RE: [PHP] Security Question
At 2:53 PM -0500 4/8/11, Jay Blanchard wrote: [snip] whats the best way to learn about security in php? [/snip] Study, study, study! Chris Shiflett is a recognized expert on PHP security - http://shiflett.org/ He has a great book on PHP Security - http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflet t-20 !++ Cheers, tedd -- --- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question
hey guys/girls, whats the best way to learn about security in php? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Security Question
[snip] whats the best way to learn about security in php? [/snip] Study, study, study! Chris Shiflett is a recognized expert on PHP security - http://shiflett.org/ He has a great book on PHP Security - http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflet t-20 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Security Question
Best way to learn about security of something is to learn how to break it... On Apr 8, 2011 3:55 PM, Jay Blanchard jblanch...@pocket.com wrote: [snip] whats the best way to learn about security in php? [/snip] Study, study, study! Chris Shiflett is a recognized expert on PHP security - http://shiflett.org/ He has a great book on PHP Security - http://www.amazon.com/exec/obidos/ASIN/059600656X/ref=nosim/chrisshiflet t-20 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
On Fri, Apr 8, 2011 at 3:24 PM, nighthawk1256 er...@ns.sympatico.ca wrote: hey guys/girls, whats the best way to learn about security in php? Here are some relevant topics to consider: - Validate input (only accept what you're expecting, via GET, POST, and COOKIE, and don't try to fix an invalid value, throw it out.) - Use prepared statements (PDO makes this easy and generalizes quite well across popular DB's.) - Only give the bare minimum permissions required to accomplish a task (e.g., I usually have one SQL user account for reads, and one that allows for reads and writes.) - When errors occur, don't leak important system information to your users. - Hash passwords (with a salt) that are stored so you're never storing the literal value. - If you use an authentication system that's implemented with cookies (sessions-based or custom), all requests should run over https instead of http. - Escape output according to context (html, attribute, or url.) If you google the above topics, you'll find some great sites/blogs that address these topics in detail. Adam P.S. - Or, you can just use my one-file web framework which helps you automatically address all but the https issue above :) Sorry, it's a Friday so I couldn't resist the shameless plug. -- Nephtali: A simple, flexible, fast, and security-focused PHP framework http://nephtaliproject.com
Re: [PHP] security question of ZCE exam
On Tue, Aug 25, 2009 at 00:07, Augusto Flavioafla...@gmail.com wrote: Answers: (choose 2) Error messages will contain sensitive session information Error messages can contain cross site scripting attacks Security risks involved in logging are handled by PHP X Error messages give the perception of insecurity to the user X Error messages can contain data useful to a potential attacker My answers is marked with a X. some clue about this? Yes, and my answers are marked with an X. XBuy a study guide. XDo your own homework. -- /Daniel P. Brown daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/ Check out our great hosting and dedicated server deals at http://twitter.com/pilotpig -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] security question of ZCE exam
Hi all, i'm discutting with my friend about this question for 30 min and i do not agree with he. Here is the question: Why is it important from a security perspective to never display PHP error messages directly to the end user, yet always log them? Answers: (choose 2) Error messages will contain sensitive session information Error messages can contain cross site scripting attacks Security risks involved in logging are handled by PHP XError messages give the perception of insecurity to the user XError messages can contain data useful to a potential attacker My answers is marked with a X. some clue about this? thanks Augusto Morais
Re: [PHP] Security question
VamVan vamsee...@gmail.com wrote in message news:12eb8b030901141421u6741b943q396bc784136b7...@mail.gmail.com... On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak blindspot...@comcast.netwrote: This is mostly to make sure I understand how sessions are handled correctly. As far as sessions are concerned the variable data is stored on the server (be it in memory or temp files), and never transmitted accross the net unless output to the page? So this means I should be able to store the username and password for a program in session vars for quick validations, and if I force rentry of the password for sensitive areas (every time) even if someone mannages to spoof the sesid all they will have access to is non sensitive areas? This also assumes I, at least, quick validate at the start of every page immideately after starting the session. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Password should never be stored anywhere in clear text. You can store md5 version in session or database. As long as password is encrypted ure fine and safe. Thanks, V Thanks V So if I store the hash in the db, and in the session var then I should be resonably safe provided I salt the hash prior to storing it? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question
Frank Stanovcak wrote: VamVan vamsee...@gmail.com wrote in message news:12eb8b030901141421u6741b943q396bc784136b7...@mail.gmail.com... On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak blindspot...@comcast.netwrote: This is mostly to make sure I understand how sessions are handled correctly. As far as sessions are concerned the variable data is stored on the server (be it in memory or temp files), and never transmitted accross the net unless output to the page? So this means I should be able to store the username and password for a program in session vars for quick validations, and if I force rentry of the password for sensitive areas (every time) even if someone mannages to spoof the sesid all they will have access to is non sensitive areas? This also assumes I, at least, quick validate at the start of every page immideately after starting the session. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Password should never be stored anywhere in clear text. You can store md5 version in session or database. As long as password is encrypted ure fine and safe. Thanks, V Thanks V So if I store the hash in the db, and in the session var then I should be resonably safe provided I salt the hash prior to storing it? Yes, but don't use md5. There are lookups available to help someone crack it. Try sha1: http://us3.php.net/sha1 Thank you, Micah Gersten onShore Networks Internal Developer http://www.onshore.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security question
This is mostly to make sure I understand how sessions are handled correctly. As far as sessions are concerned the variable data is stored on the server (be it in memory or temp files), and never transmitted accross the net unless output to the page? So this means I should be able to store the username and password for a program in session vars for quick validations, and if I force rentry of the password for sensitive areas (every time) even if someone mannages to spoof the sesid all they will have access to is non sensitive areas? This also assumes I, at least, quick validate at the start of every page immideately after starting the session. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question
On Wed, Jan 14, 2009 at 2:22 PM, Frank Stanovcak blindspot...@comcast.netwrote: This is mostly to make sure I understand how sessions are handled correctly. As far as sessions are concerned the variable data is stored on the server (be it in memory or temp files), and never transmitted accross the net unless output to the page? So this means I should be able to store the username and password for a program in session vars for quick validations, and if I force rentry of the password for sensitive areas (every time) even if someone mannages to spoof the sesid all they will have access to is non sensitive areas? This also assumes I, at least, quick validate at the start of every page immideately after starting the session. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Password should never be stored anywhere in clear text. You can store md5 version in session or database. As long as password is encrypted ure fine and safe. Thanks, V
[PHP] Security Question
Does anyone know a good way to protect a directory that a php script NEEDS to write too? What I'm doing now: 1. create a directory manually myDir 2. chmod 777 myDir 3. password protect the directory with htaccess Is this the best way, or is there something better? Also, is there a way to mkdir or fopen a file dynamically, without pre-creating a directory with 777 permissions? Thanks for the help, Andrew
Re: [PHP] Security Question
Does anyone know a good way to protect a directory that a php script NEEDS to write too? What I'm doing now: 1. create a directory manually myDir 2. chmod 777 myDir 3. password protect the directory with htaccess Is this the best way, or is there something better? You could chmod the file/directory to 700 and change the owner to that of the webserver (presumably the script is being run via the webserver). This has the drawback that anything run from the webserver will have write access to the files. -- Richard Heyes +44 (0)800 0213 172 http://www.websupportsolutions.co.uk Knowledge Base and HelpDesk software that can cut the cost of online support -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
Andrew Peterson wrote: Does anyone know a good way to protect a directory that a php script NEEDS to write too? What I'm doing now: 1. create a directory manually myDir 2. chmod 777 myDir 3. password protect the directory with htaccess Is this the best way, or is there something better? Also, is there a way to mkdir or fopen a file dynamically, without pre-creating a directory with 777 permissions? Thanks for the help, Andrew Along with what Richard said, you could also move the directory outside of the webroot and not have to worry about the .htaccess file. Nothing but PHP could access the directory contents, and only through your interface could it be access. -- Jim Lucas Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them. Twelfth Night, Act II, Scene V by William Shakespeare -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions [long answer]
