RE: [PHP] Security of PHP code

2001-07-05 Thread Adrian Ciutureanu

$allowed_path = '/www/sites/mysite/teaching';
$file = realpath($file);
if(ereg("^$allowed_path", $file)) {
// it's OK
} else {
// possible attack!
}

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: 4 July 2001 15:29
 To: [EMAIL PROTECTED]
 Subject: Re: [PHP] Security of PHP code 
 
 
 
  <?php
  $allowed_path = "/www/sites/mysite/teaching";
 
  if (substr($file, 0, strlen($allowed_path)) != $allowed_path)
  {
  die("not allowed!");
  }
  else
  {
  show_source($file);
  }
  ?>
 
 I've missed part of the discussion, but if my understanding 
 of the issue
 is correct (accepting a filename and path from a visitor to 
 the site to
 display through a PHP script), then this solution is probably
 inadequate...
 
 If the user passes in a string like
 /www/sites/mysite/teaching/../../../../etc/passwd, the first 
 part of the
 string will pass your validity test, but the user may still be able to
 ascend to a place where files you don't wish to share are stored.
 
 A better solution may be to pass the filename through some 
 filter and then
 concatenate that to your path. For example:
 
 if(preg_match('/[^A-Za-z0-9]/', $file)) {
   die("Invalid filename.");
 }
 else {
   show_source($path . $file);
 }
 
 That's an awfully strict way to do it, but that's my 
 personal preference.
 If you must accept information that contains a path, perhaps 
 just check
 for '..' in the user input.
 
 Anyways, like I say I could be way off base as far as what 
 the discussion
 is actually about, and I haven't had near enough coffee this 
 morning, so
 forgive me if I'm just talking nonsense =)
 
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 To contact the list administrators, e-mail: 
 [EMAIL PROTECTED]
 
 





RE: [PHP] Security of PHP code

2001-07-05 Thread Adrian Ciutureanu

http://php.net/realpath

$allowed_path = '/www/sites/mysite/teaching';
$file = realpath($file);
if(ereg("^$allowed_path", $file)) {
// it's OK
} else {
// possible attack!
}

 -Original Message-
 From: Steve Werby [mailto:[EMAIL PROTECTED]]
 Sent: 5 July 2001 02:22
 To: Sascha Schumann
 Cc: Jon Haworth; 'Hankley, Chip'; PHP Mailingliste
 Subject: Re: [PHP] Security of PHP code
 
 
 Sascha Schumann [EMAIL PROTECTED] wrote:
  On Wed, 4 Jul 2001, Steve Werby wrote:
 
   Jon Haworth [EMAIL PROTECTED] wrote:
Yes, I would have thought this would do it:
   
    if (strstr($file, "/usr/local/apache/htdocs/")) {
show_source($file);
  [..]
   Something along those lines will work.  Without some kind 
 of limitations
   built in, the page will be able to load any file that's 
 world-readable
 so
   it's a good idea to limit access to certain directories 
 or hardcode the
   directory you want to give access to.
 
  Imagine someone passing in
  /usr/local/apache/htdocs/../../../../etc/passwd as path..
 
 Excellent point.  In addition to hardcoding the path I would 
 do something to
 ensure that the file requested does not attempt to bypass 
 that directory.
 I'd probably use a regex to make sure it doesn't include a 
 / or if I want
 to serve files from a deeper directory I'd do a regex or use 
 something like
 strstr() to see if .. is within the filename.  Personally, 
 I wouldn't make
 a script that output a file on the server or a script's 
 code *and* allowed
 the user to dictate what file was accessed.
 
 --
 Steve Werby
 President, Befriend Internet Services LLC
 http://www.befriend.com/
 
 
 
 





RE: [PHP] Security of PHP code

2001-07-05 Thread Matt Williams

 

 The only foolproof method for restricting access is to strip
 forward  slashes.  In the above example, I can change the file to:
 /www/sites/mysite/teaching/../../../../etc/passwd
 And it will be allowed
 If you were to do this, however:
 $allowed_path = "/www/sites/mysite/teaching";
 $file = ereg_replace("/", "", $file);
 show_source($allowed_path . "/" . $file);
 That would block any attempt to trick the server into going into
 another  directory.

You could also check for / remove any instances of '..'

M@







RE: [PHP] Security of PHP code

2001-07-05 Thread Christopher Ostmo

Adrian Ciutureanu pressed the little lettered thingies in this order...

 $allowed_path = '/www/sites/mysite/teaching';
 $file = realpath($file);
 if(ereg("^$allowed_path", $file)) {
  // it's OK
 } else {
  // possible attack!
 }
 

This is not good code.

A user could replace the $file in the URL with this:
/www/sites/mysite/teaching/../../../../etc/passwd
Since it starts with $allowed_path, your code has just been fooled.

The basic problem that I have seen with posts to this thread is the fact 
that many people do not understand how Unix servers address and/or 
secure files. If what I have written above doesn't make any sense, 
please go and pick up a book that covers Unix/Linux security. If you 
don't, you are inviting a security breach.  You may or may not be aware 
of this, but many hackers know Unix, its security and its common 
vulnerabilities VERY well and they WILL exploit your code if it is 
exploitable.

Simply checking to see if a particular path exists in the URL will 
NEVER secure this issue.

Here's the script that I use:

<?php
// $f is the query-string parameter (register_globals was on by default in PHP 4.1 and earlier)
require("common.php");
$f = ereg_replace("/", "", $f);
commonHeader("$f Source Code");
?>
<table border="1" cellpadding="3" cellspacing="0" bgcolor="#FF">
<tr><td>
<?php
show_source("./calendar/$f");
?>
</td></tr>
</table>
<?php
commonFooter();
?>

I explicitly declare the path and I delete all forward slashes. This means 
that if someone tries to send:
$f=calendar/../../../.../../../../etc/passwd
They instead send:
$f=calendar...etcpasswd
And the server interprets this as:
./calendar/calendar...etcpasswd

The bottom line is that no files outside of the intended directory will ever 
be viewable through this script, regardless of how clever, smart or 
devious the user might be.

I could have gotten a little more fancy and given warnings if there were 
forward slashes, but the point is this: If you are allowing real file names 
to be passed as the parameter, you HAVE to do one of two things:
1) Strip or otherwise block forward slashes and/or consecutive periods.
2) Declare the file path before the show_source() call and disallow 
consecutive periods (..), forward slashes or both.  This is the method 
used at slashdot.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Innovative Application Ideas
Meeting cutting edge dynamic
web site needs since the 
dawn of Internet time (1995)

For a good time,
http://www.AppIdeas.com/





RE: [PHP] Security of PHP code

2001-07-05 Thread Adrian Ciutureanu

This is good code. Read http://php.net/realpath

 -Original Message-
 From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
 Sent: 5 July 2001 19:57
 To: Adrian Ciutureanu
 Cc: [EMAIL PROTECTED]
 Subject: RE: [PHP] Security of PHP code 
 
 




RE: [PHP] Security of PHP code

2001-07-05 Thread Adrian Ciutureanu

An observation: I presume (in my code) that $allowed_path is a root of
an allowed path. So, files in subfolders of allowed_path are also
allowed.

 -Original Message-
 From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
 Sent: 5 July 2001 19:57
 To: Adrian Ciutureanu
 Cc: [EMAIL PROTECTED]
 Subject: RE: [PHP] Security of PHP code 
 
 




RE: [PHP] Security of PHP code

2001-07-05 Thread Christopher Ostmo

Adrian Ciutureanu pressed the little lettered thingies in this order...

 This is good code. Read http://php.net/realpath
 

You are correct. I was unaware of the addition of the realpath() function 
to PHP. According to the description of realpath(), using it should close 
this hole also.

  -Original Message-
  From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
  Sent: 5 July 2001 19:57
  To: Adrian Ciutureanu
  Cc: [EMAIL PROTECTED]
  Subject: RE: [PHP] Security of PHP code 
  
  

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Innovative Application Ideas
Meeting cutting edge dynamic
web site needs since the 
dawn of Internet time (1995)

Business Applications:
http://www.AppIdeas.com/

Open Source Applications:
http://open.AppIdeas.com/





[PHP] Security of PHP code

2001-07-04 Thread David A Dickson

Is it possible for others to view the php code for pages I have written? I thought I 
heard someone say before that they could write a simple script to accomplish this. If 
anyone knows of any tactics people might use to attack my code please post them here.

: David A. Dickson
: [EMAIL PROTECTED]









RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert

i think that you can't attack php code because it's a server side scripting
language...

just with *echo*(and others) you send some code to the browser... i guess
it's secure ;)

Tim Taubert

-
   Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-

-Original Message-
From: David A Dickson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 3:43 PM
To: php-general
Subject: [PHP] Security of PHP code


Is it possible for others to view the php code for pages I have written? I
thought I heard someone say before that they could write a simple script to
accomplish this. If anyone knows of any tactics people might use to attack
my code please post them here.

: David A. Dickson
: [EMAIL PROTECTED]











RE: [PHP] Security of PHP code

2001-07-04 Thread Adrian Ciutureanu

Here is something that happened to me: I forgot to tell Apache that .inc
files must be parsed by PHP. All works fine if you include a .inc file,
but if somebody guesses the .inc file name, he can see the content of that
file!

 -Original Message-
 From: David A Dickson [mailto:[EMAIL PROTECTED]]
 Sent: 4 July 2001 16:43
 To: php-general
 Subject: [PHP] Security of PHP code
 
 
 Is it possible for others to view the php code for pages I 
 have written? I thought I heard someone say before that they 
 could write a simple script to accomplish this. If anyone 
 knows of any tactics people might use to attack my code 
 please post them here.
 
 : David A. Dickson
 : [EMAIL PROTECTED]
 
 
 
 
 
 
 





RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert

yes i had this problem too... it's easier to rename your .inc files to
.inc.php3 ... so nobody can see your code but the output maybe null or some
crazy code... but it's not your php code...

Tim Taubert

-
   Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-

 -Original Message-
 From: Adrian Ciutureanu [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, July 04, 2001 3:46 PM
 To: [EMAIL PROTECTED]
 Cc: php-general
 Subject: RE: [PHP] Security of PHP code


 Here is something that happened to me: I forgot to tell Apache that .inc
 files must be parsed by PHP. All works fine if you include a .inc file,
 but if somebody guesses the .inc file name, he can see the content of that
 file!








RE: [PHP] Security of PHP code

2001-07-04 Thread Rasmus Lerdorf

The right way to fix this is to add a rule to your Apache configuration
that looks like this:

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

That will simply prevent any direct access at all to your .inc files.
Making the .inc files simply be parsed by PHP could still be a problem as
they could be called out of context.

-Rasmus


On Wed, 4 Jul 2001, Adrian Ciutureanu wrote:

 Here is something that happened to me: I forgot to tell Apache that .inc
 files must be parsed by PHP. All works fine if you include a .inc file,
 but if somebody guesses the .inc file name, he can see the content of that
 file!








RE: [PHP] Security of PHP code

2001-07-04 Thread PHPBeginner.com

SECURE, SECURE.

It is not how secure PHP is, it is how well YOU protect it.
For example = make this line show_source($file); then go to your page like
file.php?file=/etc/passwd and you're freaked!

There is a whole bunch of ways to hack your pages if not protected well
enough, but PHP itself has no vital security problems.

Try to search the archives for this topic and see what people think/suggest.
You will find there thousands of tips on what to do to have a bullet-proof
website (always if the server is yours).


Sincerely,

 Maxim Maletsky
 Founder, Chief Developer

 PHPBeginner.com (Where PHP Begins)
 [EMAIL PROTECTED]
 www.phpbeginner.com




-Original Message-
From: David A Dickson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 10:43 PM
To: php-general
Subject: [PHP] Security of PHP code


Is it possible for others to view the php code for pages I have written? I
thought I heard someone say before that they could write a simple script to
accomplish this. If anyone knows of any tactics people might use to attack
my code please post them here.

: David A. Dickson
: [EMAIL PROTECTED]












Re: [PHP] Security of PHP code

2001-07-04 Thread ReDucTor

http://sourceforge.net/source.php?page_url=/source.php look at that...
- Original Message -
From: PHPBeginner.com [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; php-general [EMAIL PROTECTED]
Sent: Thursday, July 05, 2001 12:08 AM
Subject: RE: [PHP] Security of PHP code









RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert

you're totally right.. look at this

http://www.ssw.uni-linz.ac.at/Teaching/Lectures/Sem/2000/Alexander/source.php3?url=/etc/passwd

*no comment* and not my site...

Tim Taubert

-
   Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-

.o] -Original Message-
.o] From: PHPBeginner.com [mailto:[EMAIL PROTECTED]]
.o] Sent: Wednesday, July 04, 2001 4:09 PM
.o] To: [EMAIL PROTECTED]; php-general
.o] Subject: RE: [PHP] Security of PHP code






RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert

mh =) contacted the admin to fix this problem ;)

Tim Taubert

-
   Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
- 

.o] -Original Message-
.o] From: Tim Taubert [mailto:[EMAIL PROTECTED]]
.o] Sent: Wednesday, July 04, 2001 4:58 PM
.o] To: PHP Mailingliste
.o] Subject: RE: [PHP] Security of PHP code
.o] 
.o] 
.o] you're totally right.. look at this
.o] 
.o] http://www.ssw.uni-linz.ac.at/Teaching/Lectures/Sem/2000/Alexander/source.ph
.o] p3?url=/etc/passwd
.o] 
.o] *no comment* and not my site...
.o] 
.o] Tim Taubert
.o] 
.o] -
.o]Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
.o] -
.o] 
.o] .o] -Original Message-
.o] .o] From: PHPBeginner.com [mailto:[EMAIL PROTECTED]]
.o] .o] Sent: Wednesday, July 04, 2001 4:09 PM
.o] .o] To: [EMAIL PROTECTED]; php-general
.o] .o] Subject: RE: [PHP] Security of PHP code
.o] .o]
.o] .o]
.o] .o] SECURE, SECURE.
.o] .o]
.o] .o] It is not how secure PHP is, it is how well YOU protect it.
.o] .o] For example = make this line show_source($file); then go to
.o] .o] your page like
.o] .o] file.php?file=/etc/passwd and you're freaked!
.o] .o]
.o] .o] There is a whole bunch of ways to hack your pages if not protected well
.o] .o] enough, but PHP itself has no vital security problems.
.o] .o]
.o] .o] Try to search the archives for this topic and see what people
.o] .o] think/suggest.
.o] .o] You will find there thousands of tips on what to do to have a
.o] .o] bullet-proof
.o] .o] website. (always, if the server is yours).
.o] .o]
.o] .o]
.o] .o] Sincerely,
.o] .o]
.o] .o]  Maxim Maletsky
.o] .o]  Founder, Chief Developer
.o] .o]
.o] .o]  PHPBeginner.com (Where PHP Begins)
.o] .o]  [EMAIL PROTECTED]
.o] .o]  www.phpbeginner.com
.o] .o]
.o] .o]
.o] .o]
.o] .o]
.o] .o] -Original Message-
.o] .o] From: David A Dickson [mailto:[EMAIL PROTECTED]]
.o] .o] Sent: Wednesday, July 04, 2001 10:43 PM
.o] .o] To: php-general
.o] .o] Subject: [PHP] Security of PHP code
.o] .o]
.o] .o]
.o] .o] Is it possible for others to view the php code for pages I have
.o] .o] written? I
.o] .o] thought I heard someone say before that they could write a
.o] .o] simple script to
.o] .o] accomplish this. If anyone knows of any tactics people might
.o] .o] use to attack
.o] .o] my code please post them here.
.o] .o]
.o] .o] : David A. Dickson
.o] .o] : [EMAIL PROTECTED]





RE: [PHP] Security of PHP code

2001-07-04 Thread PHPBeginner.com

Yup, I believe you - that's not your site.

That is what I meant: It is not PHP, it is how you use PHP.

DISCLAIMER:
No one's fault (except the programmer) that there was THAT BIG security hole
on the site.

-maxim maletsky








RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert

oh thanks for the disclaimer ;) forgot it..

richard: didn't think about it.. but should have done it.. first and last time i did 
it *promised*
:)

Tim Taubert

-
   Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-





RE: [PHP] Security of PHP code

2001-07-04 Thread PHPBeginner.com

Just for the respect of the community, Tim, you shouldn't have posted that.
Poor them, they are at risk; of course things will probably be fixed, but
if someone cares he might already be in the machine just for the sake of it.

-maxim maletsky






RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert

mh i know it was the wrong decision. didn't think about it. already said that. feeling 
guilty now
*argh*

Tim Taubert

-
   Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-


RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert

found 2 other servers having the same problem... mailed to the webmasters and admins 
instead of
posting it.. now i feel a little bit better :)

Tim Taubert

-
   Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-


Re: [PHP] Security of PHP code

2001-07-04 Thread Delbono


would be really silly if

http://www.php.net/source.php?url=/index.php






RE: [PHP] Security of PHP code

2001-07-04 Thread Hankley, Chip

OK,

I'm pretty new to PHP, and have been reading this thread, and am just a
little freaked.

If I understand this right, the only reason we can view the source code
of those pages is that the web server on which the page resides essentially
has a PHP page somewhere on their site that has some variation of:

<?show_source($file);?>

as its content, right?

While I can see the utility of that for some situations
(teaching...examples, etc.), it seems like a huge potential for security
breaches.

Is it possible to have such a function on your site w/o giving access to ALL
of your documents...

Chip





Re: [PHP] Security of PHP code

2001-07-04 Thread Delbono


maybe one could be

<?php
$allowed_path = "/www/sites/mysite/teaching";

// $file arrives from the query string (register_globals made this implicit in 2001).
$file = isset($_GET['file']) ? $_GET['file'] : '';

// Prefix check on the raw path: accept only paths that start with $allowed_path.
if (substr($file, 0, strlen($allowed_path)) != $allowed_path)
{
    die("not allowed!");
}
else
{
    show_source($file);
}
?>









RE: [PHP] Security of PHP code

2001-07-04 Thread Jon Haworth

Yes, I would have thought this would do it:

// $file arrives from the query string (register_globals made this implicit in 2001).
$file = isset($_GET['file']) ? $_GET['file'] : '';

// Substring test on the raw path: the directory must appear somewhere in $file.
if (strstr($file, "/usr/local/apache/htdocs/")) {
    show_source($file);
} else {
    echo "File must be in /usr/local/apache/htdocs!";
}

Modify as appropriate.

Have I missed anything, or will this do the trick?


Cheers
Jon


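Chip asks whether a show_source() page can exist without exposing everything, and the two replies above compare the raw request string against the allowed directory. As an added example that is not part of this thread, the PHP below puts both checks beside a version that canonicalises the path with realpath() first and compares against the directory with its trailing separator, then runs all three over a constructed temp-directory tree (every path and file name is an assumption for the demo).

```php
<?php
// Added example, not code from the thread: the two prefix checks proposed
// above beside a hardened version, all run over a constructed directory
// tree. Every path and file name is a demo assumption; $base plays the
// role of the thread's $allowed_path.
declare(strict_types=1);

// Delbono's check: the raw path starts with the allowed directory.
function passes_prefix_check(string $file, string $base): bool
{
    return substr($file, 0, strlen($base)) === $base;
}

// Jon's check: the allowed directory appears anywhere in the raw path.
function passes_strstr_check(string $file, string $base): bool
{
    return strstr($file, $base) !== false;
}

// Hardened: canonicalise with realpath() (resolves "..", "." and symlinks),
// then require the result to lie inside $base. The comparison uses $base
// with a trailing separator so a sibling such as "teaching-private" cannot
// satisfy a check meant for "teaching". Returns the resolved path, or null
// when the request must be refused.
function resolve_inside(string $requested, string $base): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $baseReal = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Relative names are joined to the base; absolute ones are taken as given.
    $candidate = $requested[0] === DIRECTORY_SEPARATOR ? $requested : $baseReal . $requested;
    $target = realpath($candidate);
    if ($target === false || !is_file($target)) {
        return null;   // missing, or not a regular file
    }
    if (strncmp($target, $baseReal, strlen($baseReal)) !== 0) {
        return null;   // canonical path lies outside the base directory
    }
    return $target;
}

// Throwaway tree under the system temp directory:
//   $root/teaching/example.php and $root/teaching/sub/lesson.php (allowed)
//   $root/secret.txt and $root/teaching-private/notes.php        (outside)
function build_demo_tree(): string
{
    $root = sys_get_temp_dir() . '/showsrc_' . bin2hex(random_bytes(4));
    mkdir("$root/teaching/sub", 0700, true);
    mkdir("$root/teaching-private", 0700, true);
    file_put_contents("$root/teaching/example.php", "<?php echo 'lesson'; ?>\n");
    file_put_contents("$root/teaching/sub/lesson.php", "<?php echo 'sub'; ?>\n");
    file_put_contents("$root/secret.txt", "not for students\n");
    file_put_contents("$root/teaching-private/notes.php", "<?php // grading ?>\n");
    return $root;
}

$root = build_demo_tree();
$base = "$root/teaching";

// Requests as a visitor could send them in ?file=...; the last four are the
// traversal, sibling-directory and relative-name cases.
$requests = [
    "$base/example.php",
    "$base/sub/lesson.php",
    "$base/../secret.txt",
    "$base/sub/../../secret.txt",
    "$root/teaching-private/notes.php",
    'sub/lesson.php',
];
$verdict = function (bool $ok): string { return $ok ? 'pass' : 'deny'; };
printf("%-38s %-6s %-6s %s\n", 'request', 'prefix', 'strstr', 'hardened');
foreach ($requests as $req) {
    printf("%-38s %-6s %-6s %s\n",
        str_replace($root, '$ROOT', $req),
        $verdict(passes_prefix_check($req, $base)),
        $verdict(passes_strstr_check($req, $base)),
        $verdict(resolve_inside($req, $base) !== null));
}

// Only a path that survived resolve_inside() is ever handed to show_source().
$safe = resolve_inside("$base/example.php", $base);
if ($safe !== null) {
    show_source($safe);
}

foreach (["$root/teaching/sub/lesson.php", "$root/teaching/example.php",
          "$root/secret.txt", "$root/teaching-private/notes.php"] as $f) {
    unlink($f);   // remove the throwaway tree
}
foreach (["$root/teaching/sub", "$root/teaching", "$root/teaching-private", $root] as $d) {
    rmdir($d);
}
```

In the printed table the two traversal requests and the sibling-directory request pass both raw-string checks but are denied by resolve_inside(), while the relative name is accepted only by the hardened version.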




RE: [PHP] Security of PHP code

2001-07-04 Thread Christopher Ostmo

Adrian Ciutureanu pressed the little lettered thingies in this order...

 Here is something that happened to me: I forgot to tell Apache that .inc
 files must be parsed by PHP. All works fine if you include a .inc file, but
 if somebody guesses the .inc file name, he can see the content of that file!
 

If this is a concern, either name your include files with a valid PHP 
extension (i.e. .php) or add the following line to an .htaccess file:

AddType application/x-httpd-php .inc

This will make the web server treat your .inc files as though they were 
PHP files and the source would be parsed rather than shown when 
accessed through a web browser.

> > -Original Message-
> > From: David A Dickson [mailto:[EMAIL PROTECTED]]
> > Sent: 4 July 2001 16:43
> > To: php-general
> > Subject: [PHP] Security of PHP code
> >
> >
> > Is it possible for others to view the php code for pages I
> > have written? I thought I heard someone say before that they
> > could write a simple script to accomplish this. If anyone
> > knows of any tactics people might use to attack my code
> > please post them here.
> >
> > : David A. Dickson
> > : [EMAIL PROTECTED]

Anyone who has access to the server on which your server is hosted 
can view the source of your site by using the show_source() or 
highlight_file() functions unless your hosting provider disables those 
commands.

It doesn't really take a simple script, just a simple function:
<?php show_source("/path/to/your/file.php"); ?>

To make matters worse, most hosting providers fail to chroot jail logins 
(a chroot jailed login cannot traverse the directory structure UP from its 
own home directory). This common, but poor policy allows anyone with 
access to the same server as yours to view your files through the shell 
or even download them by FTP.  They may not overwrite your files, but 
they CAN view them.

There are two solutions if this is an important issue to you:
1) Get a dedicated server.  This is kind of spendy, but accomplishes the 
goal.
2) Only do business with providers that will (even if you have to request 
it) disable these commands AND chroot jail all logins.

Have fun...

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/





Re: [PHP] Security of PHP code

2001-07-04 Thread Tyrone Mills

I use something that accomplishes the same (displays the source of a file),
but doesn't accept the file name as a parameter. The script is also in a
directory with a password and is restricted by ip. Not perfect, but a lot
better.

- Original Message -
From: Hankley, Chip [EMAIL PROTECTED]
To: PHP Mailingliste [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 8:45 AM
Subject: RE: [PHP] Security of PHP code


> OK,
>
> I'm pretty new to PHP, and have been reading this thread, and am just a
> little freaked.
>
> If I understand this right, the only reason we can view the source code
> of those pages is that the web server on which the page resides essentially
> has a PHP page somewhere on their site that has some variation of:
>
> <?php show_source($file); ?>
>
> as its content, right?
>
> While I can see the utility of that for some situations
> (teaching...examples, etc.), it seems like a huge potential for security
> breaches.
>
> Is it possible to have such a function on your site w/o giving access to
> ALL of your documents...
>
> Chip








Re: [PHP] Security of PHP code

2001-07-04 Thread james


> <?php
> $allowed_path = "/www/sites/mysite/teaching";
>
> if (substr($file, 0, strlen($allowed_path)) != $allowed_path)
> {
>     die("not allowed!");
> }
> else
> {
>     show_source($file);
> }
> ?>

I've missed part of the discussion, but if my understanding of the issue
is correct (accepting a filename and path from a visitor to the site to
display through a PHP script), then this solution is probably
inadequate...

If the user passes in a string like
/www/sites/mysite/teaching/../../../../etc/passwd, the first part of the
string will pass your validity test, but the user may still be able to
ascend to a place where files you don't wish to share are stored.

A better solution may be to pass the filename through some filter and then
concatenate that to your path. For example:

if (preg_match("/[^A-Za-z0-9]/", $file)) {
    die("Invalid filename.");
}
else {
    show_source($path . $file);
}

That's an awfully strict way to do it, but that's my personal preference.
If you must accept information that contains a path, perhaps just check
for '..' in the user input.

Anyways, like I say I could be way off base as far as what the discussion
is actually about, and I haven't had near enough coffee this morning, so
forgive me if I'm just talking nonsense =)






Re: [PHP] Security of PHP code

2001-07-04 Thread Steve Werby

Jon Haworth [EMAIL PROTECTED] wrote:
> Yes, I would have thought this would do it:
>
> if (strstr($file, "/usr/local/apache/htdocs/")) {
>     show_source($file);
> } else {
>     echo "File must be in /usr/local/apache/htdocs!";
> }
>
> Modify as appropriate.
>
> Have I missed anything, or will this do the trick?

Something along those lines will work.  Without some kind of limitations
built in, the page will be able to load any file that's world-readable so
it's a good idea to limit access to certain directories or hardcode the
directory you want to give access to.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/






Re: [PHP] Security of PHP code

2001-07-04 Thread Sascha Schumann

On Wed, 4 Jul 2001, Steve Werby wrote:

> Jon Haworth [EMAIL PROTECTED] wrote:
> > Yes, I would have thought this would do it:
> >
> > if (strstr($file, "/usr/local/apache/htdocs/")) {
> >     show_source($file);
[..]
> Something along those lines will work.  Without some kind of limitations
> built in, the page will be able to load any file that's world-readable so
> it's a good idea to limit access to certain directories or hardcode the
> directory you want to give access to.

Imagine someone passing in
/usr/local/apache/htdocs/../../../../etc/passwd as path..

- Sascha                   Experience IRCG
  http://schumann.cx/      http://schumann.cx/ircg






Re: [PHP] Security of PHP code

2001-07-04 Thread Delbono

Yes, I supposed there could be that eventuality...

I supposed or hoped that wasn't a valid path.
> /usr/local/apache/htdocs/../../../../etc/passwd as path..

I'm not very practised with paths... actually






> On Wed, 4 Jul 2001, Steve Werby wrote:
>
> > Jon Haworth [EMAIL PROTECTED] wrote:
> > > Yes, I would have thought this would do it:
> > >
> > > if (strstr($file, "/usr/local/apache/htdocs/")) {
> > >     show_source($file);
> [..]
> > Something along those lines will work.  Without some kind of limitations
> > built in, the page will be able to load any file that's world-readable so
> > it's a good idea to limit access to certain directories or hardcode the
> > directory you want to give access to.
>
> Imagine someone passing in
> /usr/local/apache/htdocs/../../../../etc/passwd as path..
>
> - Sascha                   Experience IRCG
>   http://schumann.cx/      http://schumann.cx/ircg










Re: [PHP] Security of PHP code

2001-07-04 Thread Phil Driscoll

Surely the lesson here is to NEVER NEVER NEVER write PHP code which accepts a 
filename of any kind as one of its arguments. Yes, it will make some of your 
code a bit less versatile and more long winded, but you can bet your bottom 
dollar that someone can find a crafty way around whatever syntax checking you 
do.

Cheers
-- 
Phil Driscoll





Re: [PHP] Security of PHP code

2001-07-04 Thread Christopher Ostmo

Delbono pressed the little lettered thingies in this order...

 
> maybe one could be
>
> <?php
> $allowed_path = "/www/sites/mysite/teaching";
>
> if (substr($file, 0, strlen($allowed_path)) != $allowed_path)
> {
>     die("not allowed!");
> }
> else
> {
>     show_source($file);
> }
> ?>
 

The only foolproof method for restricting access is to strip forward 
slashes.  In the above example, I can change the file to:

/www/sites/mysite/teaching/../../../../etc/passwd

And it will be allowed.  If you were to do this, however:

$allowed_path = "/www/sites/mysite/teaching";
$file = str_replace("/", "", $file);
show_source($allowed_path . "/" . $file);

That would block any attempt to trick the server into going into another 
directory.

You would have to create separate show_source() calls or separate 
scripts for each directory that you wish to allow, but nobody will ever get 
your /etc/passwd file.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs

For a good time,
http://www.AppIdeas.com/





Re: [PHP] Security of PHP code

2001-07-04 Thread Christian Reiniger

On Wednesday 04 July 2001 16:12, ReDucTor wrote:
> http://sourceforge.net/source.php?page_url=/source.php look at that...

No problem. Have a look at what is done before the show_source () call. 
That script *is* safe :)

> > It is not how secure PHP is, it is how well YOU protect it.
> > For example = make this line show_source($file); then go to your page
> > like file.php?file=/etc/passwd and you're freaked!

-- 
Christian Reiniger
LGDC Webmaster (http://lgdc.sunsite.dk/)

Pretty cool, the kind of power information technology puts in our hands
these days.

- Securityfocus on probing 3600 hosts for known problems in 3 weeks





RE: [PHP] Security of PHP code

2001-07-04 Thread Brian White


Possibilities for improving security on a source displayer.

1) Maybe you could restrict your source shower to only look at
particular types of files - maybe the file has to end in .php
or .inc before it is even considered.

2) Given that something that displays the source needs to read the file,
maybe it could just look for some kind of marker that would
have to appear within the first N lines of a file, otherwise it
would be rejected. For example, every file that could be displayed
might need to look like this:

<?php
   //DISPLAYABLE
...


At 16:54 4/07/2001 +0100, Jon Haworth wrote:
> Yes, I would have thought this would do it:
>
> if (strstr($file, "/usr/local/apache/htdocs/")) {
>     show_source($file);
> } else {
>     echo "File must be in /usr/local/apache/htdocs!";
> }

-
Brian White
Step Two Designs Pty Ltd - SGML, XML  HTML Consultancy
Phone: +612-93197901
Web:   http://www.steptwo.com.au/
Email: [EMAIL PROTECTED]


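Brian White's two ideas, worked through as an added PHP example (this is not code from his post or from any project): an extension whitelist, and an opt-in marker that has to appear within the first N lines of a file before the displayer will show it. The marker text `//DISPLAYABLE` is the one from his post; the window of five lines, the temp directory and the four sample files are assumptions constructed for the demo.

```php
<?php
// Added example, not from Brian White's post: extension whitelist plus an
// opt-in marker that must appear within the first few lines of the file.
declare(strict_types=1);

const DISPLAY_MARKER = '//DISPLAYABLE'; // marker text from the post
const MARKER_WINDOW  = 5;               // "first N lines"; N = 5 is assumed

// 1) Only names ending in .php or .inc are considered at all.
function has_displayable_extension(string $file): bool
{
    return preg_match('/\.(php|inc)$/', $file) === 1;
}

// 2) Read at most MARKER_WINDOW lines and look for the marker on its own
//    line (leading whitespace allowed, as in the post's example).
function has_displayable_marker(string $file): bool
{
    $fh = @fopen($file, 'rb');
    if ($fh === false) {
        return false;              // unreadable or missing: reject
    }
    $found = false;
    for ($i = 0; $i < MARKER_WINDOW && ($line = fgets($fh)) !== false; $i++) {
        if (trim($line) === DISPLAY_MARKER) {
            $found = true;
            break;
        }
    }
    fclose($fh);
    return $found;
}

// A file is displayable only if both checks pass; the extension check
// runs first so non-source files are never opened.
function may_display(string $file): bool
{
    return has_displayable_extension($file) && has_displayable_marker($file);
}

// Demo on constructed files in a temp directory (assumed names and contents).
$dir = sys_get_temp_dir() . '/marker_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/example.php', "<?php\n   //DISPLAYABLE\necho 'hello';\n");
file_put_contents($dir . '/config.php',  "<?php\n\$dbpass = 'constructed';\n");
file_put_contents($dir . '/notes.txt',   "//DISPLAYABLE\nplain text\n");
file_put_contents($dir . '/late.php',    str_repeat("// padding\n", 6) . "//DISPLAYABLE\n");

// Expected: example.php displayable; config.php rejected (no marker);
// notes.txt rejected (extension); late.php rejected (marker past line 5).
foreach (['example.php', 'config.php', 'notes.txt', 'late.php'] as $name) {
    $path = $dir . '/' . $name;
    printf("%-12s %s\n", $name, may_display($path) ? 'displayable' : 'rejected');
    unlink($path);
}
rmdir($dir);
```

Neither check says anything about where the file lives, so they complement rather than replace a directory restriction: validate the path first, then apply these. The marker test opens whatever path it is handed, so it should only ever see paths that have already passed that restriction. The benefit of the marker is that a file is displayable only if its author opted in, so a configuration file that happens to end in .php stays hidden.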




Re: [PHP] Security of PHP code

2001-07-04 Thread Steve Werby

Sascha Schumann [EMAIL PROTECTED] wrote:
> On Wed, 4 Jul 2001, Steve Werby wrote:
>
> > Jon Haworth [EMAIL PROTECTED] wrote:
> > > Yes, I would have thought this would do it:
> > >
> > > if (strstr($file, "/usr/local/apache/htdocs/")) {
> > >     show_source($file);
> [..]
> > Something along those lines will work.  Without some kind of limitations
> > built in, the page will be able to load any file that's world-readable so
> > it's a good idea to limit access to certain directories or hardcode the
> > directory you want to give access to.
>
> Imagine someone passing in
> /usr/local/apache/htdocs/../../../../etc/passwd as path..

Excellent point.  In addition to hardcoding the path I would do something to
ensure that the file requested does not attempt to bypass that directory.
I'd probably use a regex to make sure it doesn't include a "/" or if I want
to serve files from a deeper directory I'd do a regex or use something like
strstr() to see if ".." is within the filename.  Personally, I wouldn't make
a script that output a file on the server or a script's code *and* allowed
the user to dictate what file was accessed.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/


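The checks debated across this thread, side by side, as an added PHP example (it is not code from any of the posters): the prefix test Delbono posted, the filter-and-concatenate approach james proposed (of which Christopher Ostmo's slash stripping and Steve Werby's ".." check are variants), and a realpath() containment check that rejects anything resolving outside the allowed directory. The `teaching` directory, `lesson1.php` and `secret.txt` are constructed under the system temp directory so the script runs offline; those names are assumptions, not something from the thread.

```php
<?php
// Added example, not from the thread: contrasts the prefix test, the
// filter-and-concatenate approach and a realpath() containment check.
declare(strict_types=1);

// Prefix test as posted in the thread: checks only that the string starts
// with the allowed directory, so "/allowed/../../etc/passwd" passes.
function naive_prefix_check(string $base, string $file): bool
{
    return substr($file, 0, strlen($base)) === $base;
}

// Filter-and-concatenate: accept a bare filename made of safe characters
// and a whitelisted extension, then build the path here so the caller
// never supplies a directory component at all.
function path_from_filename(string $base, string $name): ?string
{
    if (preg_match('/^[A-Za-z0-9_-]+\.(php|inc)$/', $name) !== 1) {
        return null;
    }
    return $base . '/' . $name;
}

// Containment: canonicalise both paths with realpath(), which resolves
// ".." segments and symlinks, then require the file to sit under the base.
// realpath() returns false for a missing file, which is treated as "outside".
function is_contained(string $base, string $file): bool
{
    $realBase = realpath($base);
    $realFile = realpath($file);
    if ($realBase === false || $realFile === false) {
        return false;
    }
    $realBase = rtrim($realBase, '/') . '/';
    return strncmp($realFile, $realBase, strlen($realBase)) === 0;
}

// Both layers together: filter the name, build the path, verify it after
// canonicalisation, and only then hand it to show_source().
function show_allowed_source(string $base, string $name): bool
{
    $path = path_from_filename($base, $name);
    if ($path === null || !is_contained($base, $path)) {
        return false;
    }
    show_source($path);
    return true;
}

// Demo on a constructed tree under the system temp directory (assumed names).
$root = sys_get_temp_dir() . '/showsrc_demo_' . getmypid();
$base = $root . '/teaching';
mkdir($base, 0700, true);
file_put_contents($base . '/lesson1.php', "<?php echo 'lesson one';\n");
file_put_contents($root . '/secret.txt', "outside the allowed tree\n");

// Traversal input of the kind Sascha and james described.
$traversal = $base . '/../secret.txt';

printf("prefix test on traversal   : %s\n",
    naive_prefix_check($base, $traversal) ? 'ALLOWED (bypassed)' : 'blocked');
printf("realpath test on traversal : %s\n",
    is_contained($base, $traversal) ? 'allowed' : 'blocked');
printf("filter on '../secret.txt'  : %s\n",
    path_from_filename($base, '../secret.txt') === null ? 'rejected' : 'accepted');
printf("filter on 'lesson1.php'    : %s\n",
    path_from_filename($base, 'lesson1.php') === null ? 'rejected' : 'accepted');
printf("show_allowed_source(lesson1.php) returned %s\n",
    show_allowed_source($base, 'lesson1.php') ? 'true' : 'false');
printf("show_allowed_source(missing.php) returned %s\n",
    show_allowed_source($base, 'missing.php') ? 'true' : 'false');

// Clean up the constructed files.
unlink($base . '/lesson1.php');
unlink($root . '/secret.txt');
rmdir($base);
rmdir($root);
```

The order matters: the filename filter runs first, so no directory component from the request ever reaches the filesystem, and the realpath() check runs on the path the script itself built, after which the file is opened. Because realpath() returns false for a file that does not exist, a missing file is treated as "not contained" rather than falling through to show_source(). A symlink placed inside the allowed directory but pointing elsewhere is also caught, since realpath() resolves it before the comparison.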




Re: [PHP] Security of PHP code

2001-07-04 Thread Tiger Quimpo

hello all,

i just recently looked at this thread, so i don't know
what's been discussed before today.  i thought i'd
point everyone at:

   http://lwn.net/2001/0704/a/study-in-scarlet.php3

however.  just came out yesterday.  very relevant.

tiger
-- 
Gerald Timothy Quimpo   [EMAIL PROTECTED]
Entia non sunt multiplicanda praetere necessitatem
 Mene sakhet ur-seveh






Re: [PHP] Security of PHP code

2001-07-04 Thread Arcady Genkin

Hankley, Chip [EMAIL PROTECTED] writes:

> Is it possible to have such a function on your site w/o giving access to ALL
> of your documents...

On top of everything the other users recommended, you can enable safe
mode.  It will protect you from sloppy programming.
-- 
Arcady Genkin
i=1; while 1, hilb(i); i=i+1; end
