Subject: Re: [PHP] Security of PHP code
<?php
$allowed_path = '/www/sites/mysite/teaching';
// Plain string-prefix test: '..' components in $file are not resolved, so a path that
// starts with $allowed_path but climbs back out of it still passes this check
if (substr($file, 0, strlen($allowed_path)) != $allowed_path)
{
    die('not allowed!');
}
else
{
    show_source($file);
}
?>
The only foolproof method for restricting access is to strip
forward slashes. In the above example, I can change the file to:
/www/sites/mysite/teaching/../../../../etc/passwd
And it will be allowed.
If you were to do this, however:
Adrian Ciutureanu pressed the little lettered thingies in this order...
$allowed_path = '/www/sites/mysite/teaching';
$file = realpath($file);   // resolves '.', '..', repeated slashes and symlinks to one canonical absolute path
if(ereg("^$allowed_path", $file)) {   // ereg() was removed in PHP 7; use strncmp() or preg_match() there
    // it's OK
} else {
    // possible attack!
}
This is not good code.
A user could replace the $file in the URL
This is good code. Read http://php.net/realpath
-Original Message-
From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
Sent: 5 July 2001 19:57
To: Adrian Ciutureanu
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP] Security of PHP code
-Original Message-
From: David A Dickson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 04, 2001 3:43 PM
To: php-general
Subject: [PHP] Security of PHP code
Is it possible for others to view the php code for pages I have written? I thought I
heard someone say before that they could write a simple script to accomplish this. If
anyone knows of any tactics people might use to attack my code please post them here.
David A. Dickson
Here is something that happened to me: I forgot to tell Apache that .inc
files must be parsed by PHP. All works fine if you include a .inc file,
but if somebody guesses the .inc file name, he can see the content of that
file!
http://sourceforge.net/source.php?page_url=/source.php look at that...
- Original Message -
From: PHPBeginner.com [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; php-general [EMAIL PROTECTED]
Sent: Thursday, July 05, 2001 12:08 AM
Subject: RE: [PHP] Security of PHP code
Sent: Wednesday, July 04, 2001 11:58 PM
To: PHP Mailingliste
Subject: RE: [PHP] Security of PHP code
you're totally right.. look at this
http://www.ssw.uni-linz.ac.at/Teaching/Lectures/Sem/2000/Alexander/source.php3?url=/etc/passwd
*no comment* and not my site...
Tim Taubert
From: Tim Taubert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 12:09 AM
To: PHP Mailingliste
Subject: RE: [PHP] Security of PHP code
oh thanks for the disclaimer ;) forgot it..
richard: didn't think about it.. but should have done it.. first and last
time i did it *promised*
:)
Tim Taubert
.o] Just for the respect of the community, Tim
.o] mh i know it was the wrong
would be really silly if
http://www.php.net/source.php?url=/index.php
- Original Message -
From: Tim Taubert [EMAIL PROTECTED]
To: PHP Mailingliste [EMAIL PROTECTED]
Sent: Wednesday, July 04, 2001 5:27 PM
Subject: RE: [PHP] Security of PHP code
found 2 other servers having
-Original Message-
From: Hankley, Chip [mailto:[EMAIL PROTECTED]]
Sent: 04 July 2001 16:46
To: PHP Mailingliste
Subject: RE: [PHP] Security of PHP code
OK,
I'm pretty new to PHP, and have been reading this thread, and am just a
little freaked.
If I understand this right, the only reason we can view the source code
of those pages is that the web server on which the page resides essentially
has a PHP page somewhere on their site that has
I've missed part of the discussion, but if my understanding of the issue
is correct (accepting a filename and path from
Jon Haworth [EMAIL PROTECTED] wrote:
Yes, I would have thought this would do it:
if (strstr($file, '/usr/local/apache/htdocs/')) {
    show_source($file);
} else {
    echo 'File must be in /usr/local/apache/htdocs!';
}
Modify as appropriate.
Have I missed anything, or will this do the trick?
On Wed, 4 Jul 2001, Steve Werby wrote:
Jon Haworth [EMAIL PROTECTED] wrote:
Yes, I would have thought this would do it:
if (strstr($file, '/usr/local/apache/htdocs/')) {
show_source($file);
[..]
Something along those lines will work. Without some kind of limitations
built in, the page
Yes, I supposed there could be that eventuality...
I supposed or hoped that wasn't a valid path.
/usr/local/apache/htdocs/../../../../etc/passwd as path..
I'm not very practised with paths... actually
Surely the lesson here is to NEVER NEVER NEVER write PHP code which accepts a
filename of any kind as one of its arguments. Yes, it will make some of your
code a bit less versatile and more long winded, but you can bet your bottom
dollar that someone can find a crafty way around whatever
Delbono pressed the little lettered thingies in this order...
maybe one could be
<?php
$allowed_path = '/www/sites/mysite/teaching';
// Plain string-prefix test: '..' components in $file are not resolved, so a path that
// starts with $allowed_path but climbs back out of it still passes this check
if (substr($file, 0, strlen($allowed_path)) != $allowed_path)
{
    die('not allowed!');
}
else
{
    show_source($file);
}
?>
On Wednesday 04 July 2001 16:12, ReDucTor wrote:
http://sourceforge.net/source.php?page_url=/source.php look at that...
No problem. Have a look at what is done before the show_source() call.
That script *is* safe :)
It is not how secure PHP is, it is how well YOU protect it.
For example
Possibilities for improving security on a source displayer.
1) Maybe you could restrict your source shower to only look at
particular types of files - maybe the file has to end in .php
or .inc before it is even considered.
2) Given that something that displays the source needs to read
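Putting the thread's two points together, the realpath() canonicalisation discussed earlier and the file-type restriction in suggestion 1) above, here is an added example; it is not code posted by anyone in the thread, and the function name safe_source_path(), the variable $allowed_dir and the 'file' query parameter are assumed names.

```php
<?php
// Added example (not from the thread): hardened path check for a source viewer.
// safe_source_path(), $allowed_dir and the 'file' parameter are assumed names.

function safe_source_path(string $file, string $allowed_dir): ?string
{
    // Canonicalise both sides: realpath() resolves '.', '..', repeated
    // slashes and symlinks, so '/teaching/../../../../etc/passwd' becomes
    // '/etc/passwd' before any comparison is made.
    $base = realpath($allowed_dir);
    $real = realpath($file);

    // realpath() returns false for a path that does not exist; deny that
    // instead of letting a false value fall through a string comparison.
    if ($base === false || $real === false) {
        return null;
    }

    // Compare against the prefix *with* a trailing separator; otherwise a
    // sibling such as '/www/sites/mysite/teaching_private' would satisfy a
    // bare '/www/sites/mysite/teaching' prefix test.
    $base .= DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null; // outside the allowed tree
    }

    // Suggestion 1) from the thread: only consider .php and .inc files.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!is_file($real) || !in_array($ext, ['php', 'inc'], true)) {
        return null;
    }

    return $real;
}

// Usage: the canonical path, never the raw request value, goes to show_source().
$allowed_dir = '/www/sites/mysite/teaching';   // directory used in the thread
$path = safe_source_path((string) ($_GET['file'] ?? ''), $allowed_dir);

if ($path === null) {
    http_response_code(403);
    die('not allowed!');
}
show_source($path);
```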
hello all,
i just recently looked at this thread, so i don't know
what's been discussed before today. i thought i'd
point everyone at:
http://lwn.net/2001/0704/a/study-in-scarlet.php3
however. just came out yesterday. very relevant.
tiger
--
Gerald Timothy Quimpo
Hankley, Chip [EMAIL PROTECTED] writes:
Is it possible to have such a function on your site w/o giving access to ALL
of your documents...
On top of everything the other users recommended, you can enable safe
mode. It will protect you from sloppy programming.
--
Arcady Genkin