Linux Users' Group of Davis (LUGOD)
Page last updated:
2002 Jun 06 12:49

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] php security (was: another php question)

An easy way around exposing /etc/anything is to do what Apache does with
HTML documents: only reference documents inside a relative directory.

e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]

Peter Jay Salzman wrote:

> begin Matt Roper <matt@mattrope.com>
> > On Thu, Jun 06, 2002 at 11:04:19AM -0700, Peter Jay Salzman wrote:
> > ...
> > > is there a way to pass a variable to a php3 href so i can have one file
> > > that does a reading, but with an argument of which data file to read?
> > > something like:
> > >
> > >
> > >    Click on your favorite car:
> > >    <UL>
> > >    <LI><A href="display_stats.php3" arg="mustang.dat">mustang</A>
> > >    <LI><A href="display_stats.php3" arg="beetle.dat">beetle</A>
> > >    ...
> > >    </UL>
> > >
> > > can i do this sort of thing with php3?
> >
> > I think what you want is
> >
> >     <UL>
> >     <LI><A href="display_stats.php3?arg=mustang.dat">mustang</A>
> >     <LI><A href="display_stats.php3?arg=beetle.dat">beetle</A>
> >     ...
> >     </UL>
> >
> > After doing this, your display_stats page can read the argument from
> > $arg.  Note that you still need to do some checking to make sure people
> > don't craft a url like "display_stats.php3?arg=/etc/shadow" -- this can
> > be a security hole if you use the filename directly without checking it
> > first.
>
> that's really cool -- i didn't know you could do this sort of thing.
> it's ... "cgi-like".
>
> your warning sends chills up my spine, though.
>
> i'd check which files are allowed to open, rather than which files are NOT
> allowed to open (too many files to protect).  something like:
>
>    if ($arg != "beetle.dat" && $arg != "mustang.dat" && ... ) {
>       system('mail -s "funny business on the php page" p@dirac.org');
>       blah blah blah
>    }
>
> btw, what should "blah blah blah" be?   just an empty return statement?
> would that be secure?
>
> if someone tries something evil, i'd like to be sent email notification.
> maybe even blacklist the ip address that was doing the monkey business.
> anyway
>
> it never occurred to me to check for this.  the prospect of someone
> forging an url and gaining access to something like /etc/shadow is
> frightening!
>
> actually -- even better -- is there a directive to tell php "you're only
> allowed to open files in /www/p/Adventuring" or something like that?
>
> pete
>
> ps- thanks for the warning.  i never would've thought of this!
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech

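As an added example (not code from either poster), here is how display_stats could validate the `?arg=` value the way Pete proposes: an allowlist of known-good names, plus a realpath() containment check, since prefixing a directory onto the argument does not by itself stop a "../" in it. It assumes a current PHP where the argument arrives in `$_GET['arg']` (the thread's `$arg` came from register_globals) and a made-up data directory `/www/p/Adventuring/data`.

```php
<?php
// Added example, not from the thread. Assumed data directory; adjust it.
define('DATA_DIR', '/www/p/Adventuring/data');

// Allowlist: the only names a user may request. Everything else is
// rejected, so there is no need to enumerate bad paths like /etc/shadow.
$allowed = array('mustang.dat' => true, 'beetle.dat' => true);

function resolve_data_file($arg, $allowed, $data_dir) {
    // 1. Exact match against the allowlist.
    if (!is_string($arg) || !isset($allowed[$arg])) {
        return null;
    }
    // 2. Second layer: the resolved file must still sit inside $data_dir.
    //    Compare canonical paths instead of trusting the concatenated string.
    $base = realpath($data_dir);
    $path = realpath($data_dir . '/' . $arg);
    if ($base === false || $path === false) {
        return null;                    // directory or file does not exist
    }
    if (strpos($path, $base . '/') !== 0) {
        return null;                    // escaped the data directory
    }
    return $path;
}

$arg  = isset($_GET['arg']) ? $_GET['arg'] : '';
$file = resolve_data_file($arg, $allowed, DATA_DIR);

if ($file === null) {
    // The "blah blah blah" branch: record the attempt with the client
    // address and stop. error_log() writes to the web server's error log
    // and never passes the user's string to a shell, unlike system().
    $safe_arg = preg_replace('/[^\x20-\x7e]/', '?', $arg);
    error_log('display_stats: rejected arg "' . $safe_arg . '" from '
              . $_SERVER['REMOTE_ADDR']);
    header('HTTP/1.0 400 Bad Request');
    echo 'Unknown data file.';
    exit;
}

// Known-good file: show it, escaping its contents for the HTML page.
echo '<pre>' . htmlspecialchars(file_get_contents($file)) . '</pre>';
?>
```

On Pete's last question: PHP's open_basedir directive (set in php.ini or the Apache configuration) restricts the directories PHP may open files from, which is a useful second layer but not a substitute for checking the argument in the script.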
