Re: register_globals in php4
Hello Christian G. Warden [EMAIL PROTECTED],

Yes. But when a user types a URL something like login.php?id=fakeid, then
$HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right? How do I
avoid users affecting the system by changing the variable values in the URL
directly? If not, is there any way to protect myself from a malicious URL
injection attack?

On Thu, 9 May 2002 09:51:02 -0700 Christian G. Warden [EMAIL PROTECTED] wrote:
> one of the php lists is probably a better forum for this question, but in
> short, register_globals=off means that if you want to use the id variable
> passed in the query string by the browser, you would access it as
> $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.
> more info at http://www.php.net/manual/en/language.variables.predefined.php
>
> xn
>
> On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> > Hello list,
> >
> > php4.1 recommends setting register_globals=off in php.ini to make php
> > more strict. My question is, if I turn off register_globals, what will
> > happen if any malicious user just tries to modify the variable values
> > in the url? Say, http://www.domain.com/xxx.php?id=3&sex=female
> >
> > Does it work if the user just changes the value in the URL directly and
> > sends the url directly to the web server? How can we avoid the malicious
> > attack by direct http GET/POST with modified parameter values that makes
> > a system error or compromise possible?
> >
> > --
> > Patrick Hsieh [EMAIL PROTECTED]
> > GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg

-- 
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
Re: register_globals in php4
On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
> Yes. But when a user types a URL something like login.php?id=fakeid, then
> $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right? How do I
> avoid users affecting the system by changing the variable values in the
> URL directly? If not, is there any way to protect myself from a malicious
> URL injection attack?

You don't avoid that. You can't avoid it. register_globals didn't avoid it
either, and if you rely on such behaviour then your application is clearly
very broken. You should always check the data supplied to your CGI *very*
carefully for just this reason.

See for instance (randomly picked from google):
http://www-genome.wi.mit.edu/WWW/faqs/wwwsf4.html

-- 
Simon [ [EMAIL PROTECTED] ]      *\ JarJar Binks^W^WSupport for
]-+-+-+-+-+-+-+-+-[             **\ CRLF-LF translation in the kernel
[ Htag.pl 0.0.19 ]             ***\ must die.  - Alexander Viro
Re: register_globals in php4
you must write your application safely. it sounds like you're trying to
prevent a user from changing their userid. after they log in, you could
create a session variable with their userid and only use that session
variable.

i still use register_globals=on with my code, but i have the following code
that gets included on every page:

    /* throw away any $userid that arrived with the request; only a
       registered session variable is allowed to supply it */
    if (!session_is_registered('userid')) {
        unset($userid);
    }

and in my login function, after username and password are verified, i put
the userid in $userid and

    session_register('userid');

this allows me to always trust that $userid matches the userid of the
authenticated user.

here's an article on secure programming in php:
http://www.zend.com/zend/art/art-oertli.php

xn

On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote:
> Hello Christian G. Warden [EMAIL PROTECTED],
>
> Yes. But when a user types a URL something like login.php?id=fakeid, then
> $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right? How do I
> avoid users affecting the system by changing the variable values in the
> URL directly? If not, is there any way to protect myself from a malicious
> URL injection attack?
>
> On Thu, 9 May 2002 09:51:02 -0700 Christian G. Warden [EMAIL PROTECTED] wrote:
> > one of the php lists is probably a better forum for this question, but
> > in short, register_globals=off means that if you want to use the id
> > variable passed in the query string by the browser, you would access it
> > as $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.
> > more info at http://www.php.net/manual/en/language.variables.predefined.php
> >
> > xn
> >
> > On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> > > Hello list,
> > >
> > > php4.1 recommends setting register_globals=off in php.ini to make php
> > > more strict. My question is, if I turn off register_globals, what will
> > > happen if any malicious user just tries to modify the variable values
> > > in the url? Say, http://www.domain.com/xxx.php?id=3&sex=female
> > >
> > > Does it work if the user just changes the value in the URL directly
> > > and sends the url directly to the web server? How can we avoid the
> > > malicious attack by direct http GET/POST with modified parameter
> > > values that makes a system error or compromise possible?
> > >
> > > --
> > > Patrick Hsieh [EMAIL PROTECTED]
> > > GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
>
> --
> Patrick Hsieh [EMAIL PROTECTED]
> GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
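The advice of the two replies above, Simon's (check every value the request supplies) and Christian's (put the authenticated userid in the session and never take it from the URL), as an added example that is not code from the thread. It uses the $_GET/$_SESSION arrays of PHP 4.1+ instead of session_register(), and password_hash()/password_verify(), so it assumes PHP 5.5 or later; the user table, verify_credentials() and load_profile() are constructed stand-ins for the application's own database code.

```php
<?php
// Added example: trust the session, not the URL (PHP >= 5.5 assumed).

session_start();

// Constructed sample user store standing in for the application's database.
// Only the hash is kept; the plaintext exists so the example can log in.
$SAMPLE_USERS = array(
    'alice' => array('id' => 3, 'hash' => password_hash('correct-horse', PASSWORD_DEFAULT)),
);

// Constructed stand-in for a real credential check: the numeric userid on
// success, false on failure.
function verify_credentials($username, $password)
{
    global $SAMPLE_USERS;
    if (!isset($SAMPLE_USERS[$username])) {
        return false;
    }
    return password_verify($password, $SAMPLE_USERS[$username]['hash'])
        ? $SAMPLE_USERS[$username]['id'] : false;
}

// Constructed stand-in for reading a record from the database.
function load_profile($userid)
{
    return array('id' => $userid, 'record' => "profile of user $userid");
}

// Validate an id parameter the way Simon's reply asks for: accept only a
// short string of decimal digits and hand back an int; anything else is
// rejected outright rather than "cleaned up".
function valid_id($raw)
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// login.php: the one place where $_SESSION['userid'] is ever assigned.
function handle_login()
{
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    $userid = verify_credentials($user, $pass);
    if ($userid === false) {
        header('HTTP/1.0 403 Forbidden');
        exit("login failed\n");
    }
    session_regenerate_id(true);      // fresh session id once authenticated
    $_SESSION['userid'] = $userid;
}

// profile.php, the broken way: ?id=fakeid decides whose record is read,
// exactly the problem Patrick describes.
function profile_vulnerable()
{
    return load_profile($_GET['id']);
}

// profile.php, the safe way: identity comes from the server-side session.
// A request may still carry ?id=, but it is validated and then compared
// with the authenticated user before it is used for anything.
function profile_hardened()
{
    if (empty($_SESSION['userid'])) {
        header('HTTP/1.0 401 Unauthorized');
        exit("not logged in\n");
    }
    $requested = isset($_GET['id']) ? valid_id($_GET['id']) : null;
    if (isset($_GET['id']) && $requested === null) {
        header('HTTP/1.0 400 Bad Request');   // e.g. id=fakeid
        exit("bad id\n");
    }
    if ($requested !== null && $requested !== (int) $_SESSION['userid']) {
        header('HTTP/1.0 403 Forbidden');     // someone else's record
        exit("not your record\n");
    }
    return load_profile($_SESSION['userid']);
}
```

The point of keeping valid_id() separate from the authorization check is that the two failures are different: a non-numeric id is a malformed request and gets a 400, while a well-formed id that is not the caller's own is an authorization failure and gets a 403. Logging the 403s separately is what lets you see a parameter-tampering attempt in the access logs.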
Try with it....
Try with it... only show the status of pids that do not show a command.

    # run from /proc; lists the status of every pid whose cmdline contains
    # no letters (kernel threads and the like)
    for i in `for n in [0-9]* ; do echo -n "pid: $n " ; cat $n/cmdline; echo; done | awk '{if($3!~/[a-zA-Z]/){print $2}}'`; do cat $i/status; echo; done | more

-- 
Raúl Sáez
Marlborough Stirling
Gran Vía 62, 10º izq
28013 Madrid
tel: +34-91-5487910
fax: +34-91-5400199
email: [EMAIL PROTECTED]
www.puntoseguro.com
GPG subkeys and keyservers
My gpg encryption subkey expired recently; I created a new subkey; it's
signed, expires in a few months, etc. The key imports fine when I pull it in
from the ascii armored export version ... but exporting it to the keyserver
via --send-key fails miserably. I get a report of success, but when I
--recv-key, I don't get the new subkey.

(below: my public/private keypair resides on meteu. fury is another host,
which does not have either key.)

meteu:~ 2% gpg --send-key flip
gpg: success sending to `wwwkeys.us.pgp.net' (status=200)
meteu:~ 3% gpg --export -a flip > /var/www/public.asc
meteu:~ 4% gpg --list-key flip
pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]

pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]

meteu:~ 5%

New subkey exists, supposedly got exported to wwwkeys.us.pgp.net alright.
However.

fury:~ 40% gpg --list-key flip
gpg: Warning: using insecure memory!
gpg: error reading key: public key not found
fury:~ 41% wget http://meteu.octoraro.org/public.asc
--11:46:10--  http://meteu.octoraro.org/public.asc
           => `public.asc'
Connecting to meteu.octoraro.org:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 2,265 [text/plain]

    0K ..                                                   100% @  44.24 KB/s

11:46:10 (44.24 KB/s) - `public.asc' saved [2265/2265]

fury:~ 42% gpg --import public.asc
gpg: Warning: using insecure memory!
gpg: key 17984F07: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
fury:~ 43% gpg --list-key flip
gpg: Warning: using insecure memory!
pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]

fury:~ 44%

Key is imported just fine from the ascii armored export. No problems.

fury:~ 44% gpg --delete-key flip
gpg: Warning: using insecure memory!

pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]

Delete this key from the keyring? yes
fury:~ 45% gpg --list-key flip
gpg: Warning: using insecure memory!
gpg: error reading key: public key not found
fury:~ 46% gpg --recv-key 17984F07
gpg: Warning: using insecure memory!
gpg: requesting key 17984F07 from wwwkeys.us.pgp.net ...
gpg: key 17984F07: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
fury:~ 47% gpg --list-key flip
gpg: Warning: using insecure memory!
pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]

fury:~ 48%

Apparently, the version of the key up on the PGP server doesn't have the new
subkey. So, what am I missing?

-- 
//[pgp] 1024D/17984F07 [http] meteu.octoraro.org
Nice, selfless people don't restore my faith in humanity -- they restore my
faith in randomness.
Re: GPG subkeys and keyservers
On Thu, 09 May 2002, Chris Flipse wrote:
> My gpg encryption subkey expired recently; I created a new subkey; it's
> signed, expires in a few months, etc. The key imports fine when I pull it
> in from the ascii armored export version ... but exporting it to the
> keyserver via --send-key fails miserably. I get a report of success, but
> when I --recv-key, I don't get the new subkey.

Known bug. The non-free stuff at keyserver.net seems to handle it, but the
good old DFSG-free wwwkeys.*.pgp.net doesn't, and corrupts the key.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
Re: how to use -j DROPLOG in iptables?
* Patrick Hsieh ([EMAIL PROTECTED]) [020508 20:24]:
> Hello,
>
> When I use -j DROPLOG in iptables, my woody complains:
>
> iptables v1.2.6a: Couldn't load target `DROPLOG':/lib/iptables/libipt_DROPLOG.so: cannot open shared object file: No such file or directory
> Try `iptables -h' or 'iptables --help' for more information.

I've never seen DROPLOG; it's some kind of extension, no?

What I have seen people do is something like this:

    iptables -N logndrop
    iptables -A logndrop -j LOG
    iptables -A logndrop -j DROP

and then use -j logndrop wherever they want to log and drop a packet.

Personally, I don't find it too much trouble to specify 2 lines (a log and
a drop) each time I want to discard a packet. It gives me the added benefit
of specifying a separate --log-prefix for each place in my filter that
things are dropped.

good times,
Vineet

-- 
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume.shtml
Problems with wireless cards ...
Hello all.

I want to install a wireless card in my Linux. This is a PCMCIA card which
is inserted into a PCI adapter.

=-=

I have two complete sets of cards:

2x Planet WL8300 PCI adapter + PCMCIA 3550
   (see www page: http://www.planet-taiwan.com/product/CATALOG/WireFree.htm)

and

2x Avaya adapter + PCMCIA (oops, I forgot the model - I have it at work -
   but this is probably not important)
   (www page: http://www.veracomp.pl/pokaz_ceny_test.php?f_szukaj=AVAYA&f_kategoria=c_producent&f_pokaz_rodzina[]=Avaya%20Wireless%20infrastruktura%20sieci%20wireless)

=-=

Which option is recommended to install this card (in kernel config)?
What about secure connections? Any experience and ideas?

Regards
Marcin Bednarz.
Re: possible hole in mozilla et al
> Coming from a corporate environment I hardly feel that stable is ancient.
> With most commercial operating systems the quality control seems so poor
> it takes a few years before we feel comfortable moving to a new release.
> But with Debian I can point to the unstable-testing-stable system and my
> boss understands that it has already gone through a 'teething' period
> before it's released. If Debian were to accelerate the path to stable too
> much, stable would lose its value to us. (unless security fixes were
> released for older stable versions)

I am not arguing for any change in the policies for determining what is
stable and what is not. My feeling is (and I admit I haven't done any
studies) that stable gets delayed sometimes due to obscure packages having
bugs or obscure platform-specific bugs. It seems to me that most commonly
used packages like apache, php, postgres etc have a pretty good track record
and could be considered stable a few months after they are released. Using
the same criteria used by the debian folks now, you could have more frequent
updates if you simply selected a small set of carefully chosen packages.
Kind of a debian sub-distro.

-- 
Tim Uckun
Mobile Intelligence Unit.
--
"There are some who call me TIM?"
--
Re: how to use -j DROPLOG in iptables?
On Wed, 2002-05-08 at 22:25, Patrick Hsieh wrote:
> Hello,
>
> When I use -j DROPLOG in iptables, my woody complains:
>
> iptables v1.2.6a: Couldn't load target `DROPLOG':/lib/iptables/libipt_DROPLOG.so: cannot open shared object file: No such file or directory
> Try `iptables -h' or 'iptables --help' for more information.

The Quick'n Dirty way.

    iptables -N DROPLOG
    iptables -A DROPLOG -j LOG
    iptables -A DROPLOG -j DROP

You may want to consider:

    iptables -N DROPLOG
    iptables -A DROPLOG -j LOG
    iptables -A DROPLOG -p tcp -j REJECT --reject-with tcp-reset
    iptables -A DROPLOG -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A DROPLOG -p udp -j DROP

-- 
David Stanaway
Re: possible hole in mozilla et al
On Thu, 2002-05-09 at 01:22, Tim Uckun wrote:
> I am not arguing for any change in the policies for determining what is
> stable and what is not. My feeling is (and I admit I haven't done any
> studies) that stable gets delayed sometimes due to obscure packages having
> bugs or obscure platform-specific bugs. It seems to me that most commonly
> used packages like apache, php, postgres etc have a pretty good track
> record and could be considered stable a few months after they are
> released. Using the same criteria used by the debian folks now, you could
> have more frequent updates if you simply selected a small set of carefully
> chosen packages. Kind of a debian sub-distro.

For those that need some of the new versions of packages (EG: being stuck
with the `stable' version of postgresql would be silly if you used it
heavily) it is not that difficult to get around it by having a deb-src line
that points at testing.

    apt-get build-dep apache
    apt-get -b source apache

It is not going to work all the time. Sometimes the build depends have to
be built from testing as well...

Having lots of different stable branches as suggested by someone else would
make the security team's job pretty difficult, and it is already hard
enough from what I gather.

On another note... I imagine that some of the security updates for stable
have caused some frustration to the security team, as the flaw is sometimes
something that has been fixed in a later version, and applying that fix to
the older (Read: old version not maintained any more upstream) version
could be non-trivial and seem a little futile when upgrading to a new
version fixes the problem.

-- 
David Stanaway
RE: possible hole in mozilla et al
> Coming from a corporate environment I hardly feel that stable is ancient.

Also coming from a corporate environment, and one specifically focused on
web technologies, I disagree. We have been forced to mix stable/testing to
get basic fixes in things like Apache. Another thing that really irritates
is that the commercial and non-commercial security scanning tools throw
lots of 'this version is insecure' false positives which all have to be
investigated and ticked once proof of patch has been established, and we
run such scanning frequently.

> But with Debian I can point to the unstable-testing-stable system and my
> boss understands that it has already gone through a 'teething' period
> before it's released.

This is also one reason that we use Debian - though more important to us is
the improved security through fine-grained package control.

> If Debian were to accelerate the path to stable too much, stable would
> lose its value to us. (unless security fixes were released for older
> stable versions)

The opposite is true of our company - stable lags so far behind now that we
have been forced to combine stable/testing/unstable - not only in things
like Apache, but even in basics like the use of netfilter stateful
firewalling in the 2.4 kernel series.

I agree with Tim Uckun's comments - we don't need bleeding edge, but we
also don't need
some-obscure-whizzo-package-on-104-obsolete-hardware-architectures.deb
holding up basic things like Apache, PHP, Perl, Mod_Perl, MySQL etc. We
would be over the moon to have a mini-stable that only contained core
packages, and that kept better pace with the real world.

-----Original Message-----
From: James Morgan [mailto:[EMAIL PROTECTED]]
Sent: 09 May 2002 01:30
To: debian-security@lists.debian.org
Subject: Re: possible hole in mozilla et al

At 15:38 2002-05-08 -0600, Tim Uckun wrote:
> The situation right now is that for production you run an ancient system
> or cross your fingers, hold your breath and run unstable.

Coming from a corporate environment I hardly feel that stable is ancient.
With most commercial operating systems the quality control seems so poor it
takes a few years before we feel comfortable moving to a new release. But
with Debian I can point to the unstable-testing-stable system and my boss
understands that it has already gone through a 'teething' period before
it's released. If Debian were to accelerate the path to stable too much,
stable would lose its value to us. (unless security fixes were released for
older stable versions)
Re: tcp syn flood and /proc configuration
On Wed, May 08, 2002 at 01:45:32AM +0800, Patrick Hsieh wrote:
> Hello Vincent Hanquez [EMAIL PROTECTED],
>
> But this option seems to bring some side-effect. Is there any alternative?
>
> tcp_syncookies - BOOLEAN
>         Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
>         Send out syncookies when the syn backlog queue of a socket
>         overflows. This is to prevent against the common 'syn flood attack'
>         Default: FALSE
>
>         Note, that syncookies is fallback facility.
>         It MUST NOT be used to help highly loaded servers to stand
>         against legal connection rate. If you see synflood warnings
>         in your logs, but investigation shows that they occur
>         because of overload with legal connections, you should tune
>         another parameters until this warning disappear.
>         See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.
>
>         syncookies seriously violate TCP protocol, do not allow
>         to use TCP extensions,

TCP extensions work normally when you aren't being SYN flooded, IIRC. DJB
is one of the co-designers of SYN cookies. Read his explanation at
http://cr.yp.to/syncookies.html.

>         can result in serious degradation
>         of some services (f.e. SMTP relaying), visible not by you,
>         but your clients and relays, contacting you. While you see
>         synflood warnings in logs not being really flooded, your server
>         is seriously misconfigured.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
Re: possible hole in mozilla et al
On Wed, May 08, 2002 at 10:58:38PM +0200, Wichert Akkerman wrote:
> Previously Raymond Wood wrote:
> > but I would really like to see either:
> > a) woody receiving security patches as soon as sid and potato; or
> > b) no woody.
>
> From a security viewpoint b) is the only option, and we have always said so.

s/woody/testing/g

Otherwise that is not true.

Javi
Fixing file system privileges
Hi,

I screwed up file system privileges, issuing a chmod -R in the wrong
(/ -- where else?) directory :-(

Is there a way to fix this?

TIA,
Kofa

Homepage at http://emil.alarmix.org/kofa/
For PGP public key: send mail with the subject "PGP Public Key Request"
or finger [EMAIL PROTECTED]
RE: possible hole in mozilla et al
> I agree with Tim Uckun's comments - we don't need bleeding edge, but we
> also don't need
> some-obscure-whizzo-package-on-104-obsolete-hardware-architectures.deb
> holding up basic things like Apache, PHP, Perl, Mod_Perl, MySQL etc. We
> would be over the moon to have a mini-stable that only contained core
> packages, and that kept better pace with the real world.

I have given this more thought since I posted my comments and it occurs to
me that this is a business opportunity more than anything else. What is
needed is a distro based on debian, following the same rules of safety as
debian, using the same packages etc. Everything is the same except that
apt-sources points to a list which contains a smaller set of platform
specific packages. This list gets updated as often as possible while
staying with the safety requirements of debian.

As for us we decided to go with freebsd on some systems thinking it might
offer security along with more frequently updated ports. So far I am not
impressed with it. The ports are not as easy to use as apt, and ports are
sometimes just plain old broken.

If anybody has an answer I'm all ears as long as the answer does not
contain the words microsoft or red or hat.
register_globals in php4
Hello list,

php4.1 recommends setting register_globals=off in php.ini to make php more
strict. My question is, if I turn off register_globals, what will happen if
any malicious user just tries to modify the variable values in the url? Say,
http://www.domain.com/xxx.php?id=3&sex=female

Does it work if the user just changes the value in the URL directly and
sends the url directly to the web server? How can we avoid the malicious
attack by direct http GET/POST with modified parameter values that makes a
system error or compromise possible?

-- 
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
Re: register_globals in php4
one of the php lists is probably a better forum for this question, but in
short, register_globals=off means that if you want to use the id variable
passed in the query string by the browser, you would access it as
$HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id.
more info at http://www.php.net/manual/en/language.variables.predefined.php

xn

On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote:
> Hello list,
>
> php4.1 recommends setting register_globals=off in php.ini to make php
> more strict. My question is, if I turn off register_globals, what will
> happen if any malicious user just tries to modify the variable values in
> the url? Say, http://www.domain.com/xxx.php?id=3&sex=female
>
> Does it work if the user just changes the value in the URL directly and
> sends the url directly to the web server? How can we avoid the malicious
> attack by direct http GET/POST with modified parameter values that makes
> a system error or compromise possible?
>
> --
> Patrick Hsieh [EMAIL PROTECTED]
> GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg
Re: register_globals in php4
Hello Christian G. Warden [EMAIL PROTECTED], Yes. But when a user type the url something like login.php?id=fakeid Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right? How do I avoid users affecting the system by changing the variable values in the URL directly? If not, is there any way to protect myself from malicious url injection attack? On Thu, 9 May 2002 09:51:02 -0700 Christian G. Warden [EMAIL PROTECTED] wrote: one of the php lists is probably a better forum for this question, but in short, register_globals=off means that if you want to use the id variable passed in the query string by the browser, you would access it as $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info at http://www.php.net/manual/en/language.variables.predefined.php xn On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote: Hello list, php4.1 recommends to set register_globals=off in php.ini to make php more strict. My question is, if I turn off register_globals, what will happen if any malicious user just try to modify the variable values in the url? Say, http://www.domain.com/xxx.php?id=3sex=female Does it work if user just change the value in the URL directly and send the url directly to web server? How can we avoid the malicious attack by directly http GET/POST with modified parameter values to make possible system error or compromise? -- Patrick Hsieh [EMAIL PROTECTED] GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- Patrick Hsieh [EMAIL PROTECTED] GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: register_globals in php4
On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote: Yes. But when a user type the url something like login.php?id=fakeid Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right? How do I avoid users affecting the system by changing the variable values in the URL directly? If not, is there any way to protect myself from malicious url injection attack? You don't avoid that. You can't avoid it. register_globals didn't avoid it either and if you rely on such behvaiour then your application is clearly very broken. You should always check the data supplied to your CGI *very* carefully for just this reason. See for instance (randomly picked from google): http://www-genome.wi.mit.edu/WWW/faqs/wwwsf4.html -- Simon [ [EMAIL PROTECTED] ] *\ JarJar Binks^W^WSupport for \** ** ]-+-+-+-+-+-+-+-+-[ **\ CRLF-LF translation in the kernel \* ** [ Htag.pl 0.0.19 ] ***\ must die. - Alexander Viro \ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: register_globals in php4
you must write your application safely. it sounds like you're trying to prevent a user from changing their userid. after they log in, you could create a session variable with their userid and only use that session variable. i still use register_globals=on with my code, but i have the following code that gets included on every page: if(!session_is_registered('userid') { unset($userid); } and in my login function, after username and password are verified, i put the userid in $userid and session_register('userid'); this allows me to always trust that $userid matches the userid of the authenticated user. here's an article on secure programming in php: http://www.zend.com/zend/art/art-oertli.php xn On Fri, May 10, 2002 at 01:11:41AM +0800, Patrick Hsieh wrote: Hello Christian G. Warden [EMAIL PROTECTED], Yes. But when a user type the url something like login.php?id=fakeid Then $HTTP_GET_VARS['id'] and $_GET['id'] will also get fakeid, right? How do I avoid users affecting the system by changing the variable values in the URL directly? If not, is there any way to protect myself from malicious url injection attack? On Thu, 9 May 2002 09:51:02 -0700 Christian G. Warden [EMAIL PROTECTED] wrote: one of the php lists is probably a better forum for this question, but in short, register_globals=off means that if you want to use the id variable passed in the query string by the browser, you would access it as $HTTP_GET_VARS['id'], or $_GET['id'] in 4.1+, rather than $id. more info at http://www.php.net/manual/en/language.variables.predefined.php xn On Fri, May 10, 2002 at 12:09:22AM +0800, Patrick Hsieh wrote: Hello list, php4.1 recommends to set register_globals=off in php.ini to make php more strict. My question is, if I turn off register_globals, what will happen if any malicious user just try to modify the variable values in the url? 
Say, http://www.domain.com/xxx.php?id=3sex=female Does it work if user just change the value in the URL directly and send the url directly to web server? How can we avoid the malicious attack by directly http GET/POST with modified parameter values to make possible system error or compromise? -- Patrick Hsieh [EMAIL PROTECTED] GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- Patrick Hsieh [EMAIL PROTECTED] GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: how to use -j DROPLOG in iptables?
* Patrick Hsieh ([EMAIL PROTECTED]) [020508 20:24]: Hello, When I use -j DROPLOG in iptables, my woody complains: iptables v1.2.6a: Couldn't load target `DROPLOG':/lib/iptables/libipt_DROPLOG.so: cannot open shared object file: No such file or directory Try `iptables -h' or 'iptables --help' for more information. I've never seen DROPLOG; it's some kind of extension, no? What I have seen people do is something like this: iptables -N logndrop iptables -A logndrop -j LOG iptables -A logndrop -j DROP and then use -j logndrop wherever they want to log and drop a packet. Personally, I don't find it too much trouble to specify 2 lines (a log and a drop) each time I want to discard a packet. It gives me the added benefit of specifying a separate --log-prefix for each place in my filter that things are dropped. good times, Vineet -- Currently seeking opportunities in the SF Bay Area Please see http://www.doorstop.net/resume.shtml pgpOxFerHy88y.pgp Description: PGP signature
Try with it....
Try with it... only show status of pid that do not show command. for i in `for n in [0-9]* ; do echo -n pid: $n ; cat $n/cmdline; echo; done|awk '{if($3!~/[a-zA-Z]/){print $2}}'`; do cat $i/status; echo; done|more -- Raúl Sáez Marlborough Stirling Gran Vía 62, 10º izq 28013 Madrid tel: +34-91-5487910 fax: +34-91-5400199 email: [EMAIL PROTECTED] www.puntoseguro.com -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
GPG subkeys and keyservers
My gpg encryption subkey expired recently; I created a new subkey; it's signed, expires in a few months, etc. The key imports fine when I pull it in from the ascii armored export version ... but exporting it to the keyserver via --send-key fails miserably. I get a report of success, but when I --recv-key, I don't get the new subkey.

(below: my public/private keypair resides on meteu. fury is another host, which does not have either key.)

meteu:~ 2% gpg --send-key flip
gpg: success sending to `wwwkeys.us.pgp.net' (status=200)
meteu:~ 3% gpg --export -a flip > /var/www/public.asc
meteu:~ 4% gpg --list-key flip
pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]

pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]

meteu:~ 5%

New subkey exists, supposedly got exported to wwwkeys.us.pgp.net alright. However.

fury:~ 40% gpg --list-key flip
gpg: Warning: using insecure memory!
gpg: error reading key: public key not found
fury:~ 41% wget http://meteu.octoraro.org/public.asc
--11:46:10--  http://meteu.octoraro.org/public.asc
           => `public.asc'
Connecting to meteu.octoraro.org:80... connected!
HTTP request sent, awaiting response... 200 OK
Length: 2,265 [text/plain]

    0K ..                                                   100% @  44.24 KB/s

11:46:10 (44.24 KB/s) - `public.asc' saved [2265/2265]

fury:~ 42% gpg --import public.asc
gpg: Warning: using insecure memory!
gpg: key 17984F07: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
fury:~ 43% gpg --list-key flip
gpg: Warning: using insecure memory!
pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]
sub  1024g/BCA91458 2002-05-09 [expires: 2002-11-05]

fury:~ 44%

Key is imported just fine from the ascii armored export. No problems.

fury:~ 44% gpg --delete-key flip
gpg: Warning: using insecure memory!

pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]

Delete this key from the keyring? yes
fury:~ 45% gpg --list-key flip
gpg: Warning: using insecure memory!
gpg: error reading key: public key not found
fury:~ 46% gpg --recv-key 17984F07
gpg: Warning: using insecure memory!
gpg: requesting key 17984F07 from wwwkeys.us.pgp.net ...
gpg: key 17984F07: public key imported
gpg: Total number processed: 1
gpg:               imported: 1
fury:~ 47% gpg --list-key flip
gpg: Warning: using insecure memory!
pub  1024D/17984F07 2001-10-06 Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
uid                            Chris Flipse [EMAIL PROTECTED]
sub  1024g/B03178DE 2001-10-06 [expires: 2002-04-04]

fury:~ 48%

Apparently, the version of the key up on the PGP server doesn't have the new subkey. So, what am I missing?

-- 
//[pgp] 1024D/17984F07 [http] meteu.octoraro.org
Nice, selfless people don't restore my faith in humanity -- they restore my faith in randomness.
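What Chris did by hand on fury (fetch the key into an empty keyring and eyeball the sub lines) can be turned into a check you run after every --send-key. The following is an added example, not code from the original thread: it compares the "sub" records of gpg --with-colons output for the local key against what a keyserver returns into a scratch keyring, and reports any subkey the server dropped. The keyserver URL is an assumption to be replaced with whichever server you publish to; the offline demo uses a constructed listing whose long key ids are the page's short ids zero-padded, not real fingerprints.

```shell
#!/bin/sh
# Added example: verify that a keyserver's copy of a key carries every subkey
# the local copy has. Works from the machine-readable --with-colons listing,
# where "sub" records hold the subkey id in field 5.

# Print subkey ids present in the local listing ($1) but absent from the
# fetched listing ($2). Empty output means the server has all of them.
# FILENAME is compared rather than NR==FNR so an empty remote listing
# (key not found at all) still reports every local subkey as missing.
missing_subkeys() {
    awk -F: '
        FILENAME == ARGV[1] { if ($1 == "sub") seen[$5] = 1; next }
        $1 == "sub" && !($5 in seen) { print $5 }
    ' "$2" "$1"
}

# Live check: local keyring vs. what the server hands back to a fresh keyring.
# Default server is an assumption; pass your own as the second argument.
check_keyserver_copy() {
    keyid="$1"
    server="${2:-hkps://keys.openpgp.org}"
    tmp="$(mktemp -d)"
    mkdir -m 700 "$tmp/scratch"
    gpg --batch --with-colons --list-keys "$keyid" > "$tmp/local.txt"
    gpg --batch --homedir "$tmp/scratch" --keyserver "$server" \
        --recv-keys "$keyid" >/dev/null 2>&1
    gpg --batch --homedir "$tmp/scratch" --with-colons --list-keys "$keyid" \
        > "$tmp/remote.txt" 2>/dev/null
    missing="$(missing_subkeys "$tmp/local.txt" "$tmp/remote.txt")"
    rm -rf "$tmp"
    if [ -n "$missing" ]; then
        echo "subkeys missing from $server: $missing" >&2
        return 1
    fi
    echo "all subkeys of $keyid present on $server"
}

# Offline demo on constructed listings: the local key has two subkeys, the
# server's copy only the old one. Returns the id of the dropped subkey.
demo_offline() {
    tmp="$(mktemp -d)"
    cat > "$tmp/local.txt" <<'EOF'
pub:u:1024:17:0000000017984F07:2001-10-06:::u:::scESC:
uid:u::::2001-10-06::0000::Chris Flipse:
sub:e:1024:16:00000000B03178DE:2001-10-06:2002-04-04:::::e:
sub:u:1024:16:00000000BCA91458:2002-05-09:2002-11-05:::::e:
EOF
    cat > "$tmp/remote.txt" <<'EOF'
pub:u:1024:17:0000000017984F07:2001-10-06:::u:::scESC:
uid:u::::2001-10-06::0000::Chris Flipse:
sub:e:1024:16:00000000B03178DE:2001-10-06:2002-04-04:::::e:
EOF
    missing_subkeys "$tmp/local.txt" "$tmp/remote.txt"
    rm -rf "$tmp"
}

# "sh script.sh check KEYID [SERVER]" runs the live check; no arguments runs nothing.
if [ "${1:-}" = "check" ]; then
    shift
    check_keyserver_copy "$@"
fi
```

Run the live check from a different machine (or at least a different homedir) than the one holding the key, exactly as Chris did with fury, so the fetched copy cannot be merged with an existing local one and hide the difference.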
Re: GPG subkeys and keyservers
On Thu, 09 May 2002, Chris Flipse wrote:
> My gpg encryption subkey expired recently; I created a new subkey; it's signed, expires in a few months, etc. The key imports fine when I pull it in from the ascii armored export version ... but exporting it to the keyserver via --send-key fails miserably. I get a report of success, but when I --recv-key, I don't get the new subkey.

Known bug. The non-free stuff at keyserver.net seems to handle it, but the good old DFSG-free wwwkeys.*.pgp.net doesn't, and corrupts the key.

-- 
One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie. -- The Silicon Valley Tarot
Henrique Holschuh
Problems with wireless cards ...
Hello all.

I want to install a wireless card in my Linux. This is a PCMCIA card which is inserted into a PCI adapter.

=-=
I have two sets of cards:

2x Planet WL8300 PCI adapter + PCMCIA 3550 (see www page: http://www.planet-taiwan.com/product/CATALOG/WireFree.htm)

and

2x Avaya adapter + PCMCIA (oops, I forgot the model - I have it at work - but this is probably not important) (www page: http://www.veracomp.pl/pokaz_ceny_test.php?f_szukaj=AVAYA&f_kategoria=c_producent&f_pokaz_rodzina[]=Avaya%20Wireless%20infrastruktura%20sieci%20wireless)
=-=

Which option is recommended to install this card (in the kernel config)? What about secure connections? Any experience or ideas?

Regards
Marcin Bednarz.