My pleasure, Arno! On 5/22/07, Arno Kuhl [EMAIL PROTECTED] wrote: -Original Message- From: Daniel Brown [mailto:[EMAIL PROTECTED] Sent: 18 May 2007 10:27 To: Al Cc: php-general@lists.php.net Subject: Re: [PHP] Security Question, re directory permissions [long answer] On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php DISCLAIMER: Bare with me this is a bit of a long answer enjoy! I can't think of any good reason why you'd have 757 for your permissions, first of all. Secondly, yes, there are security holes in having world-writable directories on a shared system. Some scripts require that you have these permissions set, and this is primarily for uploading files. However, better care should be taken by the authors to work around the 777-required permissions. For example, if uploading an image on the web to a web-accessible directory, it could instead be done as follows: Set permissions on [directory] to 777. Run script createdir.php via the web: ? mkdir($dir_name); chmod($dir_name,0700); ? Set permissions on [directory] back to the original permissions (probably 750 or 755). The above example does the following: 1.) Sets the directory to allow everyone to read, write, and execute. 2.) Apache creates a directory and sets permissions so that only it can read, write, and execute what's in there. 3.) Sets the directory back to the original (hopefully secure) permissions. That means that you won't be able to add, remove, or modify anything in that directory, of course, including the directory itself, unless you do so via the web. For example, you won't be able to use FTP to upload to that directory, nor can you delete anything from there via FTP or SSH (unless your host has REALLY screwed something up). Of course, if php_suexec is running, or if you set the SUID on the script, then the scripts will execute as the user they belong to, not as apache/nobody/daemon or whatever Apache is set to run as. This means that the above paragraph does not apply, and even via Apache, it would be as though you had manually placed the files there. This is the most-secure operation as far as that goes, but can lead to problems of privilege escalation if someone is able to create files under the UID of a different user on the system and have suexec run the files. And a basic refresher on Unix permissions as a whole (these NEVER apply to root, who can do anything, anytime, anywhere): SpecialtyUserGroupEveryone # # # # Everyone knows the basics of chmod: - 75 5 `chmod 755 script.php` -rwxr-xr-x script.php - Owner can read, write, and execute - Members of primary group can read and execute (can't write to file) - Everyone else can read and execute (can't write to file) Another example: `chmod 640 script.php` -rw-r- script.php - Owner can read and write (can't execute file) - Members of primary group can read (can't write or execute file) - No one else (again, beside root) can read, write, or execute file Each bit is comprised of a math formula with values as follows: 4 - Read 2 - Write 1 - Execute 0 - No permissions (cannot be added to above numbers in permission bit, of course) So to get the number for the permission bit, simply add the above numbers together to get the sum. For example, if you want the owner of the file to be able read, write, and execute, the group to be able to read and execute, and the rest of the world to only be able to read, you'd do calculate the following: Owner (read, write, execute): 4 + 2 + 1 = 7 Group (read and execute): 4 + 1 = 5 Everyone (read only): 2 Your permissions as above would be 752 (`chmod 752 script.php`). Now, on to the 4-digit permission values you've probably seen elsewhere begin with what's called a 'specialty bit' which allows the owner (or root) to enforce one of the following: 4 - SUID (if executed, runs as owner, with owner permissions) 2 - GUID (if executed, runs as group, with group permissions) 1 - Sticky (if directory, only user can modify
Re: [PHP] Security Question, re directory permissions
On 5/19/07, itoctopus [EMAIL PROTECTED] wrote: I'm genuinely interested to know with whom you're hosting... No problem, it's www.dapx.com, it hasn't a lot security, safe_mode is off for example. If you know the right stuff from another user on the same server, you can actually do some nice stuff :) Tijnema -- itoctopus - http://www.itoctopus.com Tijnema [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On 5/19/07, Al [EMAIL PROTECTED] wrote: How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. That's quite easy, especially when you have SSH access. Of course, it will only work with specific settings, and that might be blocked on some hosts, but it works for me. On my host, accounts for domains are just in /home so let's say i have 2 accounts, account a b. their directorys are resp. /home/a /home/b. When i create a diretory with account a at /home/a/dir, and i chmod it 757, i can write a file there from account b. Tijnema Tijnema wrote: On 5/19/07, Al [EMAIL PROTECTED] wrote: But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow. Al. Well, you were talking about a shared linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
I use Hosting Matters. It is super reliable and solid. itoctopus wrote: I'm genuinely interested to know with whom you're hosting... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question, re directory permissions
I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
How can they write or edit files there without having ftp access or the site's file manager? Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
On 5/18/07, Al [EMAIL PROTECTED] wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions [long answer]
On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php DISCLAIMER: Bare with me this is a bit of a long answer enjoy! I can't think of any good reason why you'd have 757 for your permissions, first of all. Secondly, yes, there are security holes in having world-writable directories on a shared system. Some scripts require that you have these permissions set, and this is primarily for uploading files. However, better care should be taken by the authors to work around the 777-required permissions. For example, if uploading an image on the web to a web-accessible directory, it could instead be done as follows: Set permissions on [directory] to 777. Run script createdir.php via the web: ? mkdir($dir_name); chmod($dir_name,0700); ? Set permissions on [directory] back to the original permissions (probably 750 or 755). The above example does the following: 1.) Sets the directory to allow everyone to read, write, and execute. 2.) Apache creates a directory and sets permissions so that only it can read, write, and execute what's in there. 3.) Sets the directory back to the original (hopefully secure) permissions. That means that you won't be able to add, remove, or modify anything in that directory, of course, including the directory itself, unless you do so via the web. For example, you won't be able to use FTP to upload to that directory, nor can you delete anything from there via FTP or SSH (unless your host has REALLY screwed something up). Of course, if php_suexec is running, or if you set the SUID on the script, then the scripts will execute as the user they belong to, not as apache/nobody/daemon or whatever Apache is set to run as. This means that the above paragraph does not apply, and even via Apache, it would be as though you had manually placed the files there. This is the most-secure operation as far as that goes, but can lead to problems of privilege escalation if someone is able to create files under the UID of a different user on the system and have suexec run the files. And a basic refresher on Unix permissions as a whole (these NEVER apply to root, who can do anything, anytime, anywhere): SpecialtyUserGroupEveryone # # # # Everyone knows the basics of chmod: - 75 5 `chmod 755 script.php` -rwxr-xr-x script.php - Owner can read, write, and execute - Members of primary group can read and execute (can't write to file) - Everyone else can read and execute (can't write to file) Another example: `chmod 640 script.php` -rw-r- script.php - Owner can read and write (can't execute file) - Members of primary group can read (can't write or execute file) - No one else (again, beside root) can read, write, or execute file Each bit is comprised of a math formula with values as follows: 4 - Read 2 - Write 1 - Execute 0 - No permissions (cannot be added to above numbers in permission bit, of course) So to get the number for the permission bit, simply add the above numbers together to get the sum. For example, if you want the owner of the file to be able read, write, and execute, the group to be able to read and execute, and the rest of the world to only be able to read, you'd do calculate the following: Owner (read, write, execute): 4 + 2 + 1 = 7 Group (read and execute): 4 + 1 = 5 Everyone (read only): 2 Your permissions as above would be 752 (`chmod 752 script.php`). Now, on to the 4-digit permission values you've probably seen elsewhere begin with what's called a 'specialty bit' which allows the owner (or root) to enforce one of the following: 4 - SUID (if executed, runs as owner, with owner permissions) 2 - GUID (if executed, runs as group, with group permissions) 1 - Sticky (if directory, only user can modify/rename/delete files within; if file, on only *nix systems, keep file in RAM upon delete) Using the same concept and convention as above with the math, you can create single or combination permissions on the specialty bit of the permissions. Some examples: 4755 - Owner can read/write/execute; group and everyone else can
Re: [PHP] Security Question, re directory permissions
But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow. Al. Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
On 5/19/07, Al [EMAIL PROTECTED] wrote: But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow. Al. Well, you were talking about a shared linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. Tijnema wrote: On 5/19/07, Al [EMAIL PROTECTED] wrote: But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow. Al. Well, you were talking about a shared linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
On Fri, 2007-05-18 at 20:16 -0400, Al wrote: How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. Bugs in your code, bugs in third-party code, bugs in PHP itself, sometimes they can be abused to take advantage of your server. The less secure everything else is, the greater the advantage that can be taken. Just ask anyone who's had their site defaced. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
On 5/19/07, Al [EMAIL PROTECTED] wrote: How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. That's quite easy, especially when you have SSH access. Of course, it will only work with specific settings, and that might be blocked on some hosts, but it works for me. On my host, accounts for domains are just in /home so let's say i have 2 accounts, account a b. their directorys are resp. /home/a /home/b. When i create a diretory with account a at /home/a/dir, and i chmod it 757, i can write a file there from account b. Tijnema Tijnema wrote: On 5/19/07, Al [EMAIL PROTECTED] wrote: But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow. Al. Well, you were talking about a shared linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
I guess your comment The less secure everything else is. is the best answer. I'm developing a CMS where logged-in, selected users can create new directories and pages in them. I'm comfortable that my code is secure. I'm using php's ftp functions, with good security, to mkdir and create special files. Guess, I'll go to the trouble to change permissions to create new stuff and then restore them to 755 and 644. Thanks everyone. Robert Cummings wrote: On Fri, 2007-05-18 at 20:16 -0400, Al wrote: How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. Bugs in your code, bugs in third-party code, bugs in PHP itself, sometimes they can be abused to take advantage of your server. The less secure everything else is, the greater the advantage that can be taken. Just ask anyone who's had their site defaced. Cheers, Rob. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question, re directory permissions
I'm genuinely interested to know with whom you're hosting... -- itoctopus - http://www.itoctopus.com Tijnema [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] On 5/19/07, Al [EMAIL PROTECTED] wrote: How can anyone, other than the staff, get into my site? Far as I know, other users can't get out of their own domain space and into mine. That's quite easy, especially when you have SSH access. Of course, it will only work with specific settings, and that might be blocked on some hosts, but it works for me. On my host, accounts for domains are just in /home so let's say i have 2 accounts, account a b. their directorys are resp. /home/a /home/b. When i create a diretory with account a at /home/a/dir, and i chmod it 757, i can write a file there from account b. Tijnema Tijnema wrote: On 5/19/07, Al [EMAIL PROTECTED] wrote: But, SSH and telnet, etc. require authentication login-in and all the executables you mentioned [and others] require someone who has access to upload a harmful file to start with. Right? Once they are in there, they can do anything they please anyhow. Al. Well, you were talking about a shared linux host, so other people, from a different account, could just upload files, and if you have a directory with 757, that user could write to it. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: How can they write or edit files there without having ftp access or the site's file manager? SSH access? Telnet maybe? PHP script? CGI script? ASP script? There are a lot of possible ways someone can write there. Tijnema Tijnema ! wrote: On 5/18/07, Al [EMAIL PROTECTED] wrote: I'm on a shared Linux host and have been wondering about security and directory other [world] permissions. The defaults are 755. The 'others' [world] can read them only. Is there a security hole if a dir on the doc root if a directory has permissions 757? If there is a security problem, what is it? Thanks... If you have a directory with 757 permissions, world can create new files there. And if you give files 757 (or 646) permissions, then world can edit that file. So if you have a doc dir, you probably don't want extra files there. It's not really a security problem, but if somebody notices it, he might write files there. Tijnema -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
