RE: [PHP] Security of PHP code
    $allowed_path = '/www/sites/mysite/teaching';
    $file = realpath($file);
    if (ereg("^$allowed_path", $file)) {
        // it's OK
    } else {
        // possible attack!
    }

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 4 July 2001 15:29
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Security of PHP code

> > <?
> > $allowed_path = "/www/sites/mysite/teaching";
> > if (substr($file, 0, strlen($allowed_path)) != $allowed_path) {
> >     die("not allowed!");
> > } else {
> >     show_source($file);
> > }
> > ?>
>
> I've missed part of the discussion, but if my understanding of the issue is correct (accepting a filename and path from a visitor to the site to display through a PHP script), then this solution is probably inadequate... If the user passes in a string like /www/sites/mysite/teaching/../../../../etc/passwd, the first part of the string will pass your validity test, but the user may still be able to ascend to a place where files you don't wish to share are stored.
>
> A better solution may be to pass the filename through some filter and then concatenate that to your path. For example:
>
>     if (preg_match("/[^A-Za-z0-9]/", $file)) {
>         die("Invalid filename.");
>     } else {
>         show_source($path . $file);
>     }
>
> That's an awfully strict way to do it, but that's my personal preference. If you must accept information that contains a path, perhaps just check for '..' in the user input.
>
> Anyways, like I say I could be way off base as far as what the discussion is actually about, and I haven't had near enough coffee this morning, so forgive me if I'm just talking nonsense =)

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] Security of PHP code
http://php.net/realpath

    $allowed_path = '/www/sites/mysite/teaching';
    $file = realpath($file);
    if (ereg("^$allowed_path", $file)) {
        // it's OK
    } else {
        // possible attack!
    }

-----Original Message-----
From: Steve Werby [mailto:[EMAIL PROTECTED]]
Sent: 5 July 2001 02:22
To: Sascha Schumann
Cc: Jon Haworth; 'Hankley, Chip'; PHP Mailingliste
Subject: Re: [PHP] Security of PHP code

Sascha Schumann <[EMAIL PROTECTED]> wrote:
> On Wed, 4 Jul 2001, Steve Werby wrote:
> > Jon Haworth <[EMAIL PROTECTED]> wrote:
> > > Yes, I would have thought this would do it:
> > >
> > >     if (strstr($file, "/usr/local/apache/htdocs/")) {
> > >         show_source($file);
> > > [..]
> >
> > Something along those lines will work. Without some kind of limitations built in, the page will be able to load any file that's world-readable so it's a good idea to limit access to certain directories or hardcode the directory you want to give access to.
>
> Imagine someone passing in /usr/local/apache/htdocs/../../../../etc/passwd as path..

Excellent point. In addition to hardcoding the path I would do something to ensure that the file requested does not attempt to bypass that directory. I'd probably use a regex to make sure it doesn't include a / or if I want to serve files from a deeper directory I'd do a regex or use something like strstr() to see if .. is within the filename.

Personally, I wouldn't make a script that output a file on the server or a script's code *and* allowed the user to dictate what file was accessed.

-- 
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
RE: [PHP] Security of PHP code
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The only foolproof method for restricting access is to strip forward slashes. In the above example, I can change the file to:

    /www/sites/mysite/teaching/../../../../etc/passwd

And it will be allowed.

If you were to do this, however:

    $allowed_path = "/www/sites/mysite/teaching";
    $file = ereg_replace("/", "", $file);
    show_source($allowed_path . "/" . $file);

That would block any attempt to trick the server into going into another directory. You could also check for/remove any instances of ".."

M@

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO0QmZ6W0/zC+QxWwEQJwEgCgkvHAwNgR+tHvlyWgfefw5tipb24AoPXn
QNZ72t51rOmh7dts2zZd0S3p
=q64c
-----END PGP SIGNATURE-----
RE: [PHP] Security of PHP code
Adrian Ciutureanu pressed the little lettered thingies in this order...

>     $allowed_path = '/www/sites/mysite/teaching';
>     $file = realpath($file);
>     if (ereg("^$allowed_path", $file)) {
>         // it's OK
>     } else {
>         // possible attack!
>     }

This is not good code. A user could replace the $file in the URL with this:

    /www/sites/mysite/teaching/../../../../etc/passwd

Since it starts with $allowed_path, your code has just been fooled.

The basic problem that I have seen with posts to this thread is the fact that many people do not understand how Unix servers address and/or secure files. If what I have written above doesn't make any sense, please go and pick up a book that covers Unix/Linux security. If you don't, you are inviting a security breach. You may or may not be aware of this, but many hackers know Unix, its security and its common vulnerabilities VERY well and they WILL exploit your code if it is exploitable. Simply checking to see if a particular path exists in the URL will NEVER secure this issue.

Here's the script that I use:

    <?
    require("common.php");
    $f = ereg_replace("/", "", $f);
    commonHeader("$f Source Code");
    ?>
    <table border=1 cellpadding=3 cellspacing=0 bgcolor=#FF>
    <tr><td>
    <?
    show_source("./calendar/$f");
    ?>
    </td></tr>
    </table>
    <?
    commonFooter();
    ?>

I explicitly declare the path and I delete all forward slashes. This means that if someone tries to send:

    $f=calendar/../../../.../../../../etc/passwd

They instead send:

    $f=calendar...etcpasswd

And the server interprets this as:

    ./calendar/calendar...etcpasswd

The bottom line is that no files outside of the intended directory will ever be viewable through this script, regardless of how clever, smart or devious the user might be.

I could have gotten a little more fancy and given warnings if there were forward slashes, but the point is this: If you are allowing real file names to be passed as the parameter, you HAVE to do one of two things:

1) Strip or otherwise block forward slashes and/or consecutive periods.
2) Declare the file path before the show_source() call and disallow consecutive periods (..), forward slashes or both. This is the method used at slashdot.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Innovative Application Ideas
Meeting cutting edge dynamic web site needs since the dawn of Internet time (1995)

For a good time, http://www.AppIdeas.com/
RE: [PHP] Security of PHP code
This is a good code. Read http://php.net/realpath

-----Original Message-----
From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
Sent: 5 July 2001 19:57
To: Adrian Ciutureanu
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Security of PHP code

> Adrian Ciutureanu pressed the little lettered thingies in this order...
>
> >     $allowed_path = '/www/sites/mysite/teaching';
> >     $file = realpath($file);
> >     if (ereg("^$allowed_path", $file)) {
> >         // it's OK
> >     } else {
> >         // possible attack!
> >     }
>
> This is not good code. A user could replace the $file in the URL with this:
>
>     /www/sites/mysite/teaching/../../../../etc/passwd
>
> Since it starts with $allowed_path, your code has just been fooled.
RE: [PHP] Security of PHP code
An observation: I presume (in my code) that $allowed_path is a root of an allowed path. So, files in subfolders of allowed_path are also allowed.

-----Original Message-----
From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
Sent: 5 July 2001 19:57
To: Adrian Ciutureanu
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Security of PHP code

> Adrian Ciutureanu pressed the little lettered thingies in this order...
>
> >     $allowed_path = '/www/sites/mysite/teaching';
> >     $file = realpath($file);
> >     if (ereg("^$allowed_path", $file)) {
> >         // it's OK
> >     } else {
> >         // possible attack!
> >     }
>
> This is not good code. A user could replace the $file in the URL with this:
>
>     /www/sites/mysite/teaching/../../../../etc/passwd
>
> Since it starts with $allowed_path, your code has just been fooled.
RE: [PHP] Security of PHP code
Adrian Ciutureanu pressed the little lettered thingies in this order...

> This is a good code. Read http://php.net/realpath

You are correct. I was unaware of the addition of the realpath() function to PHP. According to the description of realpath(), using it should close this hole also.

> -----Original Message-----
> From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
> Sent: 5 July 2001 19:57
> To: Adrian Ciutureanu
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP] Security of PHP code
>
> > Adrian Ciutureanu pressed the little lettered thingies in this order...
> >
> > >     $allowed_path = '/www/sites/mysite/teaching';
> > >     $file = realpath($file);
> > >     if (ereg("^$allowed_path", $file)) {
> > >         // it's OK
> > >     } else {
> > >         // possible attack!
> > >     }
> >
> > This is not good code. A user could replace the $file in the URL with this:
> >
> >     /www/sites/mysite/teaching/../../../../etc/passwd
> >
> > Since it starts with $allowed_path, your code has just been fooled.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Innovative Application Ideas
Meeting cutting edge dynamic web site needs since the dawn of Internet time (1995)

Business Applications: http://www.AppIdeas.com/
Open Source Applications: http://open.AppIdeas.com/
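The thread ends with Ostmo conceding that realpath() closes the hole, but no post actually runs the check against the traversal string, and none mentions the two details that make a realpath() containment test hold up: the prefix has to be compared against the root plus a trailing separator (otherwise a sibling directory such as teaching2 passes a bare "^$allowed_path" test), and realpath() returns false for a nonexistent path, which must be rejected rather than compared as a string. The script below is an added example, my own code and not anything posted in the thread: safeByRealpath() is Adrian's approach with those two fixes, and safeByAllowList() is the fixed-directory allow-list from the 4 July reply. The function names, the temporary sandbox directory and the sample file names are my assumptions, constructed so the script runs stand-alone; the traversal string is the one quoted in the thread.

```php
<?php
// Added example, not code from the thread. Two defences discussed above,
// side by side: (1) a fixed directory plus an allow-list on the bare file
// name, and (2) realpath() canonicalisation with a containment check that
// also admits sub-directories of the allowed root.

// (1) Fixed directory + allow-list. Only a plain "name.ext" is accepted, so
//     neither "/" nor ".." can reach the filesystem call.
function safeByAllowList(string $dir, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $name)) {
        return null;                            // anything else is rejected
    }
    return $dir . '/' . $name;
}

// (2) Canonicalise, then test containment. realpath() collapses "." and ".."
//     and follows symlinks, so ".../teaching/../../../../etc/passwd" becomes
//     "/etc/passwd" and no longer starts with the root. Two details matter:
//     - compare against the root WITH a trailing separator, or a sibling such
//       as ".../teaching2/x" passes a bare prefix test;
//     - realpath() returns false for a path that does not exist; reject that.
function safeByRealpath(string $allowedRoot, string $file): ?string
{
    $root = realpath($allowedRoot);
    $real = realpath($file);                    // input taken as-is, like the thread's code
    if ($root === false || $real === false) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox under the temp dir so the script runs stand-alone.
$base = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
foreach (["$base/teaching/sub", "$base/teaching2"] as $d) {
    mkdir($d, 0700, true);
}
$files = [
    "$base/teaching/notes.php"    => "<?php echo 'notes';\n",
    "$base/teaching/sub/deep.php" => "<?php echo 'deep';\n",
    "$base/teaching2/other.php"   => "<?php echo 'other';\n",
    "$base/secret.txt"            => "not for the web\n",
];
foreach ($files as $path => $body) {
    file_put_contents($path, $body);
}

$root = "$base/teaching";
echo "realpath() containment check (root = .../teaching):\n";
$inputs = [
    "$root/notes.php",                  // inside the root: allowed
    "$root/sub/deep.php",               // sub-directory: allowed
    "$root/../../../../etc/passwd",     // the thread's traversal string: rejected
    "$root/../secret.txt",              // one level up: rejected
    "{$root}2/other.php",               // sibling "teaching2": rejected
    "$root/missing.php",                // nonexistent, realpath() gives false: rejected
];
foreach ($inputs as $in) {
    $out = safeByRealpath($root, $in);
    printf("  %-40s -> %s\n", substr($in, strlen($base)),
        $out === null ? 'REJECT' : 'allow ' . substr($out, strlen($base)));
}

echo "allow-list check (directory fixed to .../teaching):\n";
foreach (['notes.php', '../secret.txt', 'sub/deep.php', 'notes.php.bak'] as $name) {
    $out = safeByAllowList($root, $name);
    printf("  %-40s -> %s\n", $name,
        $out === null ? 'REJECT' : 'allow ' . substr($out, strlen($base)));
}

// Remove the constructed sandbox.
foreach (array_keys($files) as $path) {
    unlink($path);
}
foreach (["$base/teaching/sub", "$base/teaching", "$base/teaching2", $base] as $d) {
    rmdir($d);
}
```

Run it with the php CLI. The teaching2 case is the one a bare ereg("^$allowed_path") test would wrongly accept, and the missing-file case is why a false from realpath() has to be treated as a rejection. The allow-list variant is stricter (it refuses sub/deep.php outright), which is the trade-off the 4 July reply describes: it needs no canonicalisation at all, but it cannot serve anything below the fixed directory.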
[PHP] Security of PHP code
Is it possible for others to view the PHP code for pages I have written? I thought I heard someone say before that they could write a simple script to accomplish this. If anyone knows of any tactics people might use to attack my code please post them here.

: David A. Dickson
: [EMAIL PROTECTED]

Get 250 color business cards for FREE!
http://businesscards.lycos.com/vp/fastpath/
RE: [PHP] Security of PHP code
I think that you can't attack PHP code because it's a server-side scripting language... just with *echo* (and others) you send some code to the browser... I guess it's secure ;)

Tim Taubert

-----------------------------------------------------------
Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-----------------------------------------------------------

-----Original Message-----
From: David A Dickson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 3:43 PM
To: php-general
Subject: [PHP] Security of PHP code

> Is it possible for others to view the PHP code for pages I have written? I thought I heard someone say before that they could write a simple script to accomplish this. If anyone knows of any tactics people might use to attack my code please post them here.
RE: [PHP] Security of PHP code
Here is something that happened to me: I forgot to tell Apache that .inc files must be parsed by PHP. All works fine if you include a .inc file, but if somebody guesses the .inc file name, he can see the content of that file!

-----Original Message-----
From: David A Dickson [mailto:[EMAIL PROTECTED]]
Sent: 4 July 2001 16:43
To: php-general
Subject: [PHP] Security of PHP code

> Is it possible for others to view the PHP code for pages I have written? I thought I heard someone say before that they could write a simple script to accomplish this. If anyone knows of any tactics people might use to attack my code please post them here.
RE: [PHP] Security of PHP code
Yes, I had this problem too... it's easier to rename your .inc files to .inc.php3... so nobody can see your code, but the output may be null or some crazy code... but it's not your PHP code...

Tim Taubert

-----------------------------------------------------------
Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-----------------------------------------------------------

-----Original Message-----
From: Adrian Ciutureanu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 3:46 PM
To: [EMAIL PROTECTED]
Cc: php-general
Subject: RE: [PHP] Security of PHP code

> Here is something that happened to me: I forgot to tell Apache that .inc files must be parsed by PHP. All works fine if you include a .inc file, but if somebody guesses the .inc file name, he can see the content of that file!
RE: [PHP] Security of PHP code
The right way to fix this is to add a rule to your Apache configuration that looks like this:

    <Files ~ "\.inc$">
        Order allow,deny
        Deny from all
    </Files>

That will simply prevent any direct access at all to your .inc files. Making the .inc files simply be parsed by PHP could still be a problem as they could be called out of context.

-Rasmus

On Wed, 4 Jul 2001, Adrian Ciutureanu wrote:

> Here is something that happened to me: I forgot to tell Apache that .inc files must be parsed by PHP. All works fine if you include a .inc file, but if somebody guesses the .inc file name, he can see the content of that file!
RE: [PHP] Security of PHP code
SECURE, SECURE.

It is not how secure PHP is, it is how well YOU protect it. For example = make this line show_source($file); then go to your page like file.php?file=/etc/passwd and you're freaked!

There is a whole bunch of ways to hack your pages if not protected well enough, but PHP itself has no vital security problems.

Try to search the archives for this topic and see what people think/suggest. You will find there thousands of tips on what to do to have a bullet-proof website. (always if the server is yours).

Sincerely,

Maxim Maletsky
Founder, Chief Developer

PHPBeginner.com (Where PHP Begins)
[EMAIL PROTECTED]
www.phpbeginner.com

-----Original Message-----
From: David A Dickson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 10:43 PM
To: php-general
Subject: [PHP] Security of PHP code

> Is it possible for others to view the PHP code for pages I have written? I thought I heard someone say before that they could write a simple script to accomplish this. If anyone knows of any tactics people might use to attack my code please post them here.
Re: [PHP] Security of PHP code
http://sourceforge.net/source.php?page_url=/source.php

look at that...

----- Original Message -----
From: PHPBeginner.com <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]; php-general <[EMAIL PROTECTED]>
Sent: Thursday, July 05, 2001 12:08 AM
Subject: RE: [PHP] Security of PHP code

> SECURE, SECURE.
>
> It is not how secure PHP is, it is how well YOU protect it. For example = make this line show_source($file); then go to your page like file.php?file=/etc/passwd and you're freaked!
RE: [PHP] Security of PHP code
you're totally right.. look at this

http://www.ssw.uni-linz.ac.at/Teaching/Lectures/Sem/2000/Alexander/source.php3?url=/etc/passwd

*no comment* and not my site...

Tim Taubert

-----------------------------------------------------------
Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-----------------------------------------------------------

.o] -----Original Message-----
.o] From: PHPBeginner.com [mailto:[EMAIL PROTECTED]]
.o] Sent: Wednesday, July 04, 2001 4:09 PM
.o] To: [EMAIL PROTECTED]; php-general
.o] Subject: RE: [PHP] Security of PHP code
.o]
.o] SECURE, SECURE.
.o]
.o] It is not how secure PHP is, it is how well YOU protect it.
.o] For example = make this line show_source($file); then go to your page like
.o] file.php?file=/etc/passwd and you're freaked!
RE: [PHP] Security of PHP code
mh =) contacted the admin to fix this problem ;)

Tim Taubert

-----------------------------------------------------------
Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-----------------------------------------------------------

.o] -----Original Message-----
.o] From: Tim Taubert [mailto:[EMAIL PROTECTED]]
.o] Sent: Wednesday, July 04, 2001 4:58 PM
.o] To: PHP Mailingliste
.o] Subject: RE: [PHP] Security of PHP code
.o]
.o] you're totally right.. look at this
.o]
.o] http://www.ssw.uni-linz.ac.at/Teaching/Lectures/Sem/2000/Alexander/source.php3?url=/etc/passwd
.o]
.o] *no comment* and not my site...
RE: [PHP] Security of PHP code
Yup, I believe you - that's not your site.

That is what I meant: It is no PHP, it is how you use PHP.

DISCLAIMER:
No one's fault (except the programmer) that there was THAT BIG security hole
on the site.

-maxim maletsky
RE: [PHP] Security of PHP code
oh thanks for the disclaimer ;) forgot it..

richard: didn't think about it.. but should have done it.. first and last
time i did it *promised*
:)

Tim Taubert
-
Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-
RE: [PHP] Security of PHP code
Just for the respect of the community, Tim, you shouldn't have posted that.
Poor them, they are under the risks, of course the things will be probably
fixed, but if someone cares he might be already in the machine just for the
sake of it.

-maxim maletsky
RE: [PHP] Security of PHP code
mh i know it was the wrong decision. didn't think about it. already said that.
feeling guilty now
*argh*

Tim Taubert
-
Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-
RE: [PHP] Security of PHP code
found 2 other servers having the same problem... mailed to the webmasters and
admins instead of posting it.. now i feel a little bit better :)

Tim Taubert
-
Tim Taubert | [EMAIL PROTECTED] | http://www.shogunat.com/rg/
-
Re: [PHP] Security of PHP code
would be really silly if http://www.php.net/source.php?url=/index.php
RE: [PHP] Security of PHP code
OK, I'm pretty new to PHP, and have been reading this thread, and am just a
little freaked.

If I understand this right, the only reason we can view the source code of
those pages is that the web server on which the page resides essentially has a
PHP page somewhere on their site that has some variation of:

    <?php show_source($file); ?>

as its content, right?

While I can see the utility of that for some situations (teaching...examples,
etc.), it seems like a huge potential for security breaches. Is it possible to
have such a function on your site w/o giving access to ALL of your documents...

Chip
Re: [PHP] Security of PHP code
maybe one could be

    <?php
    $allowed_path = "/www/sites/mysite/teaching";

    // reject anything whose prefix is not the allowed directory
    if (substr($file, 0, strlen($allowed_path)) != $allowed_path) {
        die("not allowed!");
    } else {
        show_source($file);
    }
    ?>
RE: [PHP] Security of PHP code
Yes, I would have thought this would do it:

    if (strstr($file, "/usr/local/apache/htdocs/")) {
        show_source($file);
    } else {
        echo "File must be in /usr/local/apache/htdocs!";
    }

Modify as appropriate. Have I missed anything, or will this do the trick?

Cheers
Jon
RE: [PHP] Security of PHP code
Adrian Ciutureanu pressed the little lettered thingies in this order...

> Here is something that happened to me: I forgot to tell Apache that .inc
> files must be parsed by PHP. All works fine if you include a .inc file, but
> if somebody guesses the .inc file name, he can see the content of that file!

If this is a concern, either name your include files with a valid PHP
extension (i.e. .php) or add the following line to an .htaccess file:

    AddType application/x-httpd-php .inc

This will make the web server treat your .inc files as though they were PHP
files and the source would be parsed rather than shown when accessed through a
web browser.

> -----Original Message-----
> From: David A Dickson [mailto:[EMAIL PROTECTED]]
> Sent: 4 July 2001 16:43
> To: php-general
> Subject: [PHP] Security of PHP code
>
> Is it possible for others to view the php code for pages I have written? I
> thought I heard someone say before that they could write a simple script to
> accomplish this. If anyone knows of any tactics people might use to attack
> my code please post them here.
>
> : David A. Dickson
> : [EMAIL PROTECTED]

Anyone who has access to the server on which your server is hosted can view
the source of your site by using the show_source() or highlight_file()
functions unless your hosting provider disables those commands. It doesn't
really take a simple script, just a simple function:

    <?php
    show_source("/path/to/your/file.php");
    ?>

To make matters worse, most hosting providers fail to chroot jail logins (a
chroot jailed login cannot traverse the directory structure UP from its own
home directory). This common, but poor policy allows anyone with access to the
same server as yours to view your files through the shell or even download
them by FTP. They may not overwrite your files, but they CAN view them.

There are two solutions if this is an important issue to you:

1) Get a dedicated server. This is kind of spendy, but accomplishes the goal.
2) Only do business with providers that will (even if you have to request it)
disable these commands AND chroot jail all logins.

Have fun...

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic web site needs

For a good time,
http://www.AppIdeas.com/
Re: [PHP] Security of PHP code
I use something that accomplishes the same (displays the source of a file),
but doesn't accept the file name as a parameter. The script is also in a
directory with a password and is restricted by ip. Not perfect, but a lot
better.
Re: [PHP] Security of PHP code
>     <?php
>     $allowed_path = '/www/sites/mysite/teaching';
>     // Prefix check only: a path that starts with the allowed directory passes.
>     if (substr($file, 0, strlen($allowed_path)) != $allowed_path) {
>         die('not allowed!');
>     } else {
>         show_source($file);
>     }
>     ?>

I've missed part of the discussion, but if my understanding of the issue is correct (accepting a filename and path from a visitor to the site to display through a PHP script), then this solution is probably inadequate... If the user passes in a string like /www/sites/mysite/teaching/../../../../etc/passwd, the first part of the string will pass your validity test, but the user may still be able to ascend to a place where files you don't wish to share are stored.

A better solution may be to pass the filename through some filter and then concatenate that to your path. For example:

    // Reject anything that is not a letter or digit, then prepend the fixed path.
    if (preg_match('/[^A-Za-z0-9]/', $file)) {
        die('Invalid filename.');
    } else {
        show_source($path . $file);
    }

That's an awfully strict way to do it, but that's my personal preference. If you must accept information that contains a path, perhaps just check for '..' in the user input.

Anyways, like I say I could be way off base as far as what the discussion is actually about, and I haven't had near enough coffee this morning, so forgive me if I'm just talking nonsense =)
Re: [PHP] Security of PHP code
Jon Haworth [EMAIL PROTECTED] wrote:

> Yes, I would have thought this would do it:
>
>     // strstr() only asks whether the directory name appears somewhere in $file.
>     if (strstr($file, '/usr/local/apache/htdocs/')) {
>         show_source($file);
>     } else {
>         echo 'File must be in /usr/local/apache/htdocs!';
>     }
>
> Modify as appropriate. Have I missed anything, or will this do the trick?

Something along those lines will work. Without some kind of limitations built in, the page will be able to load any file that's world-readable, so it's a good idea to limit access to certain directories or hardcode the directory you want to give access to.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
Re: [PHP] Security of PHP code
On Wed, 4 Jul 2001, Steve Werby wrote:

> Jon Haworth [EMAIL PROTECTED] wrote:
>
> > Yes, I would have thought this would do it:
> >
> >     if (strstr($file, '/usr/local/apache/htdocs/')) {
> >         show_source($file);
> >
> > [..]
>
> Something along those lines will work. Without some kind of limitations built in, the page will be able to load any file that's world-readable, so it's a good idea to limit access to certain directories or hardcode the directory you want to give access to.

Imagine someone passing in /usr/local/apache/htdocs/../../../../etc/passwd as path..

- Sascha
Experience IRCG
http://schumann.cx/
http://schumann.cx/ircg
Re: [PHP] Security of PHP code
Yes, I supposed there could be that eventuality... I supposed or hoped that wasn't a valid path.

> /usr/local/apache/htdocs/../../../../etc/passwd as path..

I'm not very practised with paths... actually

> On Wed, 4 Jul 2001, Steve Werby wrote:
>
> > Jon Haworth [EMAIL PROTECTED] wrote:
> >
> > > Yes, I would have thought this would do it:
> > >
> > >     if (strstr($file, '/usr/local/apache/htdocs/')) {
> > >         show_source($file);
> > >
> > > [..]
> >
> > Something along those lines will work. Without some kind of limitations built in, the page will be able to load any file that's world-readable, so it's a good idea to limit access to certain directories or hardcode the directory you want to give access to.
>
> Imagine someone passing in /usr/local/apache/htdocs/../../../../etc/passwd as path..
>
> - Sascha
> Experience IRCG
> http://schumann.cx/
> http://schumann.cx/ircg
Re: [PHP] Security of PHP code
Surely the lesson here is to NEVER NEVER NEVER write PHP code which accepts a filename of any kind as one of its arguments. Yes, it will make some of your code a bit less versatile and more long-winded, but you can bet your bottom dollar that someone can find a crafty way around whatever syntax checking you do.

Cheers
--
Phil Driscoll
Re: [PHP] Security of PHP code
Delbono pressed the little lettered thingies in this order...

> maybe one could be
>
>     <?php
>     $allowed_path = '/www/sites/mysite/teaching';
>     if (substr($file, 0, strlen($allowed_path)) != $allowed_path) {
>         die('not allowed!');
>     } else {
>         show_source($file);
>     }
>     ?>

The only foolproof method for restricting access is to strip forward slashes. In the above example, I can change the file to:

    /www/sites/mysite/teaching/../../../../etc/passwd

And it will be allowed.

If you were to do this, however:

    $allowed_path = '/www/sites/mysite/teaching';
    // Remove every slash so the value can only name a file directly inside $allowed_path.
    $file = str_replace('/', '', $file);
    show_source($allowed_path . '/' . $file);

That would block any attempt to trick the server into going into another directory. You would have to create separate show_source() calls or separate scripts for each directory that you wish to allow, but nobody will ever get your /etc/passwd file.

Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic web site needs

For a good time,
http://www.AppIdeas.com/
Re: [PHP] Security of PHP code
On Wednesday 04 July 2001 16:12, ReDucTor wrote:

> http://sourceforge.net/source.php?page_url=/source.php
>
> look at that...

No problem. Have a look at what is done before the show_source() call. That script *is* safe :)

> It is not how secure PHP is, it is how well YOU protect it. For example, make this line
>
>     show_source($file);
>
> then go to your page like file.php?file=/etc/passwd and you're freaked!

--
Christian Reiniger
LGDC Webmaster (http://lgdc.sunsite.dk/)

Pretty cool, the kind of power information technology puts in our hands these days.

- Securityfocus on probing 3600 hosts for known problems in 3 weeks
RE: [PHP] Security of PHP code
Possibilities for improving security on a source displayer.

1) Maybe you could restrict your source shower to only look at particular types of files - maybe the file has to end in .php or .inc before it is even considered.

2) Given that something that displays the source needs to read the file, maybe it could just look for some kind of marker that would have to appear within the first N lines of a file, otherwise it would be rejected. For example, every file that could be displayed might need to look like this:

    <?php
    //DISPLAYABLE
    ...

At 16:54 4/07/2001 +0100, Jon Haworth wrote:

> Yes, I would have thought this would do it:
>
>     if (strstr($file, '/usr/local/apache/htdocs/')) {
>         show_source($file);
>     } else {
>         echo 'File must be in /usr/local/apache/htdocs!';
>     }

-
Brian White
Step Two Designs Pty Ltd - SGML, XML & HTML Consultancy
Phone: +612-93197901
Web: http://www.steptwo.com.au/
Email: [EMAIL PROTECTED]
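The thread so far raises three separate defences: a directory prefix check that `..` walks straight past (the `substr`/`strstr` snippets), stripping slashes so the value can only name a file in one fixed directory (Christopher Ostmo's reply), and Brian White's extension and in-file marker ideas above. The following is an added example, not code posted by anyone in this thread, that combines them in modern PHP. It canonicalises the requested path with realpath(), which collapses `..` and resolves symlinks, and then compares it against the canonical allowed directory including the trailing separator, so subdirectories are still allowed but neither `..` nor a sibling directory that merely shares the prefix gets through. `ALLOWED_ROOT`, `ALLOWED_EXTENSIONS`, `MARKER`, `MARKER_LINES` and the function names are assumptions made for this example; the directory is the one used in the thread.

```php
<?php
// Added example for this thread, not code from any poster. The constants and
// function names below are assumptions chosen for the demonstration.
declare(strict_types=1);

const ALLOWED_ROOT       = '/www/sites/mysite/teaching'; // directory used in the thread
const ALLOWED_EXTENSIONS = ['php', 'inc'];               // idea 1: only these file types
const MARKER             = '//DISPLAYABLE';              // idea 2: opt-in marker in the file
const MARKER_LINES       = 5;                            // how many leading lines to scan

/**
 * Resolve a user-supplied path to a file inside $root, or return null.
 *
 * The user value is always joined onto $root, so an absolute path such as
 * /etc/passwd becomes $root//etc/passwd. realpath() then collapses ".." and
 * follows symlinks, and the result must start with the canonical root *plus*
 * a separator, so "/www/sites/mysite/teaching-private/x.php" cannot pass.
 */
function resolveViewablePath(string $userInput, string $root = ALLOWED_ROOT): ?string
{
    // Null bytes make PHP 8 filesystem functions throw; reject them up front.
    if ($userInput === '' || strpos($userInput, "\0") !== false) {
        return null;
    }

    $ext = strtolower(pathinfo($userInput, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    $realRoot = realpath($root);
    $realFile = realpath($root . DIRECTORY_SEPARATOR . $userInput);
    if ($realRoot === false || $realFile === false || !is_file($realFile)) {
        return null; // missing directory, missing file, or a directory was named
    }

    // Canonical prefix check; the appended separator blocks prefix siblings.
    $prefix = $realRoot . DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $realFile;
}

/**
 * Opt-in check: the file itself must carry MARKER within its first MARKER_LINES
 * lines. A file that was never meant to be shown is rejected even if it sits in
 * the allowed directory.
 */
function hasDisplayMarker(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }

    $found = false;
    for ($i = 0; $i < MARKER_LINES && ($line = fgets($fh)) !== false; $i++) {
        if (strpos($line, MARKER) !== false) {
            $found = true;
            break;
        }
    }
    fclose($fh);

    return $found;
}

// --- usage: the same shape as the thread's show_source($file) scripts -------
$requested = $_GET['file'] ?? '';
$path = resolveViewablePath($requested);
if ($path === null || !hasDisplayMarker($path)) {
    // Same response whether the file is missing, outside the root, or unmarked,
    // so the error does not reveal which check failed.
    http_response_code(404);
    exit('Not found.');
}
highlight_file($path);
```

With this in place, `file=intro.php` or `file=week2/loops.php` is served when the file carries the marker, while `file=../../../../etc/passwd`, `file=/etc/passwd` and `file=../teaching-private/secret.php` all resolve outside the canonical root (or fail the extension check first) and get the same 404. Stripping slashes, as suggested earlier in the thread, remains a valid simpler choice when a single flat directory is enough; the realpath() comparison is what lets deeper directories be served without reintroducing the `..` problem.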
Re: [PHP] Security of PHP code
Sascha Schumann [EMAIL PROTECTED] wrote:

> On Wed, 4 Jul 2001, Steve Werby wrote:
>
> > Jon Haworth [EMAIL PROTECTED] wrote:
> >
> > > Yes, I would have thought this would do it:
> > >
> > >     if (strstr($file, '/usr/local/apache/htdocs/')) {
> > >         show_source($file);
> > >
> > > [..]
> >
> > Something along those lines will work. Without some kind of limitations built in, the page will be able to load any file that's world-readable, so it's a good idea to limit access to certain directories or hardcode the directory you want to give access to.
>
> Imagine someone passing in /usr/local/apache/htdocs/../../../../etc/passwd as path..

Excellent point. In addition to hardcoding the path I would do something to ensure that the file requested does not attempt to bypass that directory. I'd probably use a regex to make sure it doesn't include a / or, if I want to serve files from a deeper directory, I'd do a regex or use something like strstr() to see if .. is within the filename. Personally, I wouldn't make a script that output a file on the server or a script's code *and* allowed the user to dictate what file was accessed.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
Re: [PHP] Security of PHP code
Hello all,

I just recently looked at this thread, so I don't know what's been discussed before today. I thought I'd point everyone at:

http://lwn.net/2001/0704/a/study-in-scarlet.php3

however. Just came out yesterday. Very relevant.

tiger
--
Gerald Timothy Quimpo [EMAIL PROTECTED]
Entia non sunt multiplicanda praetere necessitatem
Mene sakhet ur-seveh
Re: [PHP] Security of PHP code
Hankley, Chip [EMAIL PROTECTED] writes:

> Is it possible to have such a function on your site w/o giving access to ALL of your documents...

On top of everything the other users recommended, you can enable safe mode. It will protect you from sloppy programming.

--
Arcady Genkin
i=1; while 1, hilb(i); i=i+1; end