RE: [PHP] session security issue
Sean,

That is a very interesting suggestion. How would you call that using PHP?

Thanks,
David Price

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sean C. McCarthy
Sent: Tuesday, August 14, 2001 6:12 AM
To: Christian Dechery
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP] session security issue

Hi,

For security use SSL and get the SSL session ID instead. This cannot be fooled since it is based on a PK handshake and symmetric encryption.

Sean C. McCarthy
SCI, S.L. (www.sci-spain.com)

Christian Dechery wrote:

I have pages that use sessions for security that look something like this:

    <?php
    session_start();
    if ( !isset($uid) ) {
        include("include/auth.inc.php");
        auth_user();
    }
    // more code...
    ?>

so $uid tells me if the user is logged on or not... but what if somebody calls the script directly from the address bar like this:

http://server/script.php?uid=10

wouldn't this be a security problem?

. Christian Dechery (lemming)
. http://www.tanamesa.com.br
. Gaita-L Owner / Web Developer

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
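The problem Christian describes is register_globals: a request parameter becomes a global variable before his isset($uid) check runs. The following is an added example, not code from the thread; it reproduces that behaviour with extract() beside a version that trusts only server-side session state, and assumes PHP 4.1 or later (for $_SESSION) and that include/auth.inc.php defines auth_user(), which stores $_SESSION['uid'] on a successful login.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 4.1 (for $_SESSION)
// and that include/auth.inc.php defines auth_user(), which on a successful
// login does $_SESSION['uid'] = $id; and otherwise returns without setting it.

// What Christian's isset($uid) relies on: with register_globals=On, PHP turns
// ?uid=10 into a global $uid before the script runs, so the check passes for
// an unauthenticated request. extract() reproduces that behaviour here, so
// vulnerable_check(array('uid' => '10')) is true with no login at all.
function vulnerable_check($request)
{
    extract($request);         // same effect as register_globals
    return isset($uid);        // true for script.php?uid=10
}

// Hardened: the only code that ever writes $_SESSION['uid'] is auth_user()
// on the server, so a query string or cookie cannot forge it. From PHP 4.2 on
// register_globals is off by default and the bare $uid check fails closed.
function logged_in_uid()
{
    if (!isset($_SESSION['uid']) || (int) $_SESSION['uid'] <= 0) {
        return 0;
    }
    return (int) $_SESSION['uid'];
}

session_start();
if (logged_in_uid() === 0) {
    include 'include/auth.inc.php';
    auth_user();
    if (logged_in_uid() === 0) {
        exit('Not authorised');
    }
}
// more code... (the protected page)
```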
RE: [PHP] new one is it ??
Well, you could send the junk data to micro$oft instead.

-----Original Message-----
From: Scott Brown [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 7:52 AM
To: 'scott [gts]'; [EMAIL PROTECTED]
Subject: RE: [PHP] new one is it ??

Unfortunately, you're punishing the infected person, rather than the instigator of the worm.

I've read of people developing perl scriptlets that basically hold the connection open as long as possible by fooling the other side into thinking that it's got a host it's infecting... thereby slowing down the propagation of the worm. The numbers I saw indicated that with version 1 of the worm, and its 100 threads, holding a connection as long as possible before timing out (which is what, 5 minutes?) slows the propagation of the worm 265,000%.

But (personally) I don't think it's appropriate to lash back against an infected machine (though a quick "why don't you patch your @#(*)( machines" to the network owner has been known to occur on occasion when I get hit by many many servers within a given netblock).

-----Original Message-----
From: scott [gts] [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 13, 2001 10:38 AM
To: php
Subject: RE: [PHP] new one is it ??

what about something like this? (just configure apache to have PHP handle *.ida files)

    <?
    // this is so our script won't time out
    set_time_limit(0);

    // how many bytes of junk to generate
    $jsize = 1024 * 10;

    // how many times to print $junk
    $jout = 1;

    // generate some random junk
    $junk = '';
    $n = 0;
    while ($n++ < $jsize) {
        $junk .= chr( rand(1,200) );
    }

    $i = 0;
    while ( $i++ < $jout ) {
        print $junk;
    }
    ?>

-----Original Message-----
From: Tim [mailto:[EMAIL PROTECTED]]
Subject: Re: [PHP] new one is it ??

Boy that looks familiar... my (apache) logs are full of 'em. I wonder if we can make a PHP script called default.ida that sends back a big chunk of data and causes the worm to get a buffer overflow? :) :)

- Tim (glad I don't run IIS :)

On 13 Aug 2001 22:27:06 +0800, Mark Lo wrote:

208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 400 333 - -
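Rather than answering the probe, the useful thing to do with those log entries is to count them, so you know which hosts are scanning you and can notify their network owners as Scott describes. The script below is an added example, not code from the thread: it runs a detector for the /default.ida request over a few constructed Apache log lines (documentation IP ranges, not real data) and tallies hits per source address. The request is harmless to Apache, which has no .ida handler; the worm targets an IIS component.

```php
<?php
// Added example, not from the thread. Detects the default.ida probe shown in
// Mark Lo's log line above and counts it per client address. The $sample lines
// are constructed, with documentation-range IPs, not real log data.

function is_code_red_probe($line)
{
    // The probe is a GET for /default.ida padded with a long run of N (first
    // variants) or X (the later variant) followed by %u-encoded payload bytes.
    return (bool) preg_match('#GET /default\.ida\?[NX]{50,}%u#', $line);
}

function count_probes_by_host($lines)
{
    $hits = array();
    foreach ($lines as $line) {
        if (!is_code_red_probe($line)) {
            continue;
        }
        // Common/combined log format: the client address is the first field.
        $host = strtok($line, ' ');
        $hits[$host] = isset($hits[$host]) ? $hits[$host] + 1 : 1;
    }
    arsort($hits);      // most active scanner first
    return $hits;
}

$payload = '%u9090%u6858%ucbd3%u7801';   // prefix taken from Mark's line
$sample = array(
    '192.0.2.10 - - [13/Aug/2001:22:24:27 +0800] "GET /default.ida?'
        . str_repeat('N', 224) . $payload . ' HTTP/1.0" 400 333 "-" "-"',
    '198.51.100.7 - - [13/Aug/2001:22:25:02 +0800] "GET /index.php HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [13/Aug/2001:22:31:44 +0800] "GET /default.ida?'
        . str_repeat('X', 224) . $payload . ' HTTP/1.0" 404 0 "-" "-"',
);

foreach (count_probes_by_host($sample) as $host => $n) {
    printf("%-16s %d probe(s)\n", $host, $n);
}
```

To run it against a real file, replace $sample with file('/path/to/access_log'); the same regex also works as a grep pattern for a quick count.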
RE: [PHP] array + checkbox
Hey, what is the deal with those read receipts? Do you really want one from every person that reads your messages?

-----Original Message-----
From: Tijmen Hennink [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 06, 2001 2:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] array + checkbox

Some extra debug info. When I'm submitting a page where the checkbox is not set in the beginning and in the same page a checkbox that is initially set to checked, I can see that the first is not set and the second is set. But this is the strange part: if I change the 2 checkboxes I still get the same output.

----- Original Message -----
From: Tijmen Hennink [EMAIL PROTECTED]
To: Jason Murray [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 06, 2001 10:40 AM
Subject: Re: [PHP] array + checkbox

Sorry, I've copied some old code. It was already <INPUT TYPE=checkbox name=voorraad[]>

----- Original Message -----
From: Jason Murray [EMAIL PROTECTED]
To: 'Tijmen Hennink' [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 06, 2001 10:37 AM
Subject: RE: [PHP] array + checkbox

I've the following weird problem. I have a form which contains an array with values of some checkboxes. This is the HTML part:

    <INPUT TYPE=checkbox name=voorraad checked>   (if checked)

or

    <INPUT TYPE=checkbox name=voorraad>

Try <INPUT TYPE=checkbox name=voorraad[]> maybe...?

Jason
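The thread never reaches the cause of Tijmen's "same output": a browser submits only the boxes that are checked, so name=voorraad[] without a value yields a list of "on" entries whose positions shift depending on which boxes were ticked. The example below is added here, not code from the thread: it gives every checkbox an explicit value (the item id, from constructed sample data) so the handler can ask "is this id in the submitted list" instead of relying on positions.

```php
<?php
// Added example, not from the thread. Unchecked boxes are never submitted, so
// a positional voorraad[] array cannot tell you which box was unticked. An
// explicit value per box makes the submitted array self-describing.
// $items, $in_stock and the simulated $_POST below are constructed sample data.

$items    = array(101 => 'Widget', 102 => 'Gadget', 103 => 'Gizmo');
$in_stock = array(101 => true, 102 => false, 103 => true);   // current state

// Form side: one checkbox per item, value = item id, checked from $in_stock.
function stock_form($items, $in_stock)
{
    $html = '';
    foreach ($items as $id => $label) {
        $checked = !empty($in_stock[$id]) ? ' checked' : '';
        $html .= sprintf('<input type="checkbox" name="voorraad[]" value="%d"%s> %s<br>' . "\n",
                         $id, $checked, htmlspecialchars($label));
    }
    return $html;
}

// Handler side: an id missing from the list means "unticked"; ids that are not
// known items are ignored rather than trusted.
function parse_stock($items, $post)
{
    $ticked = isset($post['voorraad']) ? array_map('intval', (array) $post['voorraad']) : array();
    $state  = array();
    foreach ($items as $id => $label) {
        $state[$id] = in_array($id, $ticked, true);
    }
    return $state;
}

echo stock_form($items, $in_stock);
// Simulated submission: the user unticked 101 and ticked 102.
$state = parse_stock($items, array('voorraad' => array('102', '103')));
var_dump($state);
```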
RE: [PHP] mod_ssl php4
Jason,

I'm using PHP4, mod_ssl, and apache 1.3.20 on a test box and a production server without any problems.

David Price

-----Original Message-----
From: Jason Rennie [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 21, 2001 7:02 AM
To: [EMAIL PROTECTED]
Subject: [PHP] mod_ssl php4

Hi all,

Are there any known problems with php4, modssl and apache 1.3.20? I looked around but all of the information was dated.

Jason
[PHP] System() and PGP
I have been trying to run PGP commands within PHP with the system() function. PGP is installed on the web server, and all the commands work fine when I'm su'ed as the nobody user (the web server user).

I can use this command to encrypt messages:

    system("pgp -ea $plainTxt 'David Price [EMAIL PROTECTED]'");

without any problems. But when I try

    system("pgp");

I don't get any output. It should display the general help text. I can run other commands like ls and ps without any problems as well.

Does anyone know what is going on here?

Thanks for your help,
David Price
RE: [PHP] PHP security FAQ
Setting the open_basedir in the Apache conf file for each virtual host should do the trick. At least on my server, with

    php_admin_value open_basedir /home/david

set under the section for my domain, I can't see any files outside my home directory. With safe_mode turned on, I think that even prevents users from uploading to their directories.

Hope this helps,
David Price

-----Original Message-----
From: cp@unknown [mailto:cp@unknown] On Behalf Of Christian Politz
Sent: Monday, July 09, 2001 10:15 AM
To: [EMAIL PROTECTED]
Subject: [PHP] PHP security FAQ

Hi,

I have a question concerning PHP and virtual hosting. Is it still true that we need Apache's suExec mechanism to protect the users against each other in a virtual domain setup?

I think with open_basedir I can prevent users from (over)writing other users' files. And with safe_mode on I can prevent evil things like

    system("cat /etc/passwd");

And when I set the directory permissions like

    rwx-x dom1user/www/domain1.com
    rwx-x dom2user/www/domain2.com

(the directories in the domain tree (eg htdocs, cgi-bin) can have other permissions) I can prevent the users from reading foreign directories.

So I can't see any reason why I shouldn't use the module version of PHP for a multiple domain setup. Or did I miss something?

I would be really happy to hear your opinions.

Thanks in advance,
Chris
RE: [PHP] PHP and Windows XP
Windows XP is the combination of the two lines.

-----Original Message-----
From: Young C. Fan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 28, 2001 5:00 AM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] PHP and Windows XP

elias [EMAIL PROTECTED] wrote in message news:9heq8k$e6$[EMAIL PROTECTED]...

Why not? if it works with WinME and PWS, I suppose it will with XP too.

I was under the impression that XP is the next in line after Win 2000, not the 95/98/Me line.

Young

snip
RE: [PHP] Stopping stolen / spoofed / linked sessions
Adam,

The way I got around this was to create a session key using an MD5 hash of the session id and the user's IP address. The username, session id and session key are then stored in a MySQL table. Every time the user loads a page I want secure, it re-creates the session key and checks to make sure it matches the information stored in the database. If that works, then it checks another table to determine if the user has access to the page or not.

I know that the IP address can be spoofed, but I'm not sending the session id in the url, so no one knows what it is, and without the session id the session key can not be spoofed.

Hope this helps,
David Price

-----Original Message-----
From: adam (dahamsta) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 27, 2001 10:39 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Stopping stolen / spoofed / linked sessions

[Please copy replies off-list.]

I want to use PHP4 sessions for authentication, but I'm having difficulty understanding how to get around users spoofing, stealing or linking sessions. Here's an example:

Alice sends Bob a link from a site she's logged into. Alice has cookies turned off in her browser, so the session id will be in the URL she sends Bob. Eve intercepts the message, follows the link and now she can take over Alice's session, and any data that is associated with that session. For that matter, Bob can do the same thing.

I can think of lots of ways around this, but most of them are kludges that don't really cut it. I can store a second authentication value in a cookie, but that would require cookies, which isn't acceptable. I could propagate a second authentication variable in the URL, but that's a lot of hassle and defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if the user came from my own site, but that can be spoofed. I can log and check the user's IP address, but that can't be relied upon.

Is there any reliable way around this? Am I missing something obvious?

Cheers,
adam
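The check David describes, written out as an added example (not his code): the key is md5 of the session id and client address, recorded at login and recomputed on every protected page, so a copy of Alice's session id presented from Eve's or Bob's address fails the comparison. It assumes PHP 4.1 or later ($_SESSION, $_SERVER); $store is a hypothetical in-memory array standing in for David's MySQL table of username, session id and key.

```php
<?php
// Added example, not David's code. Implements the check he describes above.
// Assumes PHP >= 4.1; $store is a hypothetical array standing in for the
// MySQL table of (username, session id, session key).

function session_key($sid, $ip)
{
    return md5($sid . $ip);
}

// On successful login: remember who owns this session and from which address.
function bind_session(&$store, $username)
{
    $sid = session_id();
    $store[$sid] = array(
        'user' => $username,
        'key'  => session_key($sid, $_SERVER['REMOTE_ADDR']),
    );
}

// On each protected page: a request carrying Alice's session id from any other
// address produces a different key and is refused. Returns the username on
// success (the caller then checks page permissions) or false.
function verify_session(&$store)
{
    $sid = session_id();
    if ($sid === '' || !isset($store[$sid])) {
        return false;
    }
    if ($store[$sid]['key'] !== session_key($sid, $_SERVER['REMOTE_ADDR'])) {
        unset($store[$sid]);      // treat a mismatch as a stolen session
        session_destroy();
        return false;
    }
    return $store[$sid]['user'];
}

// Two caveats before relying on this: a user whose address changes mid-session
// (proxy pools, dial-up reconnects) is logged out, and a second client behind
// the same NAT or proxy presents the same REMOTE_ADDR and passes the check.

session_start();
$store = array();                 // constructed in-memory stand-in
bind_session($store, 'alice');
$user = verify_session($store);   // same request, same address: accepted
```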
RE: [PHP] PHP PGP
It is possible, but I have not found any good tutorials on the subject. There is one on Web Monkey at this address:

http://hotwired.lycos.com/webmonkey/programming/php/tutorials/tutorial1.html

All the commands were wrong for the PGP version (6.5) that was loaded on my web server. I found that the following worked:

1. Make sure you know where PGP is located on the server. Try a whereis pgp. On my system it was installed in /usr/bin.

2. Make sure the nobody (or the user the web server runs as) user has a home directory defined in your passwd file. This will cause problems when you set up the key ring. (Do not define a shell for this user!)

3. Copy an ASCII version of your public key into a file that the nobody user can access.

4. su into the nobody account.

5. Create a signing key for the nobody user with this command: pgp -kg
   There is no need to create an encryption key.

6. Add your public key to nobody's keyring with this command: pgp -ka /path/to/your/public/key

7. Assign a trust level to the key: pgp -ke 'Userid'
   If you don't know the userid for the key use pgp -kvv to find out.

8. Sign the key with: pgp -ks 'your user id' -u 'their userid'

Then the form and php script in the Web Monkey tutorial should work.

Let me know if this helps and good luck.

David Price

-----Original Message-----
From: Pepe Lopez [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 28, 2001 7:06 AM
To: [EMAIL PROTECTED]
Subject: [PHP] PHP PGP

Hi there,

I want to encrypt mails coming from my webform with pgp. Is it possible?

regards,
Lopez
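Once the keyring is set up, the PHP side still has two sharp edges that David's earlier system("pgp -ea $plainTxt ...") call and his silent system("pgp") run into: form text interpolated into a shell command is interpreted by the shell, and failures that pgp reports on stderr or via its exit status are invisible to system(). The helper below is an added example, not code from the thread or from the Web Monkey tutorial. It assumes pgp is /usr/bin/pgp (step 1), that the nobody user's keyring lives under its home directory (step 2; /home/nobody is a placeholder), that PGP's -f option is filter mode (stdin to stdout) with +batchmode suppressing prompts, and PHP 4.3 or later for proc_open(); pgp_encrypt() is a hypothetical name.

```php
<?php
// Added example, not from the thread. Assumptions: /usr/bin/pgp (step 1), the
// nobody user's keyring under /home/nobody (placeholder, step 2), PGP -f as
// filter mode and +batchmode for no prompts, PHP >= 4.3 for proc_open().

function pgp_encrypt($plaintext, $recipient)
{
    // escapeshellarg() single-quotes the recipient and escapes embedded quotes,
    // so a form field reaches pgp as one literal argument and cannot end the
    // command the way an unquoted "$recipient" in the string could.
    $cmd = '/usr/bin/pgp +batchmode -feat ' . escapeshellarg($recipient);

    $spec = array(
        0 => array('pipe', 'r'),   // stdin: the message goes here, not in $cmd
        1 => array('pipe', 'w'),   // stdout: ASCII-armoured ciphertext
        2 => array('pipe', 'w'),   // stderr: pgp's diagnostics
    );
    $env  = array('HOME' => '/home/nobody', 'PATH' => '/usr/bin:/bin');
    $proc = proc_open($cmd, $spec, $pipes, '/tmp', $env);
    if (!is_resource($proc)) {
        return false;
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $cipher = $errors = '';
    while (!feof($pipes[1])) { $cipher .= fread($pipes[1], 8192); }
    while (!feof($pipes[2])) { $errors .= fread($pipes[2], 8192); }
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // A non-zero exit or missing armour is logged with pgp's own message
    // instead of silently producing an empty mail.
    if ($status !== 0 || strpos($cipher, '-----BEGIN PGP MESSAGE-----') === false) {
        error_log("pgp exit $status: " . trim($errors));
        return false;
    }
    return $cipher;
}

$armoured = pgp_encrypt($_POST['message'], 'David Price <[EMAIL PROTECTED]>');
if ($armoured !== false) {
    mail('[EMAIL PROTECTED]', 'Encrypted form submission', $armoured);
}
```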
RE: [PHP] sending attachments with mail
There are a few scripts listed at

http://www.hotscripts.com/PHP/Scripts_and_Programs/Email_Systems/Email_Utilities/

that might do what you want.

David Price

-----Original Message-----
From: Mark Wouters [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 19, 2001 3:10 PM
To: [EMAIL PROTECTED]
Subject: [PHP] sending attachments with mail

Nobody knows if it's possible to send attachments with mail()??

Thanks,

--
Mark Wouters
eXpanded Media
Web Designer
Parijsstraat 74, B-3000 Leuven - Louvain
Tel: +32 (16) 31.10.12
Fax: +32 (16) 31.10.19
E-mail: [EMAIL PROTECTED]
URL: http://www.expandedmedia.be