Here is part of my proxie tags to html tags translation array. Looks pretty safe to me. There is other code to recognize paragraphs and lists, etc. $translate_array= array( 'link' = 'a href=http://', '/link' = '/a', 'slink' = 'a href=https://', '/slink'= '/a', 'label' = ' target=_blank', email = 'a href=mailto:', name = \, '/email'= '/a', 'photo' = img class=\floatleft\ alt=\mug\ src=\$scr, '/photo'= '', 'blue-line' = div class=\horzline\/div\n, 'blue_line' = div class=\horzline\/div\n, 'images'= div class=\images\, '/images' = /div\n, 'no_banner' = '', 'no_menu' = '', 'return' = div class=\return\a style=\text-decoration:underline\ href=\$request_url\Return to previous page/a/div\n, ); Jochem Maas wrote: Al wrote: Good point about the 'script evil haxor code here; /script'. That's bad for our users, not the site, per se. what is bad for your users is bad for your site, on top of that the script is running in the context of your domain - all sorts of nasty possibilities that could affect your site. Raw text to html is primarily done with a series of preg_replace() operations. what/how [exactly] the transformation is done determines whether your safe. No include() or exec() allowed near the text. Sounds like I'm in pretty good shape. maybe, maybe not - see above. (do you practice any sports? ;-P) ... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
Al wrote: Here is part of my proxie tags to html tags translation array. Looks pretty safe to me. There is other code to recognize paragraphs and lists, etc. any 'real' html in the content your 'translating' is still going to be there after translation - and therefore sent to the client, quite impossible to say, with out know the code or the realiability of the content source (e.g. the people that generate the content files) how safe it actually is. I would suggest you go to http://phpsec.org - chances are you learn something that you have yet to consider at this point in time :-) $translate_array= array( 'link'= 'a href=http://', '/link'= '/a', 'slink'= 'a href=https://', '/slink'= '/a', 'label'= ' target=_blank', email= 'a href=mailto:', name= \, '/email'= '/a', 'photo'= img class=\floatleft\ alt=\mug\ src=\$scr, '/photo' = '', 'blue-line'= div class=\horzline\/div\n, 'blue_line'= div class=\horzline\/div\n, 'images'= div class=\images\, '/images'= /div\n, 'no_banner'= '', 'no_menu'= '', 'return'= div class=\return\a style=\text-decoration:underline\ href=\$request_url\Return to previous page/a/div\n, ); Jochem Maas wrote: Al wrote: Good point about the 'script evil haxor code here; /script'. That's bad for our users, not the site, per se. what is bad for your users is bad for your site, on top of that the script is running in the context of your domain - all sorts of nasty possibilities that could affect your site. Raw text to html is primarily done with a series of preg_replace() operations. what/how [exactly] the transformation is done determines whether your safe. No include() or exec() allowed near the text. Sounds like I'm in pretty good shape. maybe, maybe not - see above. (do you practice any sports? ;-P) ... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question
I've got a website on a virtual-host, Apache/Linux system running php scripts. I particular, I've designed a CMS where designated individuals compose and edit text in an html textarea, and then save the raw text in files. Custom [i.e., proxie] tags are used for emphasizing and the formating text [e.g., redRed Text/red]. The raw text is converted to W3C compliant, html code for user rendering. When processing the text, I remove all php start codes [? ?php, etc.] from the text, though it's not obvious to me how the text can be executed when it's treated as pure text sent to the client. Now the question. Does anyone see an obvious security hole? Thanks. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
Al wrote: I've got a website on a virtual-host, Apache/Linux system running php scripts. I particular, I've designed a CMS where designated individuals compose and edit text in an html textarea, and then save the raw text in files. Custom [i.e., proxie] tags are used for emphasizing and the formating text [e.g., redRed Text/red]. The raw text is converted to W3C compliant, html code for user rendering. When processing the text, I remove all php start codes [? ?php, etc.] from the text, though it's not obvious to me how the text can be executed when it's treated as pure text sent to the client. Now the question. Does anyone see an obvious security hole? if you don't strip out stuff like 'script evil haxor code here; /script' then that's one thing that can bite. it's hard to say what holes there may be without seeing the code that does the conversion from 'raw text' to 'html' . another security issue is whether anyone could overwrite existing 'content' text files on the server - only your CMS should have write access to these. any php code in the files can't be run at all *unless* your using include on the given text files or your running the content of the text files through eval() Thanks. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
Good point about the 'script evil haxor code here; /script'. That's bad for our users, not the site, per se. Raw text to html is primarily done with a series of preg_replace() operations. No include() or exec() allowed near the text. Sounds like I'm in pretty good shape. Thanks for the help.. Jochem Maas wrote: Al wrote: I've got a website on a virtual-host, Apache/Linux system running php scripts. I particular, I've designed a CMS where designated individuals compose and edit text in an html textarea, and then save the raw text in files. Custom [i.e., proxie] tags are used for emphasizing and the formating text [e.g., redRed Text/red]. The raw text is converted to W3C compliant, html code for user rendering. When processing the text, I remove all php start codes [? ?php, etc.] from the text, though it's not obvious to me how the text can be executed when it's treated as pure text sent to the client. Now the question. Does anyone see an obvious security hole? if you don't strip out stuff like 'script evil haxor code here; /script' then that's one thing that can bite. it's hard to say what holes there may be without seeing the code that does the conversion from 'raw text' to 'html' . another security issue is whether anyone could overwrite existing 'content' text files on the server - only your CMS should have write access to these. any php code in the files can't be run at all *unless* your using include on the given text files or your running the content of the text files through eval() Thanks. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
Al wrote: Good point about the 'script evil haxor code here; /script'. That's bad for our users, not the site, per se. what is bad for your users is bad for your site, on top of that the script is running in the context of your domain - all sorts of nasty possibilities that could affect your site. Raw text to html is primarily done with a series of preg_replace() operations. what/how [exactly] the transformation is done determines whether your safe. No include() or exec() allowed near the text. Sounds like I'm in pretty good shape. maybe, maybe not - see above. (do you practice any sports? ;-P) ... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
void session_set_cookie_params ( int lifetime [, string path [, string domain [, bool secure [, bool httponly ) The bool secure part of that means you can set your cookie parameters such that your cookies are sent/received only over SSL connections. Only available since PHP 4.0.4 On Thu, November 23, 2006 12:42 pm, Alain Roger wrote: Hi Richard, Could you be more precise on your suggestion You may want to use http://session_set_cookie_params to require the your SSL cookie ONLY go through SSL, though. i suppose you mean to use the SID in the address. I've never done this before and i'd be very glad to learn how to do it and to use it efficiently. Do you have any tutorial or help to suggest me regarding this topic ? thanks a lot, ALain -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
Robert Cummings wrote: On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote: Western, Matthew wrote: where did u learn all the stuff?... ;-) Maybe reading the manual? thanks matthew, maybe we should all refer to forum and google Teach a man to fish... Cheers, Rob. Give a man a fish and you feed him for a day. Hand him a fully charged electric eel and chances are he won't bother you again. Cheers -- David Robley I don't want the world, I just want your half. Today is Boomtime, the 35th day of The Aftermath in the YOLD 3172. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
There are a few ways of working you should adpot early as they protect against a range of security problems. Some examples: 1. Always initialised your variables. 2. If you can, turn off register_globals, or code defensively if you can't. 3. Always mistrust incoming data, validate, check contents and clean. 4. Buy and read PHP Security (O'Reilly). On 11/23/06, David Robley [EMAIL PROTECTED] wrote: Robert Cummings wrote: On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote: Western, Matthew wrote: where did u learn all the stuff?... ;-) Maybe reading the manual? thanks matthew, maybe we should all refer to forum and google Teach a man to fish... Cheers, Rob. Give a man a fish and you feed him for a day. Hand him a fully charged electric eel and chances are he won't bother you again. Cheers -- David Robley I don't want the world, I just want your half. Today is Boomtime, the 35th day of The Aftermath in the YOLD 3172. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- http://www.web-buddha.co.uk
Re: [PHP] security question
On Wed, 2006-11-22 at 22:45 -0600, Larry Garfield wrote: On Wednesday 22 November 2006 22:38, Robert Cummings wrote: maybe we should all refer to forum and google Teach a man to fish... And you lose your monopoly on fisheries. Yeah, but I got Park Place and Boardwalk!!! *nyah nyah* :B Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
Sorry didn't quite get that finished - hit send by accident ( and had
it go to one person, instead of to the list ).
Few quick tips - not all strictly security related, but may affect security.
Develop with E_ALL. Good code can run under E_ALL without complaining.
On your development build, E_ALL errors should be echoed to the
screen, whilst in a production enviornment, they should be logged (
and checked regularly by ( or emailed to ) the administrator ).
Don't allow include files to execute if called. Everything in an
included file should either be an assignment ( to a static value - not
the return value of a function), or inside a function.
In an included file:
?php
// ok
$variable = Value;
// unsafe - attacker if he can execute your include files directly
// can cause the getValue() function to be run, outside your defined
// enviornment.
$variable = getValue();
function thisfunc(){
// ok - inside function
$variable = getValue();
}
?
of course as well as this, your include files should be (a) outside
your web directory, and (b) protected by a Deny to all in your
Apache config file ( or similar equivlent for other webservers ) and
.htaccess.
These are all of course different layers of security. You work on the
assumption that an attacker can get through any one of them, but hope
that they can't get through them all.
These aren't hard and fast rules - they're just techniques that I use
myself. Just because someone else doesn't use these techniques,
doesn't mean that their techniques are any worse than mine.
Rory
On 11/23/06, Robert Cummings [EMAIL PROTECTED] wrote:
On Wed, 2006-11-22 at 22:45 -0600, Larry Garfield wrote:
On Wednesday 22 November 2006 22:38, Robert Cummings wrote:
maybe we should all refer to forum and google
Teach a man to fish...
And you lose your monopoly on fisheries.
Yeah, but I got Park Place and Boardwalk!!! *nyah nyah* :B
Cheers,
Rob.
