectionvulnerabilitiesinPHPscripts.Pixy[11]and
WebSSARI[10]relyondata flow analysistodetectsen-
sitive functionsthat may receive userdata without sani-
tisation and produce warnings. Wassermannand Su[16]
modelstringvaluesandoperationsasgrammarsandthen
inspect thembefore queryoperations to reduce thefalse
positiverate forSQLIdetection. XieandAiken[17]use
symbolic execution to support PHP’s dynamic features
andreportalowfalsepositiverate.
Althoughstaticanalysistoolsdonotintroduceruntime
overhead,theyarenotfullyautomated,cannotsupportall
PHPfeaturesand do notalwaysachievea lowfalse pos-
itive rate. In addition,they cannothandlevulnerabilities
that involve the file systemorthe database. Asa result,
suchtoolsarenotwidelyusedforPHPdevelopment.
Prepared statementsare away toavoidSQLIexploits.
Instead of concatenating queries, an application defines
static placeholder queries with parameters filled in at
runtime. Parameters passed to the placeholders cannot
change thesemanticsofthe query,asitsstructure isde-
termined in advance when the statementisprepared. In
practice,manyPHPapplicationsdonotusethembecause
theywerenottraditionallysupportedbyPHPorMySQL
andinsteadmanuallysanitiseSQLqueries.
2.2.2 Dynamic TaintTracking
Adynamic approach to addressing injection vulnerabil-
itiesinexisting applications whenthey occur is runtime
taint tracking [19, 6]. It automates the tracking of the
origin of data and enforcesthat data pass through their
respective sanitisation functions. Runtime tainttracking
involvesthreedifferentsteps:
1. Dataentrypoints.Alldataenteringtheapplication
that may originate from the user are transparently
augmentedwithtaint meta-data. Theformofthese
meta-datamayvary: fromone bitthat marksthata
particularstringisuser-provided(ortainted)[14]to
apointerthatlinkstoarbitrarypolicyobjects[19].
2. Taint propagation. As the application processes
data, the runtime system transparently propagates
the associated taint meta-data. For example, when
ataintedstring is concatenated with anotherstring,
theresultmustbe markedastainted.
3. Guardedsinks.Everyoperationthatcanbeusedin
aninjectionvulnerability(e.g.
echo()
and
eval()
)
isintercepted. The interceptorexamines the corre-
spondingtaintmeta-dataandcallsthe relevantsani-
tisationfunctionorabortstheoperation.
Tainttrackinghasbeenshowntobeeffectiveinsecur-
ing existing web applications [19, 18, 9, 14, 6]. Com-
pared to static approaches, it does not require either de-
bugging or refactoring an existing codebase. Perl and
Rubysupport it in someform(throughPerl’staintmode
and Ruby’ssafe levels) but not PHP. Taint tracking can
beappliedtoPHPbymodifyingthecoreofthePHPrun-
time [19]. Typically, it has been implemented by aug-
mentingtheinterpreter’s
zval
structwithtaintdata.Sim-
ple approaches[13,14] assign one bitoftaint meta-data
perstringcharacterandpropagatethatmeta-datatosinks
independentlyoftheapplication’ssanitisationefforts.
Later systems stored more meta-data per character in
order to provide more fine-grained guarantees. Neme-
sis [7] usestwo taint bitsto automatically infer authen-
tication and enforce access control. Resin [19] uses a
pointer to arbitrary policy objects that can be also used
3
C# Create PDF from OpenOffice to convert odt, odp files to PDF in
Create PDF document from OpenOffice Presentation in both .NET WinForms and ASP.NET NET control to change ODT, ODS, ODP forms to fillable PDF formats in Visual
best way to make pdf forms; pdf form creation
VB.NET Create PDF Library SDK to convert PDF from other file
Create fillable PDF document with fields in Visual Basic .NET application. Load PDF from existing documents and image in SQL server.
create a fillable pdf form in word; add text fields to pdf
topreventinjectionvulnerabilities.
Xu et al. [18] suggest that a taint tracking implemen-
tationinC can be usedto compilethe PHPruntime and
transparentlyadd taint tracking support. Their approach
ignores sanitisation efforts of the hosted PHP applica-
tion and therefore suffers from false positives. Also, it
does not support different policies for different applica-
tions running in the same runtime, a common scenario
formanyPHPdeployments.
However, unless taint tracking is considered part of
PHP and is officially adopted, third party implementa-
tionsare impractical. Asthe PHPmanualputsit:
“modifications to the Zend
2
engine should be
avoided. Changes here result in incompati-
bilities with the rest of the world, and hardly
anyone will ever adapt to specially patched
Zend engines. Modificationscan’tbedetached
fromthemainPHPsourcesandareoverridden
withthenextupdateusingthe“official”source
repositories. Therefore, thismethod is gener-
allyconsideredbadpractice”
In the past, taint tracking support has been suggested
as a feature to the PHP community but it has not been
adopted,partlybecauseoffearsthatitmayleadtoafalse
senseofsecurity[15].
