Page last updated:
2002 Jun 07 08:28

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] php security (was: another php question)


On Thu, 6 Jun 2002, Tim Riley wrote:

> Samuel Merritt wrote:
> 
> > On Thu, Jun 06, 2002 at 02:12:25PM -0700, Tim Riley wrote:
> > >
> > > Matt Roper wrote:
> > >
> > > > With this solution, what keeps people from using something like
> > > > "../../../etc/shadow" as $arg?  You'd probably need to strip out slashes
> > > > and ..'s to be safe...
> > > >
> > > > Matt
> > > >
> > >
> > > Good thinking Matt and Jeff. How about
> > >
> > > $file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
> > >                 ? ""
> > >                 : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
> > >
> > > This checks the first character for a dot by using the substring function
> > > inside the ternary operator. If someone tries to penetrate your system, file2open
> > > will fail.
> >
> > That's not enough. What about foo/../../../etc/shadow ?
> 
> Samuel, I don't mean to be critical, but the foo directory doesn't exist,
> so this will fail.

If they can figure out _any_ directory name, conceptually they can do
this... foo is a conceptual idea, not an actual directory name.  Further,
how do you know it doesn't exist?  We weren't talking about _your_
particular directory structure.

> Apache uses the DOCUMENT_ROOT mnemonic as its relative
> mount point; therefore /etc/everything is protected. (Try opening
> http://www.lugod.org/etc/passwd or
> http://www.lugod.org/foo/../etc/passwd)

Perhaps in the cutting room you forgot what we _are_ talking about.  Your
URL examples were not what was being considered... what _was_ being
considered was file access from within PHP based on URL arguments that
Apache does not process, as in

 <A href="display_stats.php3?arg=beetle.dat">beetle</A>

where the malicious user attempts to access

http://yoursite.com/cgi-bin/display_stats.php3?arg=images/../../../etc/password

or some variation thereof to learn what usernames to attack.  Since
Peter's PHP code would process the "images/../../../etc/password" portion,
he, not Apache, would be responsible for avoiding going outside his
sandbox.

Though I am not a PHP user, this would strike me as a prime candidate for
a standard feature of this kind of environment.  Looking in the PHP manual
briefly, I find "realpath", which looks like a good candidate tool to help
straighten this mess out and allow simple programmatic confirmation that
the file is in the appropriate area of the filesystem.  There may be even
better library routines... but this seems pretty easy to build a
"die_if_someone_is_hacking()" routine with.

> There are many other ways to prevent unscrupulous Internet
> users from accessing your files; however, they seem complicated.

"A solution should be as simple as possible, but no simpler."
-- Albert Einstein.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
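Jeff's idea of a realpath()-based "die_if_someone_is_hacking()" routine, written out as an added example; this is not code from the thread or from the lugod.org site. The `$APPLICATION_HOME_DIRECTORY` name and the "beetle.dat" / "images/../../../etc/passwd" arguments follow the thread; the temporary sandbox directory and data file are constructed for the demo.

```php
<?php
// Added example: confirm that a URL-supplied file name resolves inside the
// application's sandbox directory before opening it. Assumes PHP 7+.

function resolve_in_sandbox(string $base, string $arg): ?string
{
    // Canonicalise the sandbox root once. realpath() resolves "..", "." and
    // symlinks, and returns false when the path does not exist.
    $root = realpath($base);
    if ($root === false) {
        return null;
    }
    // Resolve the user-supplied name relative to the root. A ".." that climbs
    // out of $root, or a path that does not exist, is caught here or by the
    // prefix test below, so a first-character dot check is unnecessary.
    $target = realpath($root . DIRECTORY_SEPARATOR . $arg);
    if ($target === false) {
        return null;
    }
    // Compare with the separator appended so that a sibling directory such
    // as "/srv/app-data2" is not accepted as being inside "/srv/app-data".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function die_if_someone_is_hacking(string $base, string $arg): string
{
    $path = resolve_in_sandbox($base, $arg);
    if ($path === null) {
        // Record the rejected argument server-side; tell the client nothing useful.
        error_log("rejected file argument: " . $arg);
        die("bad request");
    }
    return $path;
}

// Constructed demo: a throwaway sandbox holding one legitimate data file.
$APPLICATION_HOME_DIRECTORY = sys_get_temp_dir() . "/app_home_" . getmypid();
mkdir($APPLICATION_HOME_DIRECTORY . "/images", 0700, true);
file_put_contents($APPLICATION_HOME_DIRECTORY . "/beetle.dat", "beetle stats\n");

var_dump(resolve_in_sandbox($APPLICATION_HOME_DIRECTORY, "beetle.dat"));
var_dump(resolve_in_sandbox($APPLICATION_HOME_DIRECTORY, "images/../../../etc/passwd"));
var_dump(resolve_in_sandbox($APPLICATION_HOME_DIRECTORY, "foo/../../../etc/shadow"));
```

Because realpath() only succeeds for paths that exist, this check suits reading existing files; an application that creates files from a user-supplied name would need to validate the parent directory instead.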