Al wrote: > I've got a website on a virtual-host, Apache/Linux system running php > scripts. > > I particular, I've designed a CMS where designated individuals compose > and edit text in an html textarea, and then save the raw text in files. > Custom [i.e., proxie] tags are used for emphasizing and the formating > text [e.g., <red>Red Text</red>]. The raw text is converted to W3C > compliant, html code for user rendering. When processing the text, I > remove all php start codes [<? <?php, etc.] from the text, though it's > not obvious to me how the text can be executed when it's treated as pure > text sent to the client. > > Now the question. Does anyone see an obvious security hole?
if you don't strip out stuff like '<script> evil haxor code here; </script>' then that's one thing that can bite. it's hard to say what holes there may be without seeing the code that does the conversion from 'raw text' to 'html' . another security issue is whether anyone could overwrite existing 'content' text files on the server - only your CMS should have write access to these. any php code in the files can't be run at all *unless* your using include on the given text files or your running the content of the text files through eval() > > Thanks..... > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