2.3 Partial TaintTracking
PHP is the most popular web development language,as
indicated by web surveys [2], and its gentle learning
curve oftenattractslessexperienceddevelopers. Inexpe-
rienced developers are more likely to extend webappli-
cationsthroughthird-partycodeintheformofplugins.
Such extensibility is frequently a popular feature for
web applicationsbut leadstoa significant securitythreat
fromplugins. In2009,theCVEdatabasereportedthatthe
Wordpress platform suffered from 15 injection vulnera-
bilities, out of which 13 were introduced by third-party
pluginsandonly 2 involved the core platform. In 2010,
the breakdown wassimilar: 10 vulnerabilitieswere due
topluginsandonly2duetoWordpressitself.
Asaresult,notallapplicationcodeisequallyproneto
injectionvulnerabilities.Forexample,Wordpressspends
much of its page generation time in initialisation code,
setting up the platform before handling user requests.
Thisinvolvestime-consumingstepssuchasqueryingthe
database forinstalledplugins, settingthemup, and gen-
eratingstaticpartsoftheresponseinvolvingtheme-aware
headersandfooters.
Injectionvulnerabilities,onthe otherhand,tendtoap-
pear in code that handlesuser-generated content: CVE-
2010-4257, an SQLI vulnerability, involved a function
2
ZendisthenameoftheofficialPHPscriptingengine
PHP Aspis Transformed Application
Taint-Tracking Code
Non Tracking Code
"spaceship"
Taint
PHP Statements
Library Calls
Sanitization Operations
HTML output
<p>spaceship</p>
SQL query
WHERE p=spaceship
Eval statement
spaceship()
1
2
3
4
Guarded sinks
Input
HTTP request
Figure2:PartialtainttrackingusingPHPAspis
that handles track-backs after a user published a post;
CVE-2009-3891, an XSSvulnerability, involveda func-
tion that validates uploaded files; and CVE-2009-2851
andCVE-2010-4536,againXSSvulnerabilities,involved
multiplefunctionsthatdisplayusercomments.
Weexploitthisobservationbyintroducingpartialtaint
tracking, which only transforms the source code of the
most vulnerable parts of an application in order to sup-
port taint tracking. By relying on source-level transfor-
mations, partial taint tracking does not require the de-
velopmentandmaintenance ofamodifiedversionofthe
PHPruntime.
Weuseasimpleapproachtodecidewhentotracktaint:
wefocusonpartsofthird-partypluginsthathandle user-
generated data. This restricts source code transforma-
tionsto a small fraction of the codebase ofa web appli-
cation. Asa consequence, we mitigate the large perfor-
mancepenaltythatexhaustivetainttrackingatthesource
levelwouldincur.
3 PHPAspis
We describe the designand implementationofPHPAs-
pis, a PHP source code transformation tool for partial
taint tracking. Figure 2 presents an overview of how
PHP Aspis transforms applications. First, it modifies
codethatreceivesdata from usersand marksthe data as
user-generated (label 1). Second, it divides the applica-
tion’scodebase in twodifferent categories: tracking and
non-trackingcode. Insteadoftrackingtaintuniformly,it
focuses on parts of the codebase that are more likely to
contain code injection vulnerabilities(label 2). Intrack-
ing code, PHP Aspis records the origin of data at the
characterlevel andfiltersdata atoutput statementswhen
an injection vulnerabilitycould exist (label 3). For non-
tracking code,itdoesnotperformtainttracking,trusting
thecode nottobevulnerable(label4).
Nextweintroducetherepresentationoftaintmeta-data
used to record the origin of the data in each variable.
In §3.2, we describe the transformations that canbe ap-
4
VB.NET Create PDF from PowerPoint Library to convert pptx, ppt to
Convert multiple pages PowerPoint to fillable and editable PDF documents. Easy to create searchable and scanned PDF files from PowerPoint.
best pdf form creator; pdf add signature field
VB.NET Create PDF from Word Library to convert docx, doc to PDF in
formatting. Create PDF files from both DOC and DOCX formats. Convert multiple pages Word to fillable and editable PDF documents. Professional
create a pdf form online; change font size pdf form reader
Sanitisation
htmlentities()
functions
htmlspecialchars()
Guardedsinks
echo()
)
AspisAntiXss()
print()
)
AspisAntiXss()
:::
Table2:ExcerptofthedefinitionoftheXSStaintcategory
plied to PHP source code to (a) ensure itscorrect oper-
ation in the presence of taint meta-data; (b) propagate
taint meta-data correctly; and (c) attach checks that in-
spect taint meta-data before each “sensitive” operation.
Finally,we discusshowthenon-trackingcode caninter-
actwiththe partsoftheapplicationthathave beentrans-
formedtotracktaintin§3.3
3.1 Taint Representation
PHPAspisusescharacter-level tainttracking,i.e.tracks
thetaintofeachstringcharacterindividually[19]. Tradi-
tionalvariable-level tainttracking implementations (e.g.
