I’ve been meaning to review some of my older PHP code for security vulnerabilities for a while, but never really got around to it. This afternoon, I started searching for some tools I might be able to use to do that for me. I came across the Spike PHP Security Audit Tool, and was actually fairly impressed with it.
In order to run it, I believe you need to have the PHP command-line interface installed. However, as long as you’ve got that, all you need to do is upload the package and type a simple command. It will take a while, but when it’s done, the script generates a nice HTML report showing all of the vulnerabilities it detected.
In my case, the code I scanned came up with a few warnings, but most of them are things that aren’t extremely important or over which I have no control. For me, the most common issue raised by the tool was the fact that a “TOCTOU” (time of check/time of use) race condition might exist. In all of those cases, I am using my code to check to see if a file or folder exists before I try to open it. Since the file_exists or is_dir function runs separately from the actual use command (whether it’s an include or file_get_contents or whatever it is), it’s remotely possible that the file could change between the two function calls. I don’t really see any way around the issue, though; and I don’t really see how that’s a security vulnerability, so I’m not overly concerned about it.
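To make the warning concrete, here is an added example (not code from the original post, and not from the Spike PHP Security Audit Tool) showing the check-then-use pattern the tool reports, next to a form that does the read in a single call so there is no gap for the file to change in. The function names and the temporary file are my own constructions.

```php
<?php
// Added example for this post (not code from the original post, nor from the
// Spike PHP Security Audit Tool). It shows the check-then-use pattern the tool
// reports as a TOCTOU race, and a form that avoids the separate check.

// Flagged pattern: file_exists() and file_get_contents() are two separate
// system calls; the file can be deleted, replaced, or swapped for a symlink
// in the gap between them.
function readChecked(string $path): ?string
{
    if (!file_exists($path)) {
        return null;                  // "missing" is decided here...
    }
    return file_get_contents($path);  // ...but acted on here, a moment later
}

// Alternative: perform the operation once and let its own result tell you
// whether the file was there. Whatever the file's state, there is one call,
// so there is no check/use window to race.
function readDirect(string $path): ?string
{
    $data = @file_get_contents($path); // @ silences the E_WARNING on failure
    return $data === false ? null : $data;
}

// Same idea for includes: attempt the include and report failure, instead of
// calling is_dir()/file_exists() first. A missing file makes include return
// false (plus a warning), unlike require, which raises a fatal error.
function includeDirect(string $path): bool
{
    $result = @include $path;
    return $result !== false;
}

// Demonstration with a constructed temporary file (hypothetical content).
$tmp = tempnam(sys_get_temp_dir(), 'toctou');
file_put_contents($tmp, "db_host=localhost\n");

var_dump(readChecked($tmp) === "db_host=localhost\n");
var_dump(readDirect($tmp) === "db_host=localhost\n");

// Removing the file stands in for it disappearing between check and use;
// both functions now report "missing", but only readDirect() had no window.
unlink($tmp);
var_dump(readChecked($tmp));
var_dump(readDirect($tmp));
```

The file-read and include cases collapse to a single call, which is the general way out of this class of warning: act, then inspect the result, rather than test, then act. The race only matters when someone other than you can write to the directory between the two calls, so where a check and a use genuinely must stay separate (is_dir() before mkdir(), for instance), the practical mitigation is filesystem permissions that keep untrusted users from writing there.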
Still, though, it’s good to know that the issue exists, and it’s great to see what else might cause issues in my code.
If you’ve found any other free utilities that can be used to evaluate PHP code to look for potential vulnerabilities, I’d love to hear about them.
RATS (Rough Auditing Tool for Security) is one: http://www.fortify.com/security-resources/rats.jsp