Linux Users' Group of Davis (LUGOD)
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] php security (was: another php question)

On Thu, 6 Jun 2002, Tim Riley wrote:

> An easy way around exposing /etc/anything is to do what Apache does with
> HTML documents: only reference documents inside a relative directory.
> 
> e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]

Then you have to worry about

 $arg[ 1 ] = "../../etc/passwd"

perhaps... (I don't know php... so I offer a perlism...)

 $arg[ 1 ] =~ s/.{2,}\//\//g;

will clean it up?

Untainting is a tricky process.  You might consider maintaining a file of
permissible filenames, and simply confirming that the filename provided is
an exact match with one of them.  Or, just use an ID number in the URL for
the file you want to access.

> 
> Peter Jay Salzman wrote:
> 
> > begin Matt Roper <matt@mattrope.com>
> > > On Thu, Jun 06, 2002 at 11:04:19AM -0700, Peter Jay Salzman wrote:
> > > ...
> > > > is there a way to pass a variable to a php3 href so i can have one file
> > > > that does a reading, but with an argument of which data file to read?
> > > > something like:
> > > >
> > > >
> > > >    Click on your favorite car:
> > > >    <UL>
> > > >    <LI><A href="display_stats.php3" arg="mustang.dat">mustang</A>
> > > >    <LI><A href="display_stats.php3" arg="beetle.dat">beetle</A>
> > > >    ...
> > > >    </UL>
> > > >
> > > > can i do this sort of thing with php3?
> > >
> > > I think what you want is
> > >
> > >     <UL>
> > >     <LI><A href="display_stats.php3?arg=mustang.dat">mustang</A>
> > >     <LI><A href="display_stats.php3?arg=beetle.dat">beetle</A>
> > >     ...
> > >     </UL>
> > >
> > > After doing this, your display_stats page can read the argument from
> > > $arg.  Note that you still need to do some checking to make sure people
> > > don't craft a url like "display_stats.php3?arg=/etc/shadow" -- this can
> > > be a security hole if you use the filename directly without checking it
> > > first.
> >
> > that's really cool -- i didn't know you could do this sort of thing.
> > it's ... "cgi-like".
> >
> > your warning sends chills up my spine, though.
> >
> > i'd check which files are allowed to open, rather than which files are NOT
> > allowed to open (too many files to protect).  something like:
> >
> >    if ($arg != "beetle.dat" && $arg != "mustang.dat" && ... ) {
> >       system("mail -s 'funny business on the php page' p@dirac.org");
> >       blah blah blah
> >    }
> >
> > btw, what should "blah blah blah" be?   just an empty return statement?
> > would that be secure?
> >
> > if someone tries something evil, i'd like to be sent email notification.
> > maybe even blacklist the ip address that was doing the monkey business.
> > anyway
> >
> > it never occurred to me to check for this.  the prospect of someone
> > forging an url and gaining access to something like /etc/shadow is
> > frightening!
> >
> > actually -- even better -- is there a directive to tell php "you're only
> > allowed to open files in /www/p/Adventuring" or something like that?
> >
> > pete
> >
> > ps- thanks for the warning.  i never would've thought of this!

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
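As an added example (not code from the thread or from LUGOD), here is a display_stats handler written the way Jeff's reply suggests: the filename from the URL must be an exact match against a list of permissible files, or the URL carries only an ID number and the filename never comes from the client at all. It uses modern PHP ($_GET instead of the register_globals-style $arg); the $DATA_DIR path and the .dat filenames are illustrative assumptions.

```php
<?php
// Added example, not code from the thread: the two safe approaches Jeff
// describes (exact match against a list of permissible filenames, or an ID
// number in the URL). $DATA_DIR and the filenames are illustrative assumptions.
$DATA_DIR = '/www/p/Adventuring/data';

// Allowed data files, keyed by a numeric ID so the URL can carry "?id=2"
// and no filename at all.
$PERMISSIBLE = [1 => 'mustang.dat', 2 => 'beetle.dat'];

// Approach 1: the filename from the URL must be an exact match.
// Returns the full path, or null if the request is not permitted.
function resolve_by_name(string $arg, array $permissible, string $dir): ?string
{
    // Strict in_array: no type juggling and no partial matches, so
    // "../../etc/passwd" or "mustang.dat/../../etc/passwd" never pass.
    if (!in_array($arg, $permissible, true)) {
        return null;
    }
    return $dir . '/' . $arg;
}

// Approach 2: the URL carries only an ID; the filename never comes from the client.
function resolve_by_id(string $idParam, array $permissible, string $dir): ?string
{
    // ctype_digit rejects "", "-1", "1e3" and "2/../x" before the lookup.
    if (!ctype_digit($idParam) || !isset($permissible[(int) $idParam])) {
        return null;
    }
    return $dir . '/' . $permissible[(int) $idParam];
}

// Rejected requests go to the server error log with the client address,
// rather than into a shell command via system().
function reject(string $what): void
{
    error_log('display_stats: rejected ' . $what . ' from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    echo 'No such car.';
    exit;
}
$path = isset($_GET['id'])
    ? resolve_by_id((string) $_GET['id'], $PERMISSIBLE, $DATA_DIR)
    : resolve_by_name((string) ($_GET['arg'] ?? ''), $PERMISSIBLE, $DATA_DIR);
if ($path === null) {
    reject(var_export($_GET, true));
}
readfile($path);
```

On Pete's question about a directive, PHP's open_basedir setting restricts which directory trees PHP may open files under; it is a useful second layer, but the exact-match or ID lookup above is what keeps the application itself from handing out arbitrary files.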