Ruby’ssafelevels)requirethedevelopertountaintvalues
explicitly before they are used. Instead,PHP Aspispre-
ventsinjectionattackstransparently,andforthis,itneeds
toknowtheexactcharactersthatoriginate fromthe user.
Forexample,consideran applicationthatconcatenatesa
user-providedvalue witha staticHTMLtemplate,stores
the result in
$v
andthen returns
$v
totheclient asa re-
sponse. Inferringthatvariable
$v
istaintedisoflittleuse
because
$v
also contains application-generated HTML.
Instead, PHP Aspis uses character-level taint meta-data
andonlysanitisestheuser-generatedpartsof
$v
.
3.1.1 TaintCategories
PHPAspiscantrack multiple independentanduserpro-
videdtaintcategories. Ataint categoryisa genericway
ofdefininghowanapplicationissupposedtosanitisedata
and how PHPAspisshould enforce that the application
alwayssanitisesdatabeforetheyare used.
Each taint category is defined as a set of sanitisation
functionsand a set of guarded sinks. Sanitisation func-
tions can be PHP library functions or can be defined
by the application. A sanitisation function is called by
the application to transform untrusted user data so that
they cannot be used for a particular type of injection
attack. Commonly, sanitisation functions either trans-
formunsafecharactersequencestosafeequivalents(e.g.
htmlentities
)orfilteroutasubsetofpotentiallydan-
gerousoccurrences(e.g.byremoving
<script>
butnot
<b>
). Calls to sanitisation functions by the application
are intercepted and PHP Aspis untaintsthe correspond-
ingdatatoavoidsanitisingthemagain.
Guarded sinks are functions that protect data flow to
sensitive sink functions. When a call to a sink function
ismade,PHPAspisinvokesthe guard with referencesto
the parameters passed to the sink function. The guard
is a user-provided function that has access to the rele-
vant taint category meta-data and typically invokes one
ormore sanitisationfunctionsforthattaintcategory.
For example, Table 2 shows an excerpt of an XSS
taintcategorydefinition. It specifiesthata user-provided
string can be safely echoed to the user after either
htmlentities
or
htmlspecialchars
has been in-
voked on it. The second part exhaustively lists all func-
tions that can output strings to the user (e.g.
echo
,
print
, etc.) and guards them with an external filter-
ing function (
AspisAntiXss
). The guard either aborts
theprintoperationorsanitisesanyremainingcharacters.
The administratorcanchangethe definitionsoftaintcat-
egoriesaccordingtotherequirementsofthe application.
By listing all the sanitisation functions ofan applica-
tionintherelevanttaintcategory,PHPAspiscanclosely
monitor the application’s sanitisation efforts. When ap-
pliedtoa welldesignedapplication, PHPAspisuntaints
userdataastheygetsanitisedbythe application,butbe-
fore they reach the sink guards. Thus, sink guards can
apply a simple, application agnostic, sanitisation opera-
tion(e.g.
htmlentities
)actingasa“safetynet”.
On the other hand, an application may not define ex-
plicit sanitisation functions or these functions may be
omitted from the relevant taint category. In such cases,
sinkguardshavetoreplicatethefilteringlogic oftheap-
plication. Ingeneral, however, sinkguardslackcontex-
tual information and this prevents them from enforcing
context-aware filtering,e.g.guardscannotenforcesaniti-
sationthatvariesaccordingtothe currentuser.
Adifferenttaintcategorymustbeusedforeachtypeof
injection vulnerability. PHPAspistracksdifferent taint
categoriesindependently from each other. For example,
whena sanitisation functionof anXSS taintcategory is
calledonastring,thestringisstillconsideredunsanitised
forallothertaintcategories. Thisensuresthata sanitisa-
tionfunctionforhandlingonetype ofinjection vulnera-
bilityisnotusedtosanitisedataforanothertype.
3.1.2 Storingtaintmeta-data
Itischallengingtorepresenttaintmeta-datasothatitsup-
ports arbitrary taint categories and character-level taint
tracking. ThisisduetothefollowingpropertiesofPHP:
P1 PHP is not object-oriented. Although it supports
objects, built-in types such as
string
cannot be
augmentedtransparently withtaint meta-data. This
precludes solutions that rely on altered class li-
braries[6].
P2 PHPdoesnotofferdirectaccesstomemory. Anyso-
lutionmusttrackPHPreferencesbecausevariables’
memoryaddressescannotbe used[18].
5
VB.NET Create PDF from Excel Library to convert xlsx, xls to PDF
Link: Edit URL. Bookmark: Edit Bookmark. Metadata: Edit, Delete Metadata. Form Process. Create fillable and editable PDF documents from Excel in Visual
allow users to save pdf form; pdf form save with reader
C# Create PDF from Excel Library to convert xlsx, xls to PDF in C#
Create fillable and editable PDF documents from Excel in both .NET WinForms and ASP.NET. Create searchable and scanned PDF files from Excel.
adding a text field to a pdf; change font size in pdf fillable form
String
Taintmeta-data
$s='Hello'
array(0=>false)
$n='John'
array(0=>true)
$r=$s.$n
array(0=>false, 5=>true)
Table 3: Representation of taint meta-data for a single taint
category
P3 PHPusesdifferentassignmentsemanticsforobjects
(“byreference”)comparedto othertypesincluding
arrays(“bycopy”). Thisdoesnotallowforthe sub-
stitution of any scalar type with an object without
manuallycopyingobjectstoavoidaliasing.
