Point taken about XSS, I've added some encoding for that since (htmlentities). I'll likely recommend people password protect wherever they put the script.
Adrian

On Sun, Feb 26, 2012 at 1:21 PM, Dancing Dan <[email protected]> wrote:

> Disclaimer: My PHP skills are very rusty so, I may have misunderstood some
> of what I saw. Some of what I say may be complete or partial rubbish....
> YMMV
>
> I'm not sure how much of a difference this would make but, I would
> constrain the choices from the Internet to specific items instead of
> allowing regexes. It would be good to whitelist the specific searches you
> want to allow and discard anything not on the approved list.
>
> You could separate the retrieval and searching functions from the display
> functions by using a scheduled task on the server to extract the data to
> separate files with a subset of data. Not necessarily real time but, it
> would gain a little separation and could be a lower privileged process
> separate account. This could be especially helpful if you are using SELinux
> or other MAC control.
>
> I would also suggest considering the types of data that could be stored in
> the log. It would be a bad thing (TM) for someone to generate a log event
> that would cause reflected XSS when viewing the log file in a browser. My
> paranoia would cause me to retrieve a text file containing data that I
> could view as pure ASCII....
>
> Hope this helps....
>
> Bart
>
> On Fri, Feb 24, 2012 at 10:02 AM, Adrian Crenshaw <[email protected]> wrote:
>
>> Ok, not saying this code is well done, but I had a question about if it
>> was possible to do some Regex injection that has really bad consequences.
>> I've made a simple little PHP (attached) script as a test to look for the
>> top 404s and 403s on a site based on its http log. Since web scanners seem
>> to cause a lot of these (causing errors and looking for files that are not
>> there), it seems like a good way to spot them. The downside, I'm pretty
>> much letting the user put anything into the regular expression for
>> searching that they want. I'm not using the exec function, but preg_match
>> instead, so shell execution should not be an issue as far as I know.
>> Assuming I don't care if people know what is in my logs, how secure is
>> this? I could also always just password it off.
>>
>> Thanks,
>> Adrian

--
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset Maugham
"The ability to Google can be a serviceable substitute for technical knowledge." ~ Adrian D. Crenshaw
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
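Bart's whitelist suggestion and Adrian's output-encoding fix, put together in one script as an added example; this is not the script attached to the thread. The log lines are constructed, and the query parameter `s`, the `$searches` table and the `topHits` function are names assumed here.

```php
<?php
// Constructed combined-log-format lines standing in for the real access log.
$log = <<<'LOG'
203.0.113.5 - - [24/Feb/2012:10:02:11 -0500] "GET /admin/ HTTP/1.1" 403 199 "-" "scanner/1.0"
203.0.113.5 - - [24/Feb/2012:10:02:12 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "scanner/1.0"
203.0.113.5 - - [24/Feb/2012:10:02:13 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "scanner/1.0"
198.51.100.9 - - [24/Feb/2012:10:03:01 -0500] "GET /<script>alert(1)</script> HTTP/1.1" 404 208 "-" "curl/7.2"
198.51.100.9 - - [24/Feb/2012:10:03:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Whitelist: the browser only sends a key; the pattern is fixed server-side,
// so no user-controlled text ever reaches preg_match.
$searches = [
    'notfound'  => '/^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" 404 /',
    'forbidden' => '/^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" 403 /',
];

// Count requested paths matching the whitelisted search, most frequent first.
function topHits(string $log, array $searches, string $key, int $limit = 10): array
{
    if (!array_key_exists($key, $searches)) {
        return [];                       // unknown key: refuse rather than guess
    }
    $counts = [];
    foreach (preg_split('/\r?\n/', trim($log)) as $line) {
        if (preg_match($searches[$key], $line, $m)) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    arsort($counts);
    return array_slice($counts, 0, $limit, true);
}

// Render: every log-derived value is HTML-escaped, so a request path that
// contains markup (the fourth constructed line) is shown as text, not executed.
$key = $_GET['s'] ?? 'notfound';
echo "<table>\n";
foreach (topHits($log, $searches, $key) as $path => $n) {
    printf("<tr><td>%s</td><td>%d</td></tr>\n",
        htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8'), $n);
}
echo "</table>\n";
```

With the whitelist in place the question of what a crafted regex could do no longer arises, since the only client-chosen value is a lookup key that is rejected unless it is in `$searches`.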
