Ok, not saying this code is well done, but I had a question about whether it was
possible to do some regex injection that has really bad consequences. I've
made a simple little PHP (attached) script as a test to look for the top
404s and 403s on a site based on its http log. Since web scanners seem to
cause a lot of these (causing errors and looking for files that are not
there), it seems like a good way to spot them. The downside is that I'm pretty
much letting the user put anything into the regular expression for
searching that they want. I'm not using the exec function, but preg_match
instead, so shell execution should not be an issue as far as I know.
Assuming I don't care if people know what is in my logs, how secure is
this? I could also always just password it off.


Thanks,
Adrian


-- 
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset
Maugham
<html>
<body>
<pre>
<?php
echo '<a href="'.$_SERVER['PHP_SELF'].'">Back to main page</a><P>';
$logpath='/some/path/to/logs/http/access.log';
$searchfield = isset($_GET["s"]) ? $_GET["s"] : "";
if ($searchfield==""){
        $matches403=greplines("/403/");
        showtop($matches403,"Top 403s",10);
        echo "\n\n";
        $matches404=greplines("/404/");
        showtop($matches404,"Top 404s",10);
        echo "\n\n Path traversals:\n\n";
        $matches=greplines("/\.\.\/\.\.\//");
        showlines($matches);
        echo "\n\n Password grabs:\n\n";
        $matches=greplines("/\/etc\/passwd/");
        showlines($matches);
        echo "\n\n RFIs:\n\n";
        $matches=greplines("/page\=http\:\/\//");
        showlines($matches);
} else{
        // The user-supplied string becomes the regex body verbatim (this is the point of the question).
        $output=greplines("~".$searchfield."~");
        showlines($output);
}
function showlines($lines){
        if(is_array($lines) && count($lines)>0){
                foreach($lines as $line){
                        echo $line;
                }
        } else {
                echo "Empty grep or some error";
        }
}

function showtop($somearray,$label,$number){
        // Count hits per client IP (the first field of a combined-format log line).
        $ipcounts=array();
        foreach ($somearray as $line) {
                $fields=explode(" -",$line);
                if (!isset($ipcounts[$fields[0]])) { $ipcounts[$fields[0]]=0; }
                $ipcounts[$fields[0]]++;
        }
        natsort($ipcounts);
        $ipcounts=array_reverse($ipcounts, true);
        $ipcountnames=array_keys($ipcounts);
        echo '<table border="2"><tr><td align="center" colspan="3">'.$label.'</td></tr>';
        for($i=0;$i<$number && $i<count($ipcountnames);$i++){
                echo '<tr><td>'.$ipcounts[$ipcountnames[$i]].
                        '</td><td><a href="'.$_SERVER['PHP_SELF'].
                        '?s=^'.$ipcountnames[$i].' " target="_blank">'.$ipcountnames[$i].
                        '</a></td><td><a href="http://www.robtex.com/ip/'.
                        $ipcountnames[$i].'" target="_blank">Info</a></td></tr>';
        }
        echo '</table>';
}

function greplines($pattern){
        global $logpath;
        $matches=array();
        $fh = fopen($logpath, 'r') or die("Cannot open $logpath");
        while (($line = fgets($fh, 8096)) !== false) {
                if (preg_match($pattern, $line)) { $matches[] = $line; }
        }
        fclose($fh);
        return $matches;
}
?>
</pre>
</body>
</html>
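An added example, not Adrian's script, of the hardening a reviewer would suggest for the search path: the user's input is treated as a literal string via preg_quote() unless regex mode is explicitly requested, patterns that contain the delimiter or fail to compile are rejected, and a PCRE runtime error (such as the backtrack limit being hit) aborts the scan instead of being retried on every log line. The sample log lines and the `regex` query parameter are assumptions of this example.

```php
<?php
// Added example (not Adrian's script): user input is a literal unless regex mode is requested.
ini_set('pcre.backtrack_limit', '100000');      // make catastrophic backtracking fail fast

function build_pattern($user, $literal) {
    if ($user === '' || strlen($user) > 200) return null;   // reject empty or oversized input
    if ($literal) {
        $body = preg_quote($user, '~');         // escapes metacharacters and the delimiter
    } elseif (strpos($user, '~') !== false) {
        return null;                            // no closing the pattern early to add modifiers
    } else {
        $body = $user;
    }
    $pattern = '~' . $body . '~';
    // Compile check: an invalid pattern makes preg_match() return false (and warn);
    // @ silences the warning, preg_last_error() still records the cause.
    return (@preg_match($pattern, '') === false) ? null : $pattern;
}

function greplines_safe($logpath, $pattern) {
    $matches = array();
    $fh = fopen($logpath, 'r');
    if ($fh === false) return $matches;
    while (($line = fgets($fh, 8096)) !== false) {
        $r = @preg_match($pattern, $line);
        if ($r === false) {                     // e.g. PREG_BACKTRACK_LIMIT_ERROR: stop, don't
            fclose($fh);                        // run the hostile pattern against every line
            throw new RuntimeException('regex failed, preg_last_error=' . preg_last_error());
        }
        if ($r === 1) $matches[] = $line;
    }
    fclose($fh);
    return $matches;
}

// Constructed sample log; the 'regex' query parameter is an assumption of this example.
$logpath = tempnam(sys_get_temp_dir(), 'log');
file_put_contents($logpath,
    "10.0.0.1 - - [01/Jan/2024:00:00:01 +0000] \"GET /etc/passwd HTTP/1.1\" 404 0\n" .
    "10.0.0.2 - - [01/Jan/2024:00:00:02 +0000] \"GET /index.html HTTP/1.1\" 200 512\n");
$pattern = build_pattern(isset($_GET['s']) ? $_GET['s'] : '/etc/passwd', !isset($_GET['regex']));
if ($pattern === null) {
    echo "Invalid or disallowed search pattern\n";
} else {
    foreach (greplines_safe($logpath, $pattern) as $line) {
        echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8');  // log content is attacker-controlled
    }
}
```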
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