P4 PHPisadynamicallytypedlanguage,whichmeans
thatthereisno genericmethod to staticallyidentify
allstringvariables.
Duetothese properties,oursolutionreliesonPHPar-
raystostoretaintmeta-databyenclosingtheoriginalval-
ues. Table 3showshow PHPAspis encodestaint meta-
data forasingletaintcategory. Foreachstring,PHPAs-
pis keeps an array of character taints, with each index
representing the first character that hasthistaint. In the
example, string
$s
is untainted,
$n
is tainted and their
concatenation,
$r
, it untainted from index 0 to 4, and
taintedfrom index 5onwards. Numericalvaluesuse the
same structure for taint representation but only store a
commontaintforalldigits.
Taintmeta-data mustremainassociatedwiththevalue
thattheyreferto.AsshowninTable4,wechoosetostore
themtogether. First,allscalarssuchas
'Hello'
and
12
are replaced witharrays(rows1and2). Werefertothis
enclosing array asthe value’sAspis. The Aspiscontains
the originalvalue and anarrayofthe taint meta-data for
allcurrentlytrackedtaintcategories(
TaintCats
). Sim-
ilarly, scalarswithin arrays are transformed into Aspis-
protectedvalues.
According to P4, PHP lacks static variable type in-
formation. Moreover, it offers type identification func-
tions at runtime. When scalars are replaced with ar-
rays, the system must be able to distinguish between
an Aspis-protected value and a proper array. For this,
we enclose the resulting arrays themselves in an Aspis-
protectedvalue,albeitwithoutanytaint(
false
inrows3
and 4). The original value of a variable can always be
foundat index0 whenAspis-protected. Objectsare han-
dled similarly. Aspis-protected valuescan replace origi-
nalvaluesinallplacesexceptforarraykeys: PHParrays
can only use the types
string
or
int
as keys. To cir-
cumvent this, the key’s taint categories are attached to
the content’sAspis(
KeyTaintCats
)andthekeyretains
itsoriginaltype (row5).
Overall,thistaintrepresentationiscompatiblewiththe
language propertiesmentioned above. Byavoidingstor-
Originalvalue
Aspis-protectedvalue
1.
'Hello'
array(
'Hello',TaintCats
)
2.
12
array(12,TaintCats)
3.
array()
array(
array()
,false)
4.
array('John')
array(
array(
array(
'John',TaintCats
)
)
,false)
5.
array(13=>20)
array(
array(13=>
array(
20,ContentTaintCats,
KeyTaintCats
)
)
,false)
Table4:Augmentingvalueswithtaintmeta-data
ingtaintinsideobjects,weensurethatanassignmentcan-
notleadtotwoseparatevaluesreferencingthesametaint
category instances (P3). By storing taint categories in
place, we ensure that variable aliasing correctly aliases
taints (P2). Finally, by not storing taint meta-data sep-
arately, the code transformationsthat enable taint prop-
agation can be limited to correctly handling the origi-
nal, Aspis-protected values. As a result, the structure
of the application in terms of functions and classes re-
mainsunchanged,which simplifiesinteroperabilitywith
non-trackingcodeasexplainedin§3.3.
3.2 Taint-tracking Transformations
Based on this taint representation, PHP Aspis modifies
anapplicationtosupporttainttracking.Werefertothese
source code transformations as taint-tracking transfor-
mations. These transformations achieve the three steps
described in §2.2.2 required for runtime taint tracking:
dataentrypoints,taintpropagationandguardedsinks.
3.2.1 DataEntryPoints
Taint-tracking transformations must mark any user-
generateddataasfullytainted,i.e.alltaint meta-data for
every taint category in an Aspis-protected value should
be setto
true
. Any input channel suchasthe incoming
HTTP request that isnot under the direct control of the
applicationmaypotentiallycontainuser-generateddata.
6
C# Create PDF from PowerPoint Library to convert pptx, ppt to PDF
Convert multiple pages PowerPoint to fillable and editable PDF documents. Easy to create searchable and scanned PDF files from PowerPoint.
adding form fields to pdf files; change font in pdf form
Originalexpression
Transformedexpression
$s.$t
concat($s,$t)
$l = &$m
$l=&$m
$j = $i++
$j=postincr($i)
$b+$c
add($b,$c)
if ($v) fg
if ($v[0]) fg
foreach
foreach
($a as $k=>$v)
($a[0] as $k=>$v)
f...g
frestoreTaint($k,$v)...g
Table 5: Transformations to propagate taint and restore the
originalsemanticswhenAspis-protectedvaluesareused
In each transformed PHP script, PHP Aspis inserts
initialisation code that (1) scans the superglobal arrays
to identify the HTTP request data, (2) replaces all sub-
mittedvalueswith theirAspis-enclosedcounterpartsand
(3)marksusersubmittedvaluesasfullytainted. Allcon-
stantsdefinedwithinthe scriptare also Aspis-protected,
however,they are markedasfullyuntainted (i.e.all taint
meta-dataforeverytaintcategoryhavethevalue
false
).