--
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`'
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] security question
Hi, Now that i finished the client side of the web application i would like to improve the security of my administration side of this web application. My web hoster support a shared SSL protocol, however i would like to do more than simply use the SSL... I've heard that cookies and sessions can be easily hacked...so what do you use to secure your web page. which methods ? thanks a lot Alain Windows XP SP2 PostgreSQL 8.1.4 Apache 2.0.58 PHP 5
Re: [PHP] security question
On Wed, November 22, 2006 11:20 am, Alain Roger wrote: Now that i finished the client side of the web application i would like to improve the security of my administration side of this web application. My web hoster support a shared SSL protocol, however i would like to do more than simply use the SSL... I think the amazing thing is that you just used simply and SSL in the same sentence... :-) SSL is a VERY safe way to ensure that the data traveling from the browser to the server, and data going back from server to browser, is secure in transit. SSL is pretty much the armored truck ploughing its way through the Internet, shedding bullets like a duck sheds water. I've heard that cookies and sessions can be easily hacked...so what do you use to secure your web page. which methods ? With SSL in place, you have reduced your vulnerabilities to, essentially, the endpoints of the communication: who has access to the browser/client who has access to the webhost/server The sentence cookies can be easily hacked is true in the sense that anybody who can get ahold of your laptop/desktop can add cookie files. Or, if they can run a virus on it, they can install any cookie files they like, for any site. There is very very very little you can do to secure the computers of your users, even your admin users. Probably your best bet is to EDUCATE those users, as early and often as you can, about safe computer practices. You should also be very careful to use sensible things in your Cookies -- Actually, with PHP, you should send JUST ONE cookie for your entire site, and track everything else you need in your $_SESSION data. Okay, if you've installed some forum software or something, maybe integrating its authentication into your main login is a Bad Idea, so you can have extra cookies for the forum. Though most forum software comes with its own whole new set of Security issues. :-( The sessions getting hacked generally mostly boils down to the session getting hijacked by a compromised client/browser (see above), or somebody who already can login to the webhost/server -- at which point the sesssion itself is a tiny part of a much bigger problem, which is the whole SERVER is compromised. My best advice would be to use *ONE* session_start() in a single include file, probably the same way you are doing your DB connection, and let PHP experts worry about the mechanics of sending a good cookie. You may want to use http://session_set_cookie_params to require the your SSL cookie ONLY go through SSL, though. You then only need to focus on the parts of the process that you scripted in PHP. Your authentication, for example, should be simple and straightforward enough that you can sit down and test it in an afternoon and be absolutely certain that you can't manage to get through to anything you shouldn't, without a valid username/password. Other things to consider: Educate users about what is or isn't a Good Password. Attempt to steer users away from using Bad Passwords. Read this site over and over until you internalize it: http://phpsec.org/ And, just a general note, not directed at the question/post/Alain: Security is not something one can just slap on to the site after one finishes it -- It has to be a living breathing process that is in symbiosis with the life-cycle of the project. -- Some people have a gift link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
Alain Roger wrote: I've heard that cookies and sessions can be easily hacked...so what do you use to secure your web page. which methods ? If you want to be secure, don't trust anything. Cookies are easily modified by a user, so never store anything sensitive in there without masking it well. Personally, I don't like $_SESSION either, 'cause it doesn't work across clustered servers by default, and isn't usually terribly secure on a shared web host. I tend to use hashed data in the cookie for anything that needs to be semi-secure, and store everything sensitive in a database, one-way hashed wherever possible. jon -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
dear richard, yours was an amazing reply... simple and true and well written... where did u learn all the stuff?... ;-) anyway. is there a step by step process for checking if your site is secure?... i know you would say to get a hacker or something... but as a programmer, i would like to know (some) more info... i use GET instead of POST for most of the forms... even in a shopping cart or admin panel... do u think that is risky? one the biggest threat is sql injections and now xml injections... but can u give some more info... like what commands do i need to use and what part of the website do i need to check?... what is penetration and black box testing for a php website? is there any software for this kind of testing... some part of the process can be automated... like grabbing all the links or urls and purposely bombarding them with sql statements. if i do the same from a professional, what should be a average cost for testing a website for security?... also Security is not something one can just slap on to the site after one finishes it -- It has to be a living breathing process that is in symbiosis with the life-cycle of the project. that is a beautiful statement... thanks a lot... sumeet Richard Lynch wrote: On Wed, November 22, 2006 11:20 am, Alain Roger wrote: Now that i finished the client side of the web application i would like to improve the security of my administration side of this web application. My web hoster support a shared SSL protocol, however i would like to do more than simply use the SSL... I think the amazing thing is that you just used simply and SSL in the same sentence... :-) SSL is a VERY safe way to ensure that the data traveling from the browser to the server, and data going back from server to browser, is secure in transit. SSL is pretty much the armored truck ploughing its way through the Internet, shedding bullets like a duck sheds water. Security is not something one can just slap on to the site after one finishes it -- It has to be a living breathing process that is in symbiosis with the life-cycle of the project. -- Thanking You Sumeet Shroff http://www.prateeksha.com Web Designers and PHP / Mysql Ecommerce Development, Mumbai India -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
Western, Matthew wrote: where did u learn all the stuff?... ;-) Maybe reading the manual? thanks matthew, maybe we should all refer to forum and google, and stop posting in this forum can u please start first... thanks anyway...mani needed some silly sarcastic comments to get past my day. -- Thanking You Sumeet Shroff http://www.prateeksha.com Web Designers and PHP / Mysql Ecommerce Development, Mumbai India -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote: Western, Matthew wrote: where did u learn all the stuff?... ;-) Maybe reading the manual? thanks matthew, maybe we should all refer to forum and google Teach a man to fish... Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question
On Wednesday 22 November 2006 22:38, Robert Cummings wrote: maybe we should all refer to forum and google Teach a man to fish... And you lose your monopoly on fisheries. -- Larry Garfield AIM: LOLG42 [EMAIL PROTECTED] ICQ: 6817012 If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it. -- Thomas Jefferson -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security question
Hi list I've got a concern for a user add/edit form. Right now when the user is logged in, I put its id in the session. Then when the user edits his details I put the id in the form and when it comes back I verify if the id matches the one in the session. Is it possible for someone who does not have access to the server to edit arbitary accounts? With kind regards Andy -- Now listening to Top! Radio Live www.topradio.be/stream on amaroK Geek code: www.vlaamse-kern.com/geek Registered Linux User No 379093 If life was for sale, what would be its price? www.vlaamse-kern.com/sas/ for free php utilities -- pgpWGI97TkKdb.pgp Description: PGP signature
Re: [PHP] Security question
Andy Pieters napisał(a): Is it possible for someone who does not have access to the server to edit arbitary accounts? well this depends on the forum You use, there're many many exploits out there. The best way to know is to try and keep up with places like the bugtraq@securityfocus.com list, or other security websites/mailing lists and such. -- Best wishes Łukasz -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question
On Wednesday 07 December 2005 08:57, Łukasz Hejnak wrote: The best way to know is to try and keep up with places like the bugtraq@securityfocus.com list, or other security websites/mailing lists and such. It isn't a forum, it is software I write myself. -- Now listening to Top! Radio Live www.topradio.be/stream on amaroK Geek code: www.vlaamse-kern.com/geek Registered Linux User No 379093 If life was for sale, what would be its price? www.vlaamse-kern.com/sas/ for free php utilities -- pgpkC5xo4fmtq.pgp Description: PGP signature
RE: [PHP] Security question
Hi Andy, On 12/7/05, Andy Pieters [EMAIL PROTECTED] wrote: Right now when the user is logged in, I put its id in the session. Then when the user edits his details I put the id in the form and when it comes back I verify if the id matches the one in the session. Well, is session data saved in a secure place on the server side? Read Form Processing and Sessions sections in the PHP Security Guide http://phpsec.org/projects/guide/ Regards, Ahmed
[PHP] security question... man in the middle attacks
hey... anybody here have a serious background in security, or with 'man in the middle attacks'??? in particular, i'm trying to get my hands around ways of preventing a server/browser app to be susceptible to a 'man in the middle attack' serious pointers would be helpful. searching across google hasn't turned up any examples of how this can be accomplished... thanks -bruce [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] security question... man in the middle attacks
your questions are on point... if you're going to really talk about doing transactions... it appears to me that you really need to solve this. www.passmarksecurity.com claims to have solved this.. although i'm not sure i agree with them.. for one, i can't find a thorough independent analysis, for two, from what i can tell... they rely on the server app getting information from the browser. their approach appears to depend on their belief that the intermediary (fake) app can't be in the middle, therefore they'll only get valid information from the 'real' browser... as far as i can tell, their solution is to look at certain information (mac address/headers/etc...) that they're inclined to believe can't be altered/spoofed. i'm not buying it as far as i can tell... you essentially need multiple information streams on the client(browser) machine coming from the server... in actuality, i can envision the following... master server customer client / \ /\ biz server --- customer browser the customer and the biz server talk to each other the customer client and master server talk to each other the customer client and browser are on the same machine the idea would be for the client app to be abel to 'get/see' the url that the biz server app is sending for return requests. the client app would then go back to the master server to 'determine' if the url/ip address is corect for the given site. this can be accomplished fairly quickly by polling random dns servers at the master level. if the majority of the polled dns servers return the same address as the one from the biz server, we can assume that the biz server is giving the correct url/ip addresses.. this could be done for every request. this kind of approach would be pretty difficult to corrupt, unless the client app where somehow mangled/forged. you could determine if the client was ever screwed with by using an SMS type of system via the cell phone... -bruce -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, November 21, 2005 8:34 PM To: [EMAIL PROTECTED] Subject: RE: [PHP] security question... man in the middle attacks 'man in the middle' relates to any interception/redirection and I see I was looking at it more as a hacker posing as the user interacting with a legitmate site rather than the user interacting with a bogus site. Two sides to a similar coin. real site bogus user - bogus site - real user the session ID issue I was talking about helps prevent a bogus user from posing as a legitimate one because only the real-site and the real-user should know the session ID being used but then again, it could be intercepted. I think there's more to it than I'm explaining, but it's not coming to me right now. My apologies for not being more specific. Definitely check out Chris Shiflett's site: http://shiflett.org/ (I got un-lazy for a moment to look it up).. he might have something in there somewhere. I think what you're talking about is going to be kind of tricky because more so than other security issues, this issue seems more susceptible to measure/countermeasure type things. You could use a secure connection, but what happens if the hacker gets a certificate for their bogus site? What happens if they mask the URL so it appears to be coming from the legitmate site? I'm wondering how often the scenario you're talking about will come into play though. Seems that unless someone hacks your site and puts in some bogus URLs that drag your legit users away from your legit site, the only way someone's going to get lured into this situation is if someone is posting bogus URLs somewhere else.. like on online forums or something saying Come see Bruce's website! and going to a totally different URL posing as yours. In which case you can really only rely on your user's intelligence to NOT fall for it. Anyway, just some things to ponder while you find a real answer. :) I have some experience with security issues, but wouldn't necessarily call myself an 'expert'. Working on it though. -TG = = = Original message = = = i'm not sure i see how this would affect a man in the middle attack... a man in the middle attack, for the purpose of this thread is the insertion of a clone/fake web app between the user's browaser and the original web site... i'm looking for ways/solutions that will prevent a fake/clone site from redirecting the user, or intercepting the user/initial site traffic... original fake user site ---site - browser in this case a fake site could look like the original site, intercepting the communication between the original/user. how can it be detected, can it really be prevented? as far as i can tell, what ever the original might send to the user's browser, can simply be intercepted by the fake site
Re: [PHP] security question...??
