Page last updated:
2002 Jun 07 10:15

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] php security (was: another php question)

On Fri, 7 Jun 2002, Tim Riley wrote:

> Jeff Newmiller wrote:
> 
> > On Thu, 6 Jun 2002, Tim Riley wrote:
> >
> > > Samuel Merritt wrote:
> > >
> > > > On Thu, Jun 06, 2002 at 02:12:25PM -0700, Tim Riley wrote:
> > > > >
> > > > > Matt Roper wrote:
> > > > >
> > > > > > With this solution, what keeps people from using something like
> > > > > > "../../../etc/shadow" as $arg?  You'd probably need to strip out slashes
> > > > > > and ..'s to be safe...
> > > > > >
> > > > > > Matt
> > > > > >
> > > > >
> > > > > Good thinking Matt and Jeff. How about
> > > > >
> > > > > $file2open = ( substr( $arg[ 1 ], 0, 1 ) == "." )
> > > > >                 ? ""
> > > > >                 : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
> > > > >
> > > > > This checks the first character for a dot by using the substring function
> > > > > inside the ternary operator. If someone tries to penetrate your system, file2open
> > > > > will fail.
> > > >
> > > > That's not enough. What about foo/../../../etc/shadow ?
> > >
> > > Samuel, I don't mean to be critical, but the foo directory doesn't exist,
> > > so this will fail.
> >
> > If they can figure out _any_ directory name, conceptually they can do
> > this... foo is a conceptual idea, not an actual directory name. <snip>
> 
> Oh.
> 
> What about:
> 
>  $file2open = ( strstr( $arg[ 1 ], ".." ) )
>                  ? ""
>                  : $APPLICATION_HOME_DIRECTORY . $arg[ 1 ];
> 
> Strstr() is the string search function, and here if it finds two adjacent dots, the
> ternary operator will successfully return an empty filename. Can a hacker
> get out of this jail?

I don't think she could.  However, "myfile..is..ok" is a valid, if
unusual, filename that would cause problems if you or someone else tried
to use it.  The "realpath()" solution would be more robust and less likely
to cause puzzling failures in the future, but would require more CPU
cycles on each access... choose your evil.

[...]

> > Though I am not a PHP user, this would strike me as a prime candidate for
> > a standard feature of this kind of environment.  Looking in the PHP manual
> > briefly, I find "realpath", which looks like a good candidate tool to help
> > straighten this mess out and allow simple programmatic confirmation that
> > the file is in the appropriate area of the filesystem.  There may be even
> > better library routines... but this seems pretty easy to build a
> > "die_if_someone_is_hacking()" routine with.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
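The realpath() approach Jeff describes, written out as an added example (not code from this thread): resolve the requested path, then confirm it still lies under the application directory. It assumes $home stands for Tim's $APPLICATION_HOME_DIRECTORY and $name for the untrusted $arg[1]; the temporary directory and file in the demonstration are constructed.

```php
<?php
// Added example, not code from the thread. Assumptions: $home is the
// application's home directory (Tim's $APPLICATION_HOME_DIRECTORY) and
// $name is the untrusted request parameter (Tim's $arg[1]).
function safe_file_to_open(string $home, string $name): ?string
{
    // Resolve the sandbox itself; realpath() returns false if it is missing
    // and strips any trailing slash, so the prefix test below is exact.
    $base = realpath($home);
    if ($base === false) {
        return null;
    }
    // realpath() collapses every "." and ".." (including "foo/../../etc/x")
    // and follows symlinks, so $target is where the open would really land.
    // It returns false for a non-existent file; treat that as a rejection.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;
    }
    // Accept only targets inside the sandbox. Comparing against "$base/"
    // rather than "$base" keeps "/srv/app2/x" out of a sandbox of "/srv/app".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function die_if_someone_is_hacking(string $home, string $name): string
{
    $path = safe_file_to_open($home, $name);
    if ($path === null) {
        error_log("rejected file request: $name");  // detail stays server-side
        die("no such file");
    }
    return $path;
}
// Demonstration on a temporary sandbox holding one constructed file whose
// name contains ".." legitimately, the case the strstr() check would refuse.
$home = sys_get_temp_dir() . "/lugod_demo_" . getmypid();
mkdir($home);
touch("$home/myfile..is..ok");
foreach (["myfile..is..ok", "foo/../../../etc/passwd", "../../../../etc/passwd",
          "../" . basename($home) . "/myfile..is..ok"] as $name) {
    $result = safe_file_to_open($home, $name);
    echo str_pad($name, 40) . ($result === null ? "rejected" : "ok: $result") . "\n";
}
unlink("$home/myfile..is..ok");
rmdir($home);
```

The third request resolves to a file that really exists, so existence alone is not the test; the prefix comparison after realpath() is what rejects it, while the fourth request climbs out and back in and is correctly accepted.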