As a result, all initial values are Aspis-protected in the
transformedscript,taintedornot.
3.2.2 TaintPropagation
Next all statements and expressions are transformed to
(1) operate with Aspis-protected values, (2) propagate
theirtaintcorrectlyand(3)returnAspis-protectedvalues.
Table 5 lists some representative transformations for
commonoperationssupported by PHPAspis. Functions
intherightcolumnareintroducedtomaintaintheoriginal
semantics and/or propagate taint. For example,
concat
replacesoperationsforstringconcatenating in PHP(e.g.
double quotes or the concat operator “.”) and returns
an Aspis-protected result. Control statementsare trans-
formed to access the enclosed original values directly.
Only the
foreach
statement requires an extra call to
restoreTaint
torestorethe taint meta-dataofthe key
for subsequent statements in the loop body. The meta-
data is stored with the content in
KeyTaintCats
, as
showninrow5ofTable4.
PHP function library. Without modification, built-in
PHPfunctionscannot operate on Aspis-protected values
anddo not propagate taint meta-data. Since these func-
tions are commonly compiled for performance reasons,
PHPAspisusesinterceptorfunctionstointerceptcallsto
themandattachwrappersfortaintpropagation.
By default, PHP Aspis uses a generic interceptor for
built-infunctions. The genericinterceptorrevertsAspis-
protected parameters to their original values and wraps
return values to be Aspis-protected again. This default
behaviour isacceptable forlibrary functions that donot
propagate taint (e.g.
fclose
). However, the removal of
taintfromresultvaluesmayleadtofalsenegativesintaint
tracking. PHPAspisthereforeprovidescustomintercep-
torfunctionsforspecificbuilt-infunctions.Byincreasing
the numberofintercepted functions, we improve the ac-
curacyoftainttrackingandreduce falsenegatives.
The purpose of a custom interceptor is to propagate
taintfromtheinputparameterstothe returnvalues.Such
interceptorsrely onthe welldefinedsemanticsofthe li-
brary functions. When possible, the interceptor calcu-
lates the taint of the return value based on the taints of
theinputs(e.g.
substr
). Itthen removesthe taint meta-
data from the input values, invokes the original library
function and attaches the calculated taint to the result
value. Alternatively, the interceptor comparesthe result
value to the passed parameterand infersthe taintof the
result. As an example, assume that the interceptor for
stripslashes
receives a string with a taint category
array(0=>false,5=>true)
. The comparison of the
original to the result string identifiesthe actualcharacter
indices that
stripslashes
removed from the original
string;assume here,forsimplicity,thatonlyindex2was
removed. To calculate the taint of the result, the inter-
ceptor subtracts fromall taint category indices the total
numberofcharactersremoved before eachindex. Thus,
itreturns
array(0=>false,4=>true)
inthe givenex-
ample.Intotal,66providedinterceptorsusethismethod.
Forother functions, the interceptor can use the origi-
nal function to obtain a result with the correct taint au-
tomatically. Forexample,
usort
sorts an array accord-
ingtoauser-providedcallbackfunctionandthuscansort
Aspis-protected values without changes. If the callback
is a library function, the function is unable to compare
Aspis-protected elementsand callsto
usort
wouldfail.
When callbacksare used, custom interceptors introduce
anewcallbackreplacingtheold. Thatnewcallbackcalls
theoriginalcallbackafterremovingtaintfromitsparam-
eters.Intotal,21providedinterceptorsusedthismethod.
Incasesinwhichtheresulttaintcannotbedetermined,
suchasfor
sort
,aninterceptorprovidesaseparate,taint-
aware version of the original PHP library function. We
hadtore-implement19libraryfunctionsinthisway.
Ourcurrent prototypeintercepts106functions. These
include most of the standardPHP string library that are
enoughtoeffectivelypropagate taint inWordpress(§4).
Dynamic features. PHP has many dynamic features
suchasvariable variables,variablefunctioncallsandthe
eval
and
create
function
functions. These are not
compatible with Aspis-protected values, but PHP Aspis
mustneverthelessmaintaintheircorrectsemantics.
Variable variablesonlyrequire accessto the enclosed
string. A dynamic access to a variable named
$v
is
transformed from
$$v
to
$f$v[0]g
. Variable func-
7
tion calls that use variables or library functions (e.g.
call
user
func
array
)allow a script to call a func-
tion that is statically unknown. PHP Aspis transforms
these callsandinspectsthematruntime. Whena library
call isdetected, PHP Aspis generates an interceptor, as
describedintheprevioussection,atruntime.