how many of you actually attempt to verify that the browser being used by the client is indeed a legitimate (non-hacked) browser? I think you need to clearly define what a legitimate browser is. In my opinion, the ambiguity in your question is the root cause of the disorganization in this particular thread. If you mean that you want to prevent a naive user from using software that is written by a malicious user, then current protocols and standards don't support what you want to do. Where the rubber meets the road is an HTTP transaction, and HTTP is a well-known protocol. Chris -- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question...??
On 6/20/05, bruce [EMAIL PROTECTED] wrote: hi... a number of you write apache/web/server apps that deal with secure information.. in doing some research it occured to me that a potential weak link is on the client side, regarding the browser? how many of you actually attempt to verify that the browser being used by the client is indeed a legitimate (non-hacked) browser?? or is there even a way to do this? No. or should i just go back to sleep..?? Yes thanks -bruce [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] security question...??
hi... a number of you write apache/web/server apps that deal with secure information.. in doing some research it occured to me that a potential weak link is on the client side, regarding the browser? how many of you actually attempt to verify that the browser being used by the client is indeed a legitimate (non-hacked) browser?? or is there even a way to do this? or should i just go back to sleep..?? thanks -bruce [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question with my password protected login script...
Hello all,
I have the following script called login.inc which I include at the
beginning of each page on my customer control panel. Basically it checks to
see if a session has been created with user details and if it has it carries
on with the rest of the page and if not the login screen is printed.
My question is, how secure is this? I have the password, username etc in a
MYSQL database but I haven't encrypted it (don't know how)
Should I have login.inc in a folder below my public_html directory?
I have removed some details such as passwords and swapped that with question
marks.
Many thanks,
Ian Gray
Here is the code?
?
session_start(); // start session.
if(!isset($username) | !isset($password)) {
// escape from php mode.
?
html xmlns=http://www.w3.org/1999/xhtml;
head
meta http-equiv=Content-Type content=text/html; charset=iso-8859-1 /
titleCustomer Login/title
link href=login.css rel=stylesheet type=text/css /
script language=JavaScript type=text/javascript
/head
body onLoad=self.focus();document.customerlogin.username.focus()
form action=?=$PHP_SELF??if($QUERY_STRING){ echo?. $QUERY_STRING;}?
method=POST name=customerlogin id=customerlogin
table width=500 height=320 border=1 align=center cellpadding=0
cellspacing=0 bordercolor=#33 background=images/login.jpg
tr
td valign=toptable width=500 border=0 cellspacing=0
cellpadding=0
tr
td bgcolor=#343399div align=rightimg src=images/cl.jpg
alt=Customer Logingt;gt;gt; width=400 height=40 //div/td
/tr
tr
tdpnbsp;/p
pnbsp;/p/td
/tr
tr
td class=textydiv align=centerCustomer control panel. Please
enter
your username and password into the boxes below:/div/td
/tr
tr
tdtable width=300 border=0 align=center cellpadding=0
cellspacing=5
tr
tdnbsp;/td
tdnbsp;/td
/tr
tr
td class=blueyUsername:/td
tdinput name=username type=text class=formy/td
/tr
tr
td class=blueyPassword:/td
tdinput name=password type=password class=formy/td
/tr
tr
tdnbsp;/td
td
div align=center
input type=submit class=formy
value=Logingt;gt;gt;
/div/td/tr
/table/td
/tr
tr
tdnbsp;/td
/tr
/table/td
/tr
/table/form
/body
/html
?
exit();
}
// If all is well so far.
session_register(IIDD);
session_register(firstname);
session_register(username);
session_register(password); // register username and password as session
variables.
// Here you would check the supplied username and password against your
database to see if they exist.
// For example, a MySQL Query, your method may differ.
$link = mysql_connect(?, ?, ?) or die(Could not
connect);
mysql_select_db(s??) or die(Could not select database);
$sql = mysql_query(SELECT customerID, password, firstname FROM
customer_details WHERE username = '$username');
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);
if($numrows != 0 $password == $fetch_em[password]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}
$firstname = $fetch_em[firstname];
$IIDD = $fetch_em[customerID];
// If the username exists and pass is correct, don't pop up the login code
again.
// If info can't be found or verified
if (!($valid_user))
{
session_unset(); // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?
html xmlns=http://www.w3.org/1999/xhtml;
head
meta http-equiv=Content-Type content=text/html; charset=iso-8859-1 /
titleCustomer Login/title
link href=login.css rel=stylesheet type=text/css /
/head
body
br /
form action=?=$PHP_SELF??if($QUERY_STRING){ echo?. $QUERY_STRING;}?
method=POST
table width=500 height=320 border=1 align=center cellpadding=0
cellspacing=0 bordercolor=#33 background=images/login.jpg
tr
td valign=toptable width=500 border=0 cellspacing=0
cellpadding=0
tr
td bgcolor=#343399div align=rightimg src=images/cl.jpg
alt=Customer Logingt;gt;gt; width=400 height=40 //div/td
/tr
tr
tdpnbsp;/p
pnbsp;/p/td
/tr
tr
td class=textydiv align=centerIncorrect username and/or
password. Please enter correct ones to log in:/div/td
/tr
tr
tdtable width=300 border=0 align=center cellpadding=0
cellspacing=5
tr
tdnbsp;/td
tdnbsp;/td
/tr
tr
td class=blueyUsername:/td
tdinput name=username type=text class=formy/td
/tr
tr
td class=blueyPassword:/td
tdinput name=password type=password class=formy/td
/tr
tr
tdnbsp;/td
td
div align=center
input type=submit class=formy
value=Logingt;gt;gt;
/div/td/tr
/table/td
Re: [PHP] Security Question with my password protected login script...
Ian Gray wrote:
Hello all,
My question is, how secure is this? I have the password, username etc in
a
MYSQL database but I haven't encrypted it (don't know how)
The MySQL 'password' function at http://mysql.com would work.
For something that is portable to non MySQL systems, you can use
http://php.net/crypt
Should I have login.inc in a folder below my public_html directory?
Ideally, *NO* you should not.
It should be a in a directory that is *NOT* below your public_html directory.
Make a directory called 'includes' or 'php' or something similar that is
*NEXT* to your public_html directory.
Then, using either .htaccess and:
php_value include_path ./:/complete/path/from/root/of/server/to/includes
or perhaps http://php.net/set_include_path or http://php.net/set_ini you
want to convince PHP that the directory you just created is in your
include_path.
I have removed some details such as passwords and swapped that with
question
marks.
Good!
?
session_start(); // start session.
if(!isset($username) | !isset($password)) {
This should be || and not |, really.
// escape from php mode.
?
html xmlns=http://www.w3.org/1999/xhtml;
...
/html
?
exit();
}
// If all is well so far.
session_register(IIDD);
session_register(firstname);
session_register(username);
session_register(password); // register username and password as session
variables.
Not such a good idea, maybe.
They end up being in a file that *ANY* PHP script on your server can use.
If you are on a shared server, that means *EVERY* other user on your
machine that has access to PHP can read the username and password from
your session files.
What you might consider is storing their PHPSESSID into a table in your
database with their username. You then can look them up with the PHPSESID
that will be given back to you from their browser on each page. Also
store the date/time, and update it to now() in every script/page.
Anything older than X minutes, you should consider an expired login, and
force them back to logging in again.
// Here you would check the supplied username and password against your
database to see if they exist.
// For example, a MySQL Query, your method may differ.
$link = mysql_connect(?, ?, ?) or die(Could not
connect);
mysql_select_db(s??) or die(Could not select database);
$sql = mysql_query(SELECT customerID, password, firstname FROM
customer_details WHERE username = '$username');
If you use MySQL's 'password' function, you can do like:
SELECT customer_ID, password = password('$password'), firstname FROM ...
You'll get either 1 or 0 if their password matches the encrypted version
in your database, but you won't actually have their password stored in the
database, and that's Good.
If you want to use crypt, something more like:
SELECT ..., password, ... FROM ...;
.
.
.
if (crypt($password, substr($fetch_em[password], 0, 2)) ==
$fetch_em[password]){
$valid_user = 1;
}
else{
$valid_user = 0;
}
$fetch_em = mysql_fetch_array($sql);
$numrows = mysql_num_rows($sql);
if($numrows != 0 $password == $fetch_em[password]) {
$valid_user = 1;
}
else {
$valid_user = 0;
}
$firstname = $fetch_em[firstname];
$IIDD = $fetch_em[customerID];
// If the username exists and pass is correct, don't pop up the login code
again.
