RE: [PHP] Security of PHP code

2001-07-05 Thread Christopher Ostmo
e also. > > -Original Message- > > From: Christopher Ostmo [mailto:[EMAIL PROTECTED]] > > Sent: 5 July 2001 19:57 > > To: Adrian Ciutureanu > > Cc: [EMAIL PROTECTED] > > Subject: RE: [PHP] Security of PHP code > > > > > > Adrian Ciutur

RE: [PHP] Security of PHP code

2001-07-05 Thread Adrian Ciutureanu
iutureanu > Cc: [EMAIL PROTECTED] > Subject: RE: [PHP] Security of PHP code > > > Adrian Ciutureanu pressed the little lettered thingies in > this order... > > > $allowed_path = '/www/sites/mysite/teaching'; > > $file = realpath($file); &

RE: [PHP] Security of PHP code

2001-07-05 Thread Adrian Ciutureanu
This is good code. Read http://php.net/realpath > -Original Message- > From: Christopher Ostmo [mailto:[EMAIL PROTECTED]] > Sent: 5 July 2001 19:57 > To: Adrian Ciutureanu > Cc: [EMAIL PROTECTED] > Subject: RE: [PHP] Security of PHP code > > > Adrian Ci

RE: [PHP] Security of PHP code

2001-07-05 Thread Christopher Ostmo
Adrian Ciutureanu pressed the little lettered thingies in this order... > $allowed_path = '/www/sites/mysite/teaching'; > $file = realpath($file); > if(ereg("^$allowed_path", $file)) { > // it's OK > } else { > // possible attack! > } > This is not good code. A user could replace the $file i

RE: [PHP] Security of PHP code

2001-07-05 Thread Matt Williams
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 > The only foolproof method for restricting access is to strip > forward slashes. In the above example, I can change the file to: > /www/sites/mysite/teaching/../../../../etc/passwd > And it will be allowed > If you were to do this, however: > $al
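
The string-prefix check discussed above, placed next to a realpath()-based check and run over a small directory tree, as an added example that is not code from any of the posts. The directory layout is constructed in the system temp directory, and the extension allowlist ('php', 'inc') is an assumption for the demo.

```php
<?php
// Added example, not code from the thread. It puts the string-prefix check
// proposed in the discussion next to a realpath()-based check and runs both
// over a constructed directory tree in the system temp dir, so it runs anywhere.
// The directory names and the extension allowlist are assumptions for the demo.

// The check proposed in the thread: compares only the text of the path.
function is_allowed_naive(string $allowed_path, string $file): bool
{
    return substr($file, 0, strlen($allowed_path)) === $allowed_path;
}

// Canonicalise first, then compare against the canonical base directory
// with a trailing separator, and only serve a few source-like extensions.
function is_allowed_canonical(string $allowed_path, string $file, array $allowed_ext = ['php', 'inc']): bool
{
    $base = realpath($allowed_path);
    $real = realpath($file);
    if ($base === false || $real === false) {
        return false; // missing file, dangling symlink or unreadable path: deny
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // The trailing separator matters: without it ".../teaching2" passes as ".../teaching".
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return in_array($ext, $allowed_ext, true);
}

// Constructed fixture: an allowed directory, a sibling whose name shares the
// allowed directory's name as a prefix, and a file outside both.
$root    = sys_get_temp_dir() . '/srcshow_' . getmypid();
$allowed = $root . '/teaching';
mkdir($allowed, 0700, true);
mkdir($root . '/teaching2', 0700);
file_put_contents($allowed . '/lesson.php', "<?php echo 'lesson';\n");
file_put_contents($root . '/teaching2/other.php', "<?php echo 'other';\n");
file_put_contents($root . '/secret.txt', "not for the web\n");

$cases = [
    $allowed . '/lesson.php',              // legitimate request
    $allowed . '/../secret.txt',           // traversal: still begins with the prefix
    $root . '/teaching2/other.php',        // sibling directory sharing the prefix
    $allowed . '/../../../../etc/passwd',  // the thread's example, if it exists on this host
];

foreach ($cases as $file) {
    printf("%-36s naive=%-5s canonical=%s\n",
        str_replace($root, '<root>', $file),
        is_allowed_naive($allowed, $file) ? 'allow' : 'deny',
        is_allowed_canonical($allowed, $file) ? 'allow' : 'deny'
    );
}

// Remove the fixture.
unlink($allowed . '/lesson.php');
unlink($root . '/teaching2/other.php');
unlink($root . '/secret.txt');
rmdir($allowed);
rmdir($root . '/teaching2');
rmdir($root);
```

Running it shows the naive check allowing the traversal case and the sibling-directory case while the canonical check denies both. Two details are easy to miss: realpath() returns false for a path that does not exist, which must be treated as a denial rather than compared as a string, and the canonical base must carry a trailing separator, since a bare prefix match (the `ereg("^$allowed_path", ...)` form quoted elsewhere in this thread) also accepts `/www/sites/mysite/teaching2/...`.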

RE: [PHP] Security of PHP code

2001-07-05 Thread Adrian Ciutureanu
ED]] > Sent: 5 July 2001 02:22 > To: Sascha Schumann > Cc: Jon Haworth; 'Hankley, Chip'; PHP Mailingliste > Subject: Re: [PHP] Security of PHP code > > > "Sascha Schumann" <[EMAIL PROTECTED]> wrote: > > On Wed, 4 Jul 2001, Steve Werby wrote: >

RE: [PHP] Security of PHP code

2001-07-04 Thread Adrian Ciutureanu
2001 15:29 > To: [EMAIL PROTECTED] > Subject: Re: [PHP] Security of PHP code > > > > > > $allowed_path = "/www/sites/mysite/teaching"; > > > > if (substr($file, 0, strlen($allowed_path)) != $allowed_path ) > > { > > die("

Re: [PHP] Security of PHP code

2001-07-04 Thread Tiger Quimpo
hello all, i just recently looked at this thread, so i don't know what's been discussed before today. i thought i'd point everyone at: http://lwn.net/2001/0704/a/study-in-scarlet.php3 however. just came out yesterday. very relevant. tiger -- Gerald Timothy Quimpo [EMAIL PR

Re: [PHP] Security of PHP code

2001-07-04 Thread Steve Werby
"Sascha Schumann" <[EMAIL PROTECTED]> wrote: > On Wed, 4 Jul 2001, Steve Werby wrote: > > > "Jon Haworth" <[EMAIL PROTECTED]> wrote: > > > Yes, I would have thought this would do it: > > > > > > if (strstr($file, "/usr/local/apache/htdocs/")) { > > > show_source($file); > [..] > > Something along t

RE: [PHP] Security of PHP code

2001-07-04 Thread Brian White
Possibilities for improving security on a source displayer. 1) Maybe you could restrict your source shower to only look at particular types of files - maybe the file has to end in ".php" or ".inc" before it is even considered. 2) Given that something that displays the source needs to re

Re: [PHP] Security of PHP code

2001-07-04 Thread Ryan
You guys wouldnt have to worry if you chroot apache and php.. ;] then you cant access anything outside the jail, it works great! Ryan -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the l

Re: [PHP] Security of PHP code

2001-07-04 Thread Christian Reiniger
On Wednesday 04 July 2001 16:12, ReDucTor wrote: > http://sourceforge.net/source.php?page_url=/source.php look at that... No problem. Have a look at what is done before the show_source () call. That script *is* safe :) > > It is not how secure PHP is, it is how well YOU protect it. > > For exam

Re: [PHP] Security of PHP code

2001-07-04 Thread Christopher Ostmo
Delbono pressed the little lettered thingies in this order... > > maybe one could be > > $allowed_path = "/www/sites/mysite/teaching"; > > if (substr($file, 0, strlen($allowed_path)) != $allowed_path ) > { > die("not allowed!"); > } > else > { > show_source($file); > } > ?> > The only foo

Re: [PHP] Security of PHP code

2001-07-04 Thread Phil Driscoll
Surely the lesson here is to NEVER NEVER NEVER write PHP code which accepts a filename of any kind as one of its arguments. Yes, it will make some of your code a bit less versatile and more long winded, but you can bet your bottom dollar that someone can find a crafty way around whatever syntax

Re: [PHP] Security of PHP code

2001-07-04 Thread Delbono
Yes, I supposed there could be that eventuality... I supposed or hoped that wasn't a valid path. > /usr/local/apache/htdocs/../../../../etc/passwd as path.. I'm not very practice of paths... actually > On Wed, 4 Jul 2001, Steve Werby wrote: > > > "Jon Haworth" <[EMAIL PROTECTED]> wrote

Re: [PHP] Security of PHP code

2001-07-04 Thread Sascha Schumann
On Wed, 4 Jul 2001, Steve Werby wrote: > "Jon Haworth" <[EMAIL PROTECTED]> wrote: > > Yes, I would have thought this would do it: > > > > if (strstr($file, "/usr/local/apache/htdocs/")) { > > show_source($file); [..] > Something along those lines will work. Without some kind of limitations > buil

Re: [PHP] Security of PHP code

2001-07-04 Thread Arcady Genkin
"Hankley, Chip" <[EMAIL PROTECTED]> writes: > Is it possible to have such a function on your site w/o giving access to ALL > of your documents... On top of everything the other users recommended, you can enable safe mode. It will protect you from sloppy programming. -- Arcady Genkin i=1; while

Re: [PHP] Security of PHP code

2001-07-04 Thread Steve Werby
"Jon Haworth" <[EMAIL PROTECTED]> wrote: > Yes, I would have thought this would do it: > > if (strstr($file, "/usr/local/apache/htdocs/")) { > show_source($file); > } else { > echo "File must be in /usr/local/apache/htdocs!"; > } > > Modify as appropriate. > > Have I missed anything, or will this d

Re: [PHP] Security of PHP code

2001-07-04 Thread james
> $allowed_path = "/www/sites/mysite/teaching"; > > if (substr($file, 0, strlen($allowed_path)) != $allowed_path ) > { > die("not allowed!"); > } > else > { > show_source($file); > } > ?> I've missed part of the discussion, but if my understanding of the issue is correct (accepting a filename

Re: [PHP] Security of PHP code

2001-07-04 Thread Tyrone Mills
p" <[EMAIL PROTECTED]> To: "PHP Mailingliste" <[EMAIL PROTECTED]> Sent: Wednesday, July 04, 2001 8:45 AM Subject: RE: [PHP] Security of PHP code > OK, > > I'm pretty new to PHP, and have been reading this thread, and am just a > little freaked. > > If

RE: [PHP] Security of PHP code

2001-07-04 Thread Christopher Ostmo
Adrian Ciutureanu pressed the little lettered thingies in this order... > Here is something that happened to me: I forgot to tell Apache that .inc > files must be parsed by PHP. All works fine if you include a .inc file, but > if somebody guesses a .inc file name, he can see the content of that file!

RE: [PHP] Security of PHP code

2001-07-04 Thread Jon Haworth
Jon -Original Message- From: Hankley, Chip [mailto:[EMAIL PROTECTED]] Sent: 04 July 2001 16:46 To: PHP Mailingliste Subject: RE: [PHP] Security of PHP code OK, I'm pretty new to PHP, and have been reading this thread, and am just a little freaked. If I understand this right, the on

Re: [PHP] Security of PHP code

2001-07-04 Thread Delbono
maybe one could be $allowed_path ) { die("not allowed!"); } else { show_source($file); } ?> - Original Message - From: "Hankley, Chip" <[EMAIL PROTECTED]> To: "PHP Mailingliste" <[EMAIL PROTECTED]> Sent: Wednesday, July 04, 2001 5:

RE: [PHP] Security of PHP code

2001-07-04 Thread Hankley, Chip
OK, I'm pretty new to PHP, and have been reading this thread, and am just a little freaked. If I understand this right, the only way reason we can view the source code of those pages is that the web server on which the page resides essentially has a PHP page somewhere on their site that has some

Re: [PHP] Security of PHP code

2001-07-04 Thread Delbono
would be really silly if http://www.php.net/source.php?url=/index.php - Original Message - From: "Tim Taubert" <[EMAIL PROTECTED]> To: "PHP Mailingliste" <[EMAIL PROTECTED]> Sent: Wednesday, July 04, 2001 5:27 PM Subject: RE: [PHP] Security of PH

RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert
/ - .o] -Original Message- .o] From: Tim Taubert [mailto:[EMAIL PROTECTED]] .o] Sent: Wednesday, July 04, 2001 5:16 PM .o] To: PHP Mailingliste .o] Subject: RE: [PHP] Security of PHP code .o] .o] .o] mh i know it was the wrong

RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert
om/rg/ - .o] -Original Message- .o] From: PHPBeginner.com [mailto:[EMAIL PROTECTED]] .o] Sent: Wednesday, July 04, 2001 5:17 PM .o] To: [EMAIL PROTECTED]; PHP Mailingliste .o] Subject: RE: [PHP] Security of PHP code .o] .o] .o] Just for the respect of the community

RE: [PHP] Security of PHP code

2001-07-04 Thread PHPBeginner.com
: Tim Taubert [mailto:[EMAIL PROTECTED]] Sent: Thursday, July 05, 2001 12:09 AM To: PHP Mailingliste Subject: RE: [PHP] Security of PHP code oh thanks for the disclaimer ;) forgot it.. richard: didn't think about it.. but should have done it.. first and last time i did it *promised* :) T

RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert
om/rg/ - .o] -Original Message- .o] From: PHPBeginner.com [mailto:[EMAIL PROTECTED]] .o] Sent: Wednesday, July 04, 2001 5:09 PM .o] To: [EMAIL PROTECTED]; PHP Mailingliste .o] Subject: RE: [PHP] Security of PHP code .o] .

RE: [PHP] Security of PHP code

2001-07-04 Thread Richard Heyes
> you're totally right.. look at this > > *no comment* and not my site... What on earth possessed you to post that url?! Jeez! -- Richard Heyes

RE: [PHP] Security of PHP code

2001-07-04 Thread PHPBeginner.com
PROTECTED]] Sent: Wednesday, July 04, 2001 11:58 PM To: PHP Mailingliste Subject: RE: [PHP] Security of PHP code you're totally right.. look at this http://www.ssw.uni-linz.ac.at/Teaching/Lectures/Sem/2000/Alexander/source.php3?url=/etc/passwd *no comment* and not my site.

RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert
- .o] From: Tim Taubert [mailto:[EMAIL PROTECTED]] .o] Sent: Wednesday, July 04, 2001 4:58 PM .o] To: PHP Mailingliste .o] Subject: RE: [PHP] Security of PHP code .o] .o] .o] you're totally right.. look at this .o] .o] http://www.ssw.uni-linz.ac.at/Teaching/Lectures/Sem/2000/Alexander/sour

RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert
http://www.shogunat.com/rg/ - .o] -Original Message- .o] From: PHPBeginner.com [mailto:[EMAIL PROTECTED]] .o] Sent: Wednesday, July 04, 2001 4:09 PM .o] To: [EMAIL PROTECTED]; php-general .o] Subject: RE: [PHP] Security of PHP

Re: [PHP] Security of PHP code

2001-07-04 Thread ReDucTor
http://sourceforge.net/source.php?page_url=/source.php look at that... - Original Message - From: PHPBeginner.com <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; php-general <[EMAIL PROTECTED]> Sent: Thursday, July 05, 2001 12:08 AM Subject: RE: [PHP] Security of PHP code

RE: [PHP] Security of PHP code

2001-07-04 Thread PHPBeginner.com
SECURE, SECURE. It is not how secure PHP is, it is how well YOU protect it. For example = make this line show_source($file); then go to your page like file.php?file=/etc/passwd and you're freaked! There is a whole bunch of ways to hack your pages if not protected well enough, but PHP itself has n

RE: [PHP] Security of PHP code

2001-07-04 Thread Rasmus Lerdorf
The right way to fix this is to add a rule to your Apache configuration that looks like this: Order allow,deny Deny from all That will simply prevent any direct access at all to your .inc files. Making the .inc files simply be parsed by PHP could still be a problem as they could be cal
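
The Apache rule Rasmus describes, written out in full as an added example (the enclosing directive did not survive in the archived post, so the `<FilesMatch>` wrapper and the `.inc` pattern are assumptions here, not a quote of his configuration). The second block is the same rule in the Apache 2.4 authorization syntax, which is not mentioned in the thread.

```apache
# Added example, not the configuration quoted in the message above.
# Assumes Apache httpd and that included files carry the ".inc" suffix.

# Apache 1.3 / 2.2 syntax (the directives named in the message):
<FilesMatch "\.inc$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 equivalent:
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>
```

After a reload, a direct request such as `curl -i http://host/config.inc` should return 403 while pages that `include()` the file keep working, because `include()` reads from the filesystem and never goes through the web server's access control. Keeping the included files outside the DocumentRoot altogether removes the need for the rule, but the rule is the right fix when the files must stay where they are.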

RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert
neral > Subject: RE: [PHP] Security of PHP code > > > Here is something that happened to me: I forgot to tell Apache that .inc > files must be parsed by PHP. All works fine if you include a .inc file, > but if somebody guesses a .inc file name, he can see the content of that > file! &g

RE: [PHP] Security of PHP code

2001-07-04 Thread Adrian Ciutureanu
Here is something that happened to me: I forgot to tell Apache that .inc files must be parsed by PHP. All works fine if you include a .inc file, but if somebody guesses a .inc file name, he can see the content of that file! > -Original Message- > From: David A Dickson [mailto:[EMAIL PROTECTED]

RE: [PHP] Security of PHP code

2001-07-04 Thread Tim Taubert
i think that you can't attack php code because it's a server side scripting language... just with *echo*(and others) you send some code to the browser... i guess it's secure ;) Tim Taubert - Tim Taubert | [EMAIL PROTECTED] |