The functions
eval
and
create
function
are used
to execute code generated at runtime. Since application
generatedcodedoesnotpropagatetaint,PHPAspismust
apply the taint-tracking transformations at runtime. To
avoidahighruntimeoverhead,PHPAspisusesacaching
mechanismsuchasZendCachewhenavailable.
3.2.3 GuardedSinks
PHP Aspis can protect code from injection vulnerabili-
tiesusingthetaintmeta-dataanddefinedtaintcategories.
Asdescribedin §3.1.1,guardfunctionsspecified aspart
of active taint categories are executed before the calls
to their respective sensitive sink functions. Guards use
PHP’s sanitisation routinesor define their own. For ex-
ample,weuseanSQLfilteringroutinethatrejectsqueries
withuser-providedSQLoperatorsorkeywords[13].
3.3 Partial TaintTracking
ThetainttrackingtransformationsusedbyPHPAspisre-
quire extensive changestothesourcecode,whichhasan
adverse impact on execution performance. To preserve
programsemantics,transformationsoften involve the re-
placement of efficient low-level operations by slower,
high-levelones(seeTable 5).
Partial taint tracking aims to improve execution per-
formance by limiting taint tracking to the parts of the
application in which injection vulnerabilities are more
likely toexist. Partialtainttrackingcanbeappliedatthe
granularity of contexts: functions, classes or the global
scope. The administratorcan assign each of these to be
ofthefollowingtypes: trackingornon-tracking.
Nextwediscusshowthepresenceofnon-trackingcode
reducestheability ofPHPAspistopreventexploits. We
alsopresent the additional transformationsthatare done
byPHPAspistosupportpartialtainttracking.
3.3.1 MissedVulnerabilities
Whenpartialtainttrackingisused,allcodemustbeclas-
sifiedintotrackingornon-trackingcode. Thisdecisionis
based on the trust that the application administrator has
inthedevelopersofa given part of the codebase. When
partsofthecodebaseareclassifiedasnon-tracking,injec-
tion vulnerabilities within this code cannot be detected.
Ontheotherhand,PHPAspismuststillbe abletodetect
vulnerabilitiesintrackingcode.However,inthepresence
ofnon-trackingcode,trackingcode maynotbetheplace
whereanexploitmanifestsitselfandthuscanbedetected.
PHP Aspis Transformed Application
Taint-Tracking Code
Non Tracking Code
<script .../>
Taint
Input
HTTP request
1
2
Data altering
Guarded
Source
HTML output
<script ... />
t()
n()
3
Figure3:XSSvulnerabilitymanifestinginnon-trackingcode
For example, a non-tracking function
n
in Figure 3
callsatrackingfunction
t
(step1).Itthenreceivesauser-
providedvalue
$v
fromfunction
t
(step2)andprintsthis
value (step 3). If
t
fails to escape user input,
n
is un-
abletosanitisethe datatransparently. Thisisbecause,in
non-tracking code, taint meta-data are not available and
callstosensitivesinkssuchas
print
arenotintercepted.
From the perspective of
n
,
t
acts as the source of user
generated data that must be sanitised before they leave
thetrackingcontext.
To address this issue, PHP Aspis takes a conserva-
tive approach. It can sanitise data at the boundary be-
tween tracking and non-tracking code. PHP Aspis adds
source guardstoeach taintcategory toprovide sanitisa-
tion functions for this purpose. A source is a tracking
functionandtheguardisthesanitisationfunctionapplied
to its return value when called from non-tracking code.
In the above example,thetracking function
t
can act as
asource of usergenerated data when called from
n
. A
guard for
t
would intercept
t
’s return value and apply
htmlentities
toanyuser-generatedcharacters.Source
guardsensurethatuserdataareproperlysanitisedbefore
theycanbeusedinnon-trackingcode.
Notethoughthatthisearlysanitisationisanadditional
operation introduced by PHP Aspis. Thus, if the non-
trackingcontextthatreceivedthedataattemptstosanitise
themagain,theapplicationwouldfail.Moreover,thereis
nogenericsanitisationroutinethatcanalwaysbeapplied
because the final use of the data is unknown. Instead,
thissolution isonly suitable forcases when both the fi-
naluse ofthe data isknownandthe applicationdoesnot
performanyadditionalsanitisation.Thisisoftenthecase
forthird-partypluginAPIs.
3.3.2 CompatibilityTransformations
The taint-tracking transformationsin §3.2generate code
that handles Aspis-protected values. For example, a
tracking function that changes the case of a string pa-
rameter
$p
expects to find the actual string in
$p[0]
.
Such a function can no longer be called directly from
8
non-tracking code with a simple string for its parame-
ter. Instead, PHP Aspis requires additional transforma-
tionsto intercept this call and automatically convert
$p
toanAspis-protectedvalue,whichismarkedasfullyun-
tainted. We referto these additionaltransformationsfor
partialtainttrackingascompatibilitytransformations.