// If info can't be found or verified
if (!($valid_user))
{
session_unset(); // Unset session variables.
session_destroy(); // End Session we created earlier.
// escape from php mode.
?
html xmlns=http://www.w3.org/1999/xhtml;
...
/html
?
exit();
}
?
Since all the HTML in the two places I put ... is the same (right?) then
that should be an include file, so you can't get them out of sync.
Better yet, would be to re-structure your page so that the first form is
just not there, and you only TRY to log in if (isset($_POST['username']))
So your page is more like this:
?php
if (isset($_POST['username'])){
//check if they are kosher, and decide on $valid_user setting
}
if (!$valid_user){
?
HTMLlogin form/HTML
?php
exit;
}
?
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question with my password protected login script...
Richard Lynch wrote: Ian Gray wrote: My question is, how secure is this? I have the password, username etc in a MYSQL database but I haven't encrypted it (don't know how) The MySQL 'password' function at http://mysql.com would work. For something that is portable to non MySQL systems, you can use http://php.net/crypt You should not use the MySQL PASSWORD() function within your own applications. MD5() is a good alternative as it's implemented in many programs including PHP and MySQL. Other suggestions were good, though. :) -- ---John Holmes... Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/ php|architect: The Magazine for PHP Professionals www.phparch.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question (from Chris's OSCON 2004 talk)
Hi folks. Thanks to all for the replies to my question about security on shared hosting the other day. I've contacted my hosting provider and they will be fixing the issues I've pointed out to them. I've got a question about a section of Chris's article on PHP security from his OSCON 2004 talk. When talking about protecting database credentials, Chris mentions creating a file (readable only by root) with the following: SetEnv DB_USER myuser SetEnv DB_PASS mypass and then using this: Include /path/to/secret-stuff in the httpd.conf file such that they show up in your $_SERVER array. I assume that the include directive would be declared inside the section of the httpd.conf file which defines everything for my site? This is probably a stupid question but I want to make sure of what I'm asking my hosting provider before I send my email. I'm also going to be asking them to set another environment variable, INC_PATH, and then I'll use this to reference the files which I'm including from outside my webroot, such that even if someone reads the files within my webroot, they won't see either the db username or password, nor will they see the path from which I am including sensitive files. Thoughts? Cheers and TIA, Pablo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question (from Chris's OSCON 2004 talk)
Hi folks. Sorry if this gets posted twice, but I sent it originally almost an hour ago and it hasn't shown up on the list yet. Thanks to all for the replies to my question about security on shared hosting the other day. I've contacted my hosting provider and they will be fixing the issues I've pointed out to them. I've got a question about a section of Chris's article on PHP security from his OSCON 2004 talk. When talking about protecting database credentials, Chris mentions creating a file (readable only by root) with the following: SetEnv DB_USER myuser SetEnv DB_PASS mypass and then using this: Include /path/to/secret-stuff in the httpd.conf file such that they show up in your $_SERVER array. I assume that the include directive would be declared inside the section of the httpd.conf file which defines everything for my site? This is probably a stupid question but I want to make sure of what I'm asking my hosting provider before I send my email. I'm also going to be asking them to set another environment variable, INC_PATH, and then I'll use this to reference the files which I'm including from outside my webroot, such that even if someone reads the files within my webroot, they won't see either the db username or password, nor will they see the path from which I am including sensitive files. Thoughts? Cheers and TIA, Pablo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question (from Chris's OSCON 2004 talk)
--- Pablo Gosse [EMAIL PROTECTED] wrote: I've got a question about a section of Chris's article on PHP security from his OSCON 2004 talk. When talking about protecting database credentials, Chris mentions creating a file (readable only by root) with the following: SetEnv DB_USER myuser SetEnv DB_PASS mypass and then using this: Include /path/to/secret-stuff in the httpd.conf file such that they show up in your $_SERVER array. The credit for this approach belongs to David Sklar and Adam Trachtenberg, not me. I just happen to think it's a good approach. :-) I know you weren't explicitly giving me credit, but I wanted to make sure. I assume that the include directive would be declared inside the section of the httpd.conf file which defines everything for my site? Yes, and I think this is a point that I left out. I probably thought it was obvious, but many people have emailed me about this. If the Apache Include directive given is not within your VirtualHost block or otherwise restricted to one user, then every user on the server can access that data. So, you want to make sure this directive only applies to you. I'm also going to be asking them to set another environment variable, INC_PATH, and then I'll use this to reference the files which I'm including from outside my webroot, such that even if someone reads the files within my webroot, they won't see either the db username or password, nor will they see the path from which I am including sensitive files. Thoughts? This is obscurity, which can be somewhat helpful, but don't rely on this for any sort of protection. While it's true that someone can't easily determine where you have your modules stored, this discovery isn't challenging enough to be considered a safeguard. I think it's best to keep anything that you consider sensitive in the database (this is for shared hosts only, mind you), and use the technique described above to protect your database access credentials. Hope that helps. Chris = Chris Shiflett - http://shiflett.org/ PHP Security - O'Reilly HTTP Developer's Handbook - Sams Coming December 2004http://httphandbook.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question (from Chris's OSCON 2004 talk)
On Friday 01 October 2004 00:59, Pablo Gosse wrote: When talking about protecting database credentials, Chris mentions creating a file (readable only by root) with the following: SetEnv DB_USER myuser SetEnv DB_PASS mypass and then using this: Include /path/to/secret-stuff in the httpd.conf file such that they show up in your $_SERVER array. I assume that the include directive would be declared inside the section of the httpd.conf file which defines everything for my site? This is probably a stupid question but I want to make sure of what I'm asking my hosting provider before I send my email. You can also have the following inside your virtual hosts containers: php_value mysql.default_host localhost php_value mysql.default_user db_user_name php_value mysql.default_password db_passwd Then simply use: $link = mysql_connect(); to connect to your database. Obviously your host should make sure httpd.conf is readable only by root. -- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * -- Search the list archives before you post http://marc.theaimsgroup.com/?l=php-general -- /* Grelb's Reminder: Eighty percent of all people consider themselves to be above average drivers. */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Security Question
On 20 February 2004 22:29, Ed Lazor wrote: PHP include statements default to the current directory. If the path to my PHP files is /home/osmosis/public_html, why would users visiting my site occasionally get an error that the include file wasn't found in /home/budguy/public_html? It's like PHP is somehow confused and running my script with the account settings (and permissions, possibly) for another user on my host provider's server. If that's true, wouldn't this quality as a security issue? They use open_basedir for security. Isn't that part of PHP? They're running the latest version of PHP (4.3.4). This looks like http://bugs.php.net/bug.php?id=25753 to me, which has only recently been marked as fixed and I don't believe has made it into an official release yet. Cheers! Mike - Mike Ford, Electronic Information Services Adviser, Learning Support Services, Learning Information Services, JG125, James Graham Building, Leeds Metropolitan University, Beckett Park, LEEDS, LS6 3QS, United Kingdom Email: [EMAIL PROTECTED] Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question
PHP include statements default to the current directory. If the path to my PHP files is /home/osmosis/public_html, why would users visiting my site occasionally get an error that the include file wasn't found in /home/budguy/public_html? It's like PHP is somehow confused and running my script with the account settings (and permissions, possibly) for another user on my host provider's server. If that's true, wouldn't this quality as a security issue? They use open_basedir for security. Isn't that part of PHP? They're running the latest version of PHP (4.3.4). Thanks, -Ed -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Security Question
Ed Lazor mailto:[EMAIL PROTECTED] on Friday, February 20, 2004 2:29 PM said: It's like PHP is somehow confused and running my script with the account settings (and permissions, possibly) for another user on my host provider's server. If that's true, wouldn't this quality as a security issue? not wanting to sound rude or anything, but have you emailed your host about this yet? chris. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Security Question
You're not being rude. I contacted them immediately about the script errors and described what seemed to be a security hole. The tech I spoke with didn't know what I was talking about, so I asked them to notify the owner of the problem and that I'd research it more and let them know of anything I find. I received email shortly thereafter saying that they disabled open_basedir on the server in response. -Ed -Original Message- It's like PHP is somehow confused and running my script with the account settings (and permissions, possibly) for another user on my host provider's server. If that's true, wouldn't this quality as a security issue? not wanting to sound rude or anything, but have you emailed your host about this yet? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security Question
Hello, I'm trying to develop a secure web based application and my only tools are php, mysql, and a SSL connection. Does anyone know of any good references for this kind of development? What I really need to do is to make sure that given users only gain access to the parts of the application they are given rights to. I'm not sure if I need to pass their user information along from page to page or if I should set a cookie or whatever else would be appropriate. I also want people to be bounced back to the login page if they enter a direct URL to part of the application without logging in first, and I also want people to be able to log out. Thanks, Thomas Andersen -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security Question
On Thu, 18 Dec 2003 10:43:14 -0500, you wrote: I'm trying to develop a secure web based application and my only tools are php, mysql, and a SSL connection. Does anyone know of any good references for this kind of development? What I really need to do is to make sure that given users only gain access to the parts of the application they are given rights to. I'm not sure if I need to pass their user information along from page to page or if I should set a cookie or whatever else would be appropriate. Read up about sessions. Essentially, a session is a random token which is sent to the client (normally as a cookie), and is associated with a collection of data server-side. You can safely store sensitive data (userids, privilege levels, etc) in the session because they never leave the server. http://www.php.net/manual/en/ref.session.php I also want people to be bounced back to the login page if they enter a direct URL to part of the application without logging in first, and I also want people to be able to log out. include() a file at the top of every page that checks for the existence of a valid session. If no session is present, use header(Location:) to bounce the user back to the login page and exit(). -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] security question
Can anyone think of any security caveats with regard to turning output_buffering on? I can't, but it's too hot to think straight these days Tnx. -- Paul Chvostek [EMAIL PROTECTED] it.canadahttp://www.it.ca/ Free PHP web hosting!http://www.it.ca/web/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question with PHP on Unix / Linux.
