Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web folder?
I asked a friend to hack my php script within the web folder...


all of my crucial function were called by:
require_once("/home/siren/includes/fonovisa.inc");
the 'encrypt' functions are MCRYPT_RIJNDAEL_256

He was able to get access to the 'fonovisa.inc' php script [outside the web folder] and all the stuff inside. Based on my current knowledge, my security breaches are probably big enough to drive a truck through :(


how can I prevent this ?
I am VERY new at the whole 'security' thing so any help is appreciated

Just looking briefly at the below script; NEVER trust user input! Sanitize it, escape it, check to see it's what you expect, and do it again. Doing things like this...

freadMovie($_REQUEST['path']);

is just asking for trouble.

this is the script within the web folder:
<?php
require_once("/home/siren/includes/fonovisa.inc");
$thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER['SCRIPT_NAME']);
qtversiondetect($_SERVER['HTTP_USER_AGENT']);




//////////////////////////////////////////
//   This PHP script is performing three tasks
//   1)  Creates a SMIL playlist of Quicktime movies from a database  call
//   2)  Reads each requested movie file from outside the web folder
//       Movies are downloaded by passing the GET variable, 'path', to the 'freadMovie()' function
//       This function is located in the script, 'fonovisa.inc', located outside the web folder
//       The movie files are fread chunk by chunk in binary format and loaded into the Quicktime Player
//   3)  Build the Actual Quicktime Media Link with all the EMBED attributes like KIOSKMODE and QUITWHENDONE
//
//
////////////////////////
//   Flow of the Code:
//   If the GET variable, 'cmd', equals 'makesmil'
//         Build the  SMIL playlist
//   ElseIf the GET variable, 'cmd', equals 'getmovie'
//         Send the requested url [with the encrypted movie file path] to the freadmovie() function
//         which freads the requested movie file data to the Quicktime Player
//   Else
//         Build the Quicktime Media Link that generates the Headers and Embed tags
//         where the 'src' attribute points to the SMIL Playlist Movie function in THIS script
//   Endif
//////////////////////


// any variable there ?
if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
{

    ////////////
    // Ok, there is a 'cmd' and/or 'path' variable, what are they ?
    ////////////

    //make the SMIL playlist of movie
    if( trim(decrypt( $_REQUEST['cmd'])) =="makesmil") makesmil($thisScriptURL);

    //fread a movie file in the playlist and send to QuickTime
    elseif(trim(decrypt($_REQUEST['cmd']))=="getmovie") freadMovie($_REQUEST['path']);


}else{
    ///////////
    //  No commands were given
    //  So make the Quicktime Media Link with all the EMBED attributes
    //  The 'src' attribute is going to call the 'makesmil' function to generate the SMIL playlist movie
    //////////
    buildQTMediaLinkForSMILPlaylist( $autoplay="true",
                                     $cache="false",
                                     $kioskmode="true",
                                     $quitwhendone="true",
                                     $movieid=md5(time()),
                                     $moviename="Commercial Reel 2005",
                                     $src="$thisScriptURL?cmd=".encrypt('makesmil')
                                   );

    ///////////
    // Output the Correct QuickTime Headers and the Embed Tags and send the movie to QuickTime
    ///////////
    OutputHeaders($_SERVER['HTTP_USER_AGENT']);
    echo $finalQTMovie;


}


/////////////////////////////////////
// Local Functions
/////////////////////////////////////

function makesmil($thisScriptURL)
{
    buildSMILArray($thisScriptURL,$d='siren',$playlist="Show Reel");

    // format the SMIL playlist
    buildSMILPlaylist(  $timeslider="true",
                        $chaptermode="all",
                        $immediateinstantiation="false",
                        $autoplay="true",
                        $left="1",
                        $top="1",
                        $height="208",
                        $width = "352",
                        $fit= "fill",
                        $title = "Commercial Reel 2005",
                        $regionid="siren",
                        $bgcolor="black",
                        $movieid=md5(time()),
                        $moviename="Commercial Reel 2005",
                        $movieArray);
}


//-------------------------
// Sanitize the variables to prevent mysql injection and trim them
// (as posted, nothing in this script ever calls sanitizeVars(), and $path
//  and $cmd are locals that are discarded when it returns, so the raw
//  $_REQUEST values are what reach decrypt() and freadMovie() above)
function sanitizeVars()
{
    $path = getGetVarProcessed( 'path', 'cleanser', 'unknown' );
    $cmd = getGetVarProcessed( 'cmd', 'cleanser', 'unknown' );
}


//-------------------------
// Output Player or Browser Content-Type Header

function OutputHeaders($userAgent)
{
    global $finalQTMovie;
    if(strstr($userAgent,"qtver")){
        // Player
        header('Content-Type: application/x-quicktimeplayer');
    }else{
        //Browser
        header('Content-Type: video/quicktime');
    }
    //output any of the other headers
    header ("Content-Length:".strlen($finalQTMovie));
}

?>



--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
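The problem John points at, worked through as an added example (this is not code from the original post or from Graham's script; the directory layout, the helper names safeMoviePath() and moviePathById(), and the probe strings are assumptions for the demo). The posted script checks `cmd` through `decrypt()`, but `path` goes to `freadMovie()` exactly as the client sent it, so whatever that function opens is chosen by the requester, and a value such as `../includes/fonovisa.inc` walks straight out of the movie directory. The fix is not a stronger cipher on the path but refusing to open anything outside the one directory the script is meant to serve, or better, never accepting a path at all and looking up an id in a server-side allowlist. Both are shown below, run against a few constructed probes:

```php
<?php
// Added example, not from the original post. Demonstrates constraining a
// user-supplied file name to one directory, and the id-lookup alternative.
// Layout, helper names and probes are assumptions for the demo.

// Stand-alone run: build a throwaway copy of the assumed layout
// (movies/ is the only directory we should ever serve from) under the temp dir.
$base = sys_get_temp_dir() . '/siren_demo_' . getmypid();
mkdir("$base/movies", 0700, true);
mkdir("$base/includes", 0700, true);
file_put_contents("$base/movies/reel1.mov", "constructed movie bytes");
file_put_contents("$base/includes/fonovisa.inc", "<?php // stands in for the real include ?>");

/**
 * Resolve $requested against $movieDir and return the absolute path only if it
 * stays inside that directory. Returns null for traversal, symlink escapes,
 * missing files, or anything that is not a regular file.
 */
function safeMoviePath(string $movieDir, string $requested): ?string
{
    // Refuse NUL bytes before touching the filesystem: filesystem functions
    // either truncate at NUL (old PHP) or throw on it (PHP 8), so it is never
    // part of a legitimate movie name.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $root = realpath($movieDir);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks, and fails if the target
    // does not exist, so the prefix check below sees the real location.
    $full = realpath($root . '/' . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare with the trailing separator included so a sibling directory
    // such as ".../movies_private" is not accepted as being under ".../movies".
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

/**
 * Stricter alternative: the client sends an id, the server maps it to a path
 * it chose itself. The playlist is already built from a database call, so the
 * row key is a natural id; the path never leaves the server.
 */
function moviePathById(array $allowlist, string $id): ?string
{
    return $allowlist[$id] ?? null;
}

// Constructed probes, the sort of values an attacker would try in 'path'.
$probes = [
    'reel1.mov',                                // legitimate
    '../includes/fonovisa.inc',                 // classic traversal
    '/etc/passwd',                              // absolute path
    "reel1.mov\0../includes/fonovisa.inc",      // NUL injection
    'does-not-exist.mov',                       // missing file
];
foreach ($probes as $p) {
    $r = safeMoviePath("$base/movies", $p);
    printf("%-42s => %s\n", addcslashes($p, "\0"),
           $r === null ? 'REJECTED' : 'OK: ' . basename($r));
}

// Indirect reference: only ids present in the map resolve to anything.
$allowlist = ['reel1' => "$base/movies/reel1.mov"];
var_dump(moviePathById($allowlist, 'reel1'));
var_dump(moviePathById($allowlist, '../includes/fonovisa.inc'));

// Remove the throwaway layout.
array_map('unlink', ["$base/movies/reel1.mov", "$base/includes/fonovisa.inc"]);
rmdir("$base/movies");
rmdir("$base/includes");
rmdir($base);
```

Save it as a .php file and run it with the php CLI; only the first probe and the 'reel1' id resolve, every other request comes back null. Two details matter in practice: realpath() only works on paths that exist, which is why the existence check comes for free, and the prefix comparison must include the directory separator or a sibling directory with a longer name slips through. Of the two approaches, the id lookup is the one to prefer here, since the script already knows the full list of movies from its database query and has no reason to let the browser name a file.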