Compatibility transformations make changes to both
trackingandnon-trackingcode. These changesalterthe
datathatareexchangedbetweenatrackingcontextanda
non-tracking context, i.e.data exchanged betweenfunc-
tions, classes and code in the global scope. They strip
Aspis-protectedvalueswhenpassedtonon-trackingcon-
textsandrestoreAspisprotectionfortrackingcontexts.
Function calls. A function call is the most common
way of passing data across contexts. PHP Aspis trans-
forms all cross-context function calls: a call from a
tracking to a non-tracking context hasitstaint removed
from parameters and the return value Aspis-protected
again. The oppositehappensforcallsfrom non-tracking
totrackingcontexts.Thisalsoappliestomethodcalls.
Adaptingparametersandreturnvaluesissimilartous-
ingthedefaultinterceptorfunctionfrom§3.2.Usercode,
however, can share objects of user-defined classes. In-
steadofadaptingeveryinternalobjectproperty,PHPAs-
pisusesproxy objectsthat decoratepassed values. Con-
sideranobject
$o
ofclass
c
andassume that
c
isatrack-
ing context. When
$o
ispassedtothenon-tracking con-
textoffunction
f
,
f
isunabletoaccess
$o
’sstatedirectly
orcallitsmethods. Instead,itreceivesthedecorator
$do
that pointsto
$o
internally.
$do
is then responsible for
adapting the parametersand the returnvaluesof method
calls when such calls occur. It also handles reads and
writesofpublic objectproperties.
PHP also supports call-by-reference semantics for
functionparameters. Since changestoreference param-
etersby the callee are visible tothe caller,these param-
eters effectively resemble return values. Compatibility
transformationshandlereferenceparameterssimilarlyto
returnvalues—theyare adaptedtothe callingcontextaf-
terthefunctioncallreturns.
Thisbehaviourcanleadtoproblemsifreferencesto a
single variable are stored in contexts of different types,
i.e.ifa tracking classinternallyhasa reference toa vari-
able also stored in a non-tracking class. In such cases,
PHPAspiscannolongertrackthesevariableseffectively
across contexts, forcing the administrator to mark both
contextsastrackingornon-tracking. Since sharedrefer-
ences to internal state make it hard tomaintain class in-
variants,theyare considered badpractice[5]andaman-
ualauditdidnotrevealanyoccurrencesinWordpress.
Accessing global variables. PHP functions can ac-
cess references to variables in the global scope using
the
global
keyword. These variables may be Aspis-
protected or not, dependent on the type of the current
global context and previousfunctioncalls. Thecompat-
ibilitytransformationsrewrite
global
statements: when
the imported variable doesnot match the context of the
function, the variable is altered so that it can be used
by the function. After the function returns, all im-
portedglobalvariablesmustberevertedtotheirprevious
forms—
return
statementsare precededwiththeneces-
sary reversetransformations. When functionsdonotre-
turn values,reverse transformationsare addedasthe last
functionstatement.
Accessing superglobal variables. PHP also supports
thenotionofsuperglobals: arraysthat includethe HTTP
request data and can be accessed from any scope with-
out a
global
declaration. Data in these arrays are al-
wayskept tainted;removingtheirtaintwouldeffectively
stop taint tracking everywhere in the application. As a
result, only tracking contexts should directly access su-
perglobals.Inaddition,compatibilitytransformationsen-
ablelimited accessfromnon-tracking contextswhen ac-
cesscanbestaticallydetected(i.e.adirectreadto
$
GET
but not an indirect access through an aliasing variable).
Thisisbecause PHP Aspisdoes not perform static alias
analysistodetectsuchindirectaccesses[11].
Includestatements. PHP’sglobalscopeincludescode
outsideoffunctionandclassdefinitionsandspansacross
all included scripts. Compatibility transformations can
handle different context typesfor different scripts. This
introduces a problem for variables in the global scope:
theyareAspis-protectedwhentheyarecreatedbyatrack-
ing context but have their original value when they are
createdbyanon-trackingcontext.
Toaddressthisissue,PHPAspisalterstemporarilyall
variables in the global scope to be compatible with the
currentcontextofanincludedscript,beforean
include
statement is executed. After the
include
, all global
variables are altered again to match the previous con-
texttype. Tomitigate the performance overheadofthis,
globalscopecodeplacedindifferentfilesbutusedtohan-
dlethe samerequestshouldbe inthesamecontexttype.
Dynamic features. Compatibility transformations in-
terceptcallsto
create
function
and
eval
atruntime.
PHPAspisthen rewritestheprovidedcodeaccording to
the context type of the caller: when non-tracking code
calls
eval
, only the compatibility transformations are
applied and non-tracking code is generated. Moreover,
create
function
usesa global array tostore the con-
text type of the resulting function. This information is
then used to adapt the function’sparametersand return
valueinsubsequentcalls.
