We need a PHP expert to do some security tasks on our e-commerce website. No direct access to the server will be given. You will be working on the 15 or so PHP files (most of them are similar) that we'll send you. There will be no payment or escrow until we see the files working properly on our server, and we'll also need about a week of informational emails after you complete the task.
As qualifiers, please send a message with answers to the initial questions below. This will not only clarify the project details for both sides, but also give us a good idea of your background and whether you would be a good pick.
1. It is a well-known security recommendation to put PHP files outside the document root. With that, is it possible to have the .swf file access PHP files that are placed outside the root? If this is not possible at all, what is the best way to use include within the PHP files AND to make it safe?
2. Do you have experience with the PHP functions that open/read files on the same server, AND with the security aspects of these functions and of PHP sessions? We have some 'preloader' PHP files that open the main SWF file without caching it, using sessions and referers. We need you to check this from the security perspective (specifically the issues involved in sessions and fread, fopen, etc.).
3. Are you aware of the issue below, and do you have experience installing and working with Suhosin? (Quoted from the Suhosin website:)
"Another common error in these books is that they spread the urban legend that the most dangerous problem within PHP "remote code inclusion vulnerabilities" can be fixed by disabling allow_url_fopen in the configuration (or allow_url_include in PHP 5.2.x). This information is simply wrong, because these configuration directives do NOT protect against attacks through php://input or data:// URLs. Our Suhosin and the former Hardening-Patch are the only available protections that close all URL include attacks."
4. Below are the tasks we came up with for this project. Please add any tasks you think we missed that are crucial for securing PHP:
Check every PHP file and make the necessary changes that will ensure the following:
- initialize all variables
- secure the usage of statements such as include, require, etc. and make suggestions as far as paths etc.
- clean up PHP outputs (echo, error messages, etc.)
- clean up and organize the code
- comment and explain every change you make
- secure against SQL injection and cross-site scripting
- remove .php extensions
- convert UTF-8 encoded data
- secure files that use fopen/fread etc., as mentioned in #2 above
- install and configure Suhosin and give us a quick 'how to' guide
(We're using suPHP and register_globals is off.)
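As an added illustration of the safe-include pattern asked about in question 1 and in the include task above (this is example code, not code from the posting or its site): the SWF only ever requests a front script under the document root, and that script maps a request value through an allow-list to a file in a sibling directory outside the root. The paths /var/www/site/htdocs and /var/www/site/app and the module names are assumptions.

```php
<?php
// Added example: include PHP files kept outside the web document root,
// accepting only allow-listed base names. A request value is never used as a
// path, so it cannot become a traversal ("../") include or a URL include via
// php://input or data://, which allow_url_fopen / allow_url_include Off do not
// block (see the Suhosin quote above).
// Assumed layout: this file lives in /var/www/site/htdocs (document root),
// the application code lives in /var/www/site/app (not web-reachable).

declare(strict_types=1);

// Resolve the code directory once; realpath() returns false if it is missing.
define('APP_DIR', realpath(__DIR__ . '/../app'));

// Explicit allow-list: only these modules may ever be included.
const ALLOWED_MODULES = [
    'db'      => 'db.php',
    'session' => 'session.php',
    'catalog' => 'catalog.php',
];

function include_module(string $name): void
{
    if (APP_DIR === false || !isset(ALLOWED_MODULES[$name])) {
        throw new RuntimeException('Unknown module: ' . $name);
    }
    $path = realpath(APP_DIR . '/' . ALLOWED_MODULES[$name]);

    // realpath() resolves symlinks and "..", and returns false for stream
    // wrappers, so anything that does not land inside APP_DIR is rejected.
    $prefix = APP_DIR . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Refusing to include module: ' . $name);
    }
    require_once $path;
}

// Usage from the front script the SWF requests over HTTP: the parameter is a
// key into the allow-list, never a file name. Unknown keys raise an exception
// that the caller should turn into a generic error page, not an echoed path.
$page = $_GET['page'] ?? 'catalog';
include_module($page);
```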
Note that this is a somewhat dynamic project and one or two items might change as we go. We're looking for someone knowledgeable and flexible who can get us up and running for the initial launch of the site, and we look forward to doing more projects in the near future as the site grows.
Thanks for reading, and we look forward to working with you.