Ananth Kesari [EMAIL PROTECTED] wrote... : Thanks for your inputs. Will proceed from here. Well, if you did not know, NetWare is an operating system brought out by Novell. I know :) We are working on porting PHP onto NetWare. In fact, we already have ported PHP 4.2.3 onto NetWare and we have synched up our souces for the 4.3 branch. Interesting. Are you working with the php-dev team or on your own? -- Maxim Maletsky [EMAIL PROTECTED] Maxim Maletsky [EMAIL PROTECTED] 02/04/03 08:45PM Ananth Kesari [EMAIL PROTECTED] wrote... : I am working on porting PHP onto NetWare. What exactly do you mean? I am newbie to Unix / Linux systems and at this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. From PHP's point of view, every PHP process will run as apache's process, with apache's user. Most often `nobody' or `apache'. Do they get to login into the Unix / Linux system? No. Do they have separate data space for each user? No. Only sessions, if you use them. Sessions have their own unique IDs and are stored in a certain directory by default. A database solution can also be implemented. What is the API that is used to login to Unix / Linux. There is no login to the Unix / Linux. You might write one on your own, if you wish, but that would be your thing. PHP as it is, logs nobody to the Linux, it runs everybody's request as Apache's user. User may enter his username and password on the browser, but how do they get translated onto the Unix / Linux box? Whatever inputted to the broswer, is send to your script. Stays up to you to decide what to do with the user/pass. Basically, you would usually store the credentials in a database and then authenticate the users against the database, not Linux Shell itself. Since I am a newbie, I may have misunderstood some concepts here. Most of them. PHP is a programming language, not a shell interface or something. Stays up to you what to do once user runs your PHP script. -- Maxim Maletsky [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security question with PHP on Unix / Linux.
Hi, I am working on porting PHP onto NetWare. At this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. Do they get to login into the Unix / Linux system? Do they have separate data space for each user? What is the API that is used to login to Unix / Linux. User may enter his username and password on the browser, but how do they get translated onto the Unix / Linux box? Your help in this is appreciated. Thanks, Ananth. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security question with PHP on Unix / Linux.
Hi, I mailed this earlier, but got no response. Maybe it went unnoticed. So, resending it again. Please read below. Your help in this is appreciated. Thanks, Ananth. Hi, I am working on porting PHP onto NetWare. I am newbie to Unix / Linux systems and at this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. Do they get to login into the Unix / Linux system? Do they have separate data space for each user? What is the API that is used to login to Unix / Linux. User may enter his username and password on the browser, but how do they get translated onto the Unix / Linux box? Since I am a newbie, I may have misunderstood some concepts here. Can someone help me in understanding this correctly? Also, can you point me to any documentation on PHP security on Unix systems. I want some in-depth technical stuff upto what calls are made etc. Your help in this is appreciated. Thanks, Ananth. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question with PHP on Unix / Linux.
Ananth Kesari [EMAIL PROTECTED] wrote... : I am working on porting PHP onto NetWare. What exactly do you mean? I am newbie to Unix / Linux systems and at this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. From PHP's point of view, every PHP process will run as apache's process, with apache's user. Most often `nobody' or `apache'. Do they get to login into the Unix / Linux system? No. Do they have separate data space for each user? No. Only sessions, if you use them. Sessions have their own unique IDs and are stored in a certain directory by default. A database solution can also be implemented. What is the API that is used to login to Unix / Linux. There is no login to the Unix / Linux. You might write one on your own, if you wish, but that would be your thing. PHP as it is, logs nobody to the Linux, it runs everybody's request as Apache's user. User may enter his username and password on the browser, but how do they get translated onto the Unix / Linux box? Whatever inputted to the broswer, is send to your script. Stays up to you to decide what to do with the user/pass. Basically, you would usually store the credentials in a database and then authenticate the users against the database, not Linux Shell itself. Since I am a newbie, I may have misunderstood some concepts here. Most of them. PHP is a programming language, not a shell interface or something. Stays up to you what to do once user runs your PHP script. -- Maxim Maletsky [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question with PHP on Unix / Linux.
Ananth, For starters, you are probably on the wrong list - the PHP developers list is probably where you should be asking this question. Second, PHP runs through the web server, so the user is the same user the web server, usually nobody, although that depends on the how the web server is installed. No one is encouraged to all access to the underlying system through the web server, although the exec() function allows execution of some commands. I can't help you much more than that, and I believe the other list will be more fruitful. Regards - Miles Thompson At 07:54 AM 2/4/2003 -0700, Ananth Kesari wrote: Hi, I mailed this earlier, but got no response. Maybe it went unnoticed. So, resending it again. Please read below. Your help in this is appreciated. Thanks, Ananth. Hi, I am working on porting PHP onto NetWare. I am newbie to Unix / Linux systems and at this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. Do they get to login into the Unix / Linux system? Do they have separate data space for each user? What is the API that is used to login to Unix / Linux. User may enter his username and password on the browser, but how do they get translated onto the Unix / Linux box? Since I am a newbie, I may have misunderstood some concepts here. Can someone help me in understanding this correctly? Also, can you point me to any documentation on PHP security on Unix systems. I want some in-depth technical stuff upto what calls are made etc. Your help in this is appreciated. Thanks, Ananth. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question with PHP on Unix / Linux.
--- Miles Thompson [EMAIL PROTECTED] wrote: Ananth, For starters, you are probably on the wrong list - the PHP developers list is probably where you should be asking this question. Please do not go around saying this. We have enough problems with these types of posts winding up on php-dev as it is. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question with PHP on Unix / Linux.
Thanks for your inputs. Will proceed from here. Well, if you did not know, NetWare is an operating system brought out by Novell. We are working on porting PHP onto NetWare. In fact, we already have ported PHP 4.2.3 onto NetWare and we have synched up our souces for the 4.3 branch. Thanks, Ananth. Maxim Maletsky [EMAIL PROTECTED] 02/04/03 08:45PM Ananth Kesari [EMAIL PROTECTED] wrote... : I am working on porting PHP onto NetWare. What exactly do you mean? I am newbie to Unix / Linux systems and at this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. From PHP's point of view, every PHP process will run as apache's process, with apache's user. Most often `nobody' or `apache'. Do they get to login into the Unix / Linux system? No. Do they have separate data space for each user? No. Only sessions, if you use them. Sessions have their own unique IDs and are stored in a certain directory by default. A database solution can also be implemented. What is the API that is used to login to Unix / Linux. There is no login to the Unix / Linux. You might write one on your own, if you wish, but that would be your thing. PHP as it is, logs nobody to the Linux, it runs everybody's request as Apache's user. User may enter his username and password on the browser, but how do they get translated onto the Unix / Linux box? Whatever inputted to the broswer, is send to your script. Stays up to you to decide what to do with the user/pass. Basically, you would usually store the credentials in a database and then authenticate the users against the database, not Linux Shell itself. Since I am a newbie, I may have misunderstood some concepts here. Most of them. PHP is a programming language, not a shell interface or something. Stays up to you what to do once user runs your PHP script. -- Maxim Maletsky [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security question with PHP on Unix / Linux.
Thanks for your inputs. Will proceed from here. Well, I first posted this query on this list. But seeing no response, I thought probably it should have gone into PHP-dev list. When I posted there, I was discouraged to post such mails there. So, I came back to the general list. Thanks, Ananth. Miles Thompson [EMAIL PROTECTED] 02/04/03 08:32PM Ananth, For starters, you are probably on the wrong list - the PHP developers list is probably where you should be asking this question. Second, PHP runs through the web server, so the user is the same user the web server, usually nobody, although that depends on the how the web server is installed. No one is encouraged to all access to the underlying system through the web server, although the exec() function allows execution of some commands. I can't help you much more than that, and I believe the other list will be more fruitful. Regards - Miles Thompson At 07:54 AM 2/4/2003 -0700, Ananth Kesari wrote: Hi, I mailed this earlier, but got no response. Maybe it went unnoticed. So, resending it again. Please read below. Your help in this is appreciated. Thanks, Ananth. Hi, I am working on porting PHP onto NetWare. I am newbie to Unix / Linux systems and at this point of time, I am trying to understand the way security is implemented for PHP on Unix / Linux. I mean, how are the different users distinguished from Unix / Linux. Do they get to login into the Unix / Linux system? Do they have separate data space for each user? What is the API that is used to login to Unix / Linux. User may enter his username and password on the browser, but how do they get translated onto the Unix / Linux box? Since I am a newbie, I may have misunderstood some concepts here. Can someone help me in understanding this correctly? Also, can you point me to any documentation on PHP security on Unix systems. I want some in-depth technical stuff upto what calls are made etc. Your help in this is appreciated. Thanks, Ananth. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] security question regarding including files..