9
3.4 Discussion
The taint tracking carried out by PHP Aspis isnot pre-
cise. PHPAspisfollowsa designphilosophy thatavoids
uncertain taint prediction (e.g. inlibrary functionswith-
out interceptors),whichmayresultinfalse positivesand
affectapplicationsemantics.Instead,itfavoursareduced
abilitytocapturetaintoncertainexecutionpaths,leading
tofalsenegatives. Forthis,itshouldnotbetrustedasthe
solemechanismforprotectionagainstinjectionattacks.
Partial taint tracking is suited for applications where
apartition between trusted and untrusted components is
justified, e.g. third-party code. In addition, interactions
acrosssuch componentsmust be limited because ifdata
flow from a tracking to non-tracking context and back,
taint meta-data may be lost. PHP Aspis also does not
track taint in file systems or databases, although tech-
niquesforthishavebeenproposedinthepast[8,19].
PHP is a language without formal semantics. Avail-
able documentation is imprecise regarding certain fea-
tures (e.g. increment operators and their side effects)
and there are behavioural changes between interpreter
versions(e.g.runtime call-by-reference semantics). Al-
thoughourapproachrequireschangeswhenthelanguage
semanticschange,webelievethatthiscostissmallerthan
the maintenance ofthird-party runtime implementations
thatrequireupdatesevenwithmaintenancereleases.
Ourtaint tracking transformationssupport most com-
mon PHP features, as they are specified in the online
manual [1]. We have yet to add support for newer fea-
turesfromPHP5suchasnamespacesorclosures.
4 Evaluation
Thegoalsofourevaluation areto measuretheeffective-
nessofourapproachinpreventingreal-worldvulnerabil-
itiesandtoexploretheperformancepenaltyforthetrans-
formed application. To achieve this, we use PHP Aspis
tosecureaninstallationofWordpress[3],apopularopen
sourcewebloggingplatform,withknownvulnerabilities.
WefirstdescribehowanadministratorsetsupPHPAs-
pis to protect a Wordpressinstallation. We then discuss
the vulnerabilities observed and show how PHP Aspis
addresses them. Finally, we measure the performance
penaltyincurredbyPHPAspisformultipleapplications.
4.1 Securing Wordpress
Wordpress’ extensibilityreliesona set of hooksdefined
atcertainplacesduring request handling. User-provided
functionscanattachtothesehooksandmultipletypesare
supported: actionsareusedbypluginstocarryoutopera-
tionsinresponsetocertainevent(e.g.sendanemailwhen
anewpostispublished),andfiltersallowaplugintoalter
CVE
Type
GuardedSources
Prevented
2010-4518
XSS
1
Yes
2010-2924
SQLI
2
Yes
2010-4630
XSS
0
Yes
2010-4747
XSS
1
Yes
2011-0740
XSS
1
Yes
2010-4637
XSS
2
Yes
2010-3977
XSS
5
Yes
2010-1186
XSS
15
Yes
2010-4402
XSS
6
Yes
2011-0641
XSS
2
Yes
2011-1047
SQLI
1
Yes
2010-4277
XSS
3
Yes
2011-0760
XSS
1
No
2011-0759
XSS
9
No
2010-0673
SQLI
––
––
Table6: Wordpressplugins’injectionvulnerabilities;reported
in2010andinthefirstquarterof2011.
databefore theyare usedby Wordpress(e.g.apostmust
receivespecialformattingbefore beingdisplayed).
Aplugin contains a set of event handlersforspecific
actions and filters and their initialisation code. Plugin
scripts can also be executed through direct HTTP re-
quests. In such cases, plugin scripts execute outside of
themainWordpresspagegenerationprocess.
Wesecureapluginfrominjectionvulnerabilitiesusing
PHPAspisasfollows: first,we listthefunctions,classes
and scripts defined by the plugin and mark the relevant
contexts as tracking; second, we automatically inspect
thepluginforpossiblesensitivesinks,suchasprintstate-
ments and SQLqueries. We then decide the taint cate-
goriestobeusedinordertoavoidirrelevanttracking(i.e.
avoid tracking taint for eval injection if no
eval
state-
mentsexist);third,weobtainalistofeventhandlersfrom
the
add
filter
statementsusedbythe plugin. Weaug-
ment thetaintcategorydefinitionswiththese handlersas
guardedsourcesbecause filters’ returnvaluesare subse-
quentlyusedbyWordpress(§3.3);andfourth,weclassify
the plugininitialisation code asnon-trackingasitisless
likelytocontaininjectionvulnerabilities(§2.3).
4.2 Security
Table6listsallinjectionvulnerabilitiesreportedinWord-
presspluginssince2010.Foreachvulnerableplugin,we
verify the vulnerabilityusingthe attackvectordescribed
intheCVEreport. Wethentrythe sameattackvectoron
aninstallationprotectedbyPHPAspis.
Theexperimentsaredone onthelatestvulnerable plu-
ginversions, asmentionedoneachCVEreport, running
onWordpress2.9.2. PHPAspismanagestopreventmost
vulnerabilities, which can be summarised according to
threedifferentcategories:
10
Documents you may be interested
Documents you may be interested