I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Obviously I can validate the file extension (.gif or .jpg) .. and I'm going to force the files to be stored offsite - they dont get to upload anything to the server. I'm just a bit paranoid about this, so I'm hoping someone more security-minded can tell me what to watch out for, what to check, if I'm missing anything.. Thanks, Chad -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
I guess you use some webserver, let's take apache. Apache's mime.conf has set several extensions, also php extensions. So only .php, .php3, .php4 files will be parsed by php. Chad Day wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Obviously I can validate the file extension (.gif or .jpg) .. and I'm going to force the files to be stored offsite - they dont get to upload anything to the server. I'm just a bit paranoid about this, so I'm hoping someone more security-minded can tell me what to watch out for, what to check, if I'm missing anything.. Thanks, Chad -- IPv6 + TCPA + wrecked Palladium server = NO COFFE! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
--- Chad Day [EMAIL PROTECTED] wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Your instincts serve you well. There are two types of attacks to worry about in this situation, depending on who can see this image. If only the user who submitted the URL can see it, then your users only risk CSRF attacks, which are not very common (yet) but are very dangerous. If everyone can see the image, then your application is also at risk of XSS. If you realize that an embedded image is requested separately by a Web client, you can see that this basically allows an attacker the opportunity of forcing another user to visit a URL of the attacker's choice. For example, consider an image that looks like this: img src=http://bookstore.xxx/buy.php?book=httphandbook; A browser will try to load that image by sending a request for that URL to bookstore.xxx. So, every user who happens to have a prior relationship with bookstore.xxx (maybe they have one-click ordering) will unknowingly purchase HTTP Developer's Handbook. All the victim will see is a broken image. Even if you check for file extensions, the attacker can have a URL that looks legitimate but is really a PHP script in disguise (their Apache treates .jpg as PHP, for example) and uses header(Location: ...) to redirect to the URL mentioned above. Also, this same attack can be used against one of your users to make them unknowingly submit such a URL to your site. Thus, even if you only show the image to the user who submitted it, that user may still be a victim. For more information on CSRF, check out http://www.tux.org/~peterw/csrf.txt. For more information on XSS, check out http://httpd.apache.org/info/css-security/ and http://www.cert.org/advisories/CA-2000-02.html. My advice would be to require human intervention in the way of a moderation system. Even with this, a URL that returns an image today may not tomorrow. A safer alternative might be to host the images yourself, so that you can check that they are in fact images. Good luck. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
Chris Shiflett wrote: --- Chad Day [EMAIL PROTECTED] wrote: I want to give my users the ability to submit a URL to a database, then when they pull up their page, their photo is included .. what I'm worried about is them pointing the link to some malicious code or something.. Your instincts serve you well. There are two types of attacks to worry about in this situation, depending on who can see this image. If only the user who submitted the URL can see it, then your users only risk CSRF attacks, which are not very common (yet) but are very dangerous. If everyone can see the image, then your application is also at risk of XSS. If you realize that an embedded image is requested separately by a Web client, you can see that this basically allows an attacker the opportunity of forcing another user to visit a URL of the attacker's choice. For example, consider an image that looks like this: img src=http://bookstore.xxx/buy.php?book=httphandbook; I agree that there are risks - but I do think this can be done safely if you make sure the user cannot insert javascript into the page, there isn't much cross site scripting that can be done. and make sure they can't insert quotes which would end the quoted string in the html page. is there really any site which will accept a book order based an a sigle GET ? I guess stripping the query string would be safest... but its a balance betwwen security and functionality ... -- Sean -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
On Wednesday 22 January 2003 01:40, Sean Burlington wrote: is there really any site which will accept a book order based an a sigle GET ? Amazon makes a big deal of their one-click shopping feature. It's so good they've even patented it. -- Jason Wong - Gremlins Associates - www.gremlins.biz Open Source Software Systems Integrators * Web Design Hosting * Internet Intranet Applications Development * /* We are drowning in information but starved for knowledge. -- John Naisbitt, Megatrends */ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
Gibbs, Liam - SXIA wrote: I agree that there are risks - but I do think this can be done safely Couldn't you just check the submitted URL and find out if it's a gif or jpeg? I don't think even PHP-enabled servers will run a gif or jpeg. please send replies to the list ... and you cant tell what type of file will be returned by the url it is easy to set up a server to treat a file named foo.gif as a php file (or whatever) even if you tested the url by attemting to download the file it would be easy to write a script that would return an innocent gif to requests originating for the webservers ip address - and anything else to the rest of the world. I'm not sure what harm could be done by this though. if a broswer attempts to load an image reference by an img tag - but finds an unsuitable type of data - I would expect it simply to ignore it... but this would be worth testing. -- Sean -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
--- Sean Burlington [EMAIL PROTECTED] wrote: I'm not sure what harm could be done by this though. if a broswer attempts to load an image reference by an img tag - but finds an unsuitable type of data - I would expect it simply to ignore it... I sent a response about this earlier, but you should research CSRF and XSS. It does not matter that the browser shows a broken image if it has already sent the HTTP request. There is no special HTTP request for checking whether the Content-Type is really an image without the receiving Web server taking any action. A GET is a GET. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
--- Sean Burlington [EMAIL PROTECTED] wrote: is there really any site which will accept a book order based an a sigle GET? Well, yes, but that is not the point really. The example of the img tag is just one way you can forge an HTTP request from another user (the victim). Also consider that many people create sites with PHP with register_globals set to on. Even when these people go to great lengths to validate all incoming data and to identify the user, this does not defend against CSRF. The data being sent is valid data, and the user sending it is the authenticated user. That is the danger. Chris -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] security question regarding including files..
Chris Shiflett wrote: --- Sean Burlington [EMAIL PROTECTED] wrote: I'm not sure what harm could be done by this though. if a broswer attempts to load an image reference by an img tag - but finds an unsuitable type of data - I would expect it simply to ignore it... I sent a response about this earlier, but you should research CSRF and XSS. It does not matter that the browser shows a broken image if it has already sent the HTTP request. There is no special HTTP request for checking whether the Content-Type is really an image without the receiving Web server taking any action. A GET is a GET. hmmm but what does this have to do with the site allowing users to include links to images this is a security problem for the site that allows you to place purchase orders with a single click. what difference does it make that img links are placed by users ? I could just as easily trick users into making GET requests by puting dodgy img links in a pgae that I control ... I only initiate a small proportion of the requests my browser makes - in fact I go to some trouble to stop some of the requests happening as I don't like to see so many ads - I filter outgoing requests via squid. There are problems in the way the internet is designed and in misconcepotions as to how it works - but if we all code for absolute security we end up disconnecting from the web entirely. -- Sean -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Security question: getenv()
Happy Friday! I don't know anything about the innards of the PHP/Apache relationship. I am wondering if there is a security advantage to using the getenv() function to access an environment variable, instead of using the $HTTP_SERVER_VARS array, or, if register_globals is on, the global version of the variable. Using $SERVER_NAME as an example, and assuming register_globals is on, if $foo = gentenv(SERVER_NAME); $bar = $HTTP_SERVER_VARS[SERVER_NAME]; are $foo, $bar and $SERVER_NAME guaranteed to have the same value? Can a cracker poison one of these but not the other? Does getenv() get the value from Apache or PHP's namespace? You know what I'm getting at, right? ;) TIA Happy Friday! Kirk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] security question
Tried this. Get an error from my host: open_basedir restriction in effect. I'm new at this. Do you know what this means and is there a work around? -Original Message- From: Alexander Deruwe [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 17, 2001 3:28 PM To: [EMAIL PROTECTED] Subject: Re: [PHP] security question On Wednesday 17 October 2001 19:14, Daniel Goldin wrote: But I need to protect the files themselves. Is their a way to protect the files without adding another level of authorization when someone does access them from the browser? Move these text files one directory below the server root. E.g: /www/myserver is the root, so you create a directory /www/text-files. This can then never be accessed from a webbrowser, but PHP can still find them. Alexander -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] Security Question
In a lot of PHP code that I have seen, there are lines such as this:
mysql_connect('localhost', 'mysql_login()', 'mysql_password()');
that is used to hide the login and password from someone should they
somehow view the code instead of the output of the PHP file. My question
is, how do I set up those functions mysql_login and mysql_password? Are
they just standard functions defined in a header someplace? Or is this even
the best, most secure way of handling it?
Ryan Shrout
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] Security Question
somehow view the code instead of the output of the PHP file. My question is, how do I set up those functions mysql_login and mysql_password? Are they just standard functions defined in a header someplace? Or is this even the best, most secure way of handling it? Include your login and password from an includefile which is outside your HTML directory. Bye, B. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] security question
Hello there, I'm posting a username and a password with: input type="hidden" name="username" value="?php echo $username ?" input type="hidden" name="password" value="?php echo $password ?" When I check $HTTP_POST_VARS I can see the values as they're plain text. Is this still safe to do or should I encrypt the strings before posting them between pages? Thanks for your help. -Original Message- From: Brian V Bonini [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 13 February 2001 11:07 AM To: PHP Lists Subject: [PHP] serialize/deserialize data What exactly does serialize/deserialize data mean? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] security question
I think you should encrypt (crypt). On Tue, 13 Feb 2001, Marc Aragnou wrote: Hello there, I'm posting a username and a password with: input type="hidden" name="username" value="?php echo $username ?" input type="hidden" name="password" value="?php echo $password ?" When I check $HTTP_POST_VARS I can see the values as they're plain text. Is this still safe to do or should I encrypt the strings before posting them between pages? Thanks for your help. -Original Message- From: Brian V Bonini [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 13 February 2001 11:07 AM To: PHP Lists Subject: [PHP] serialize/deserialize data What exactly does serialize/deserialize data mean? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] security question
if you are using these values to check for user login across multpile pages on your site (i.e you want the user to login at one place and you are passing the login info to all the other pages on the site using the hidden fields ) you should take a look at the concept of user sessions take a look at the phplib session management, tutorials on sessions at www.phpbuilder.com (I am not very sure bnut I recall they had one) and the session functions in the php manual. hope that helps Ankur Verma HCL Technologies A1CD, Sec -16 Noida, UP India - Original Message - From: "Marc Aragnou" [EMAIL PROTECTED] To: "PHP Lists" [EMAIL PROTECTED] Sent: Tuesday, February 13, 2001 6:00 AM Subject: [PHP] security question Hello there, I'm posting a username and a password with: input type="hidden" name="username" value="?php echo $username ?" input type="hidden" name="password" value="?php echo $password ?" When I check $HTTP_POST_VARS I can see the values as they're plain text. Is this still safe to do or should I encrypt the strings before posting them between pages? Thanks for your help. -Original Message- From: Brian V Bonini [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 13 February 2001 11:07 AM To: PHP Lists Subject: [PHP] serialize/deserialize data What exactly does serialize/deserialize data mean? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
