An observation: I presume (in my code) that $allowed_path is a "root" of
an allowed path. So, files in subfolders of allowed_path are also
allowed.
> -----Original Message-----
> From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
> Sent: 5 iulie 2001 19:57
> To: Adrian Ciutureanu
> Cc: [EMAIL PROTECTED]
> Subject: RE: [PHP] Security of PHP code
>
>
> Adrian Ciutureanu pressed the little lettered thingies in
> this order...
>
> > $allowed_path = '/www/sites/mysite/teaching';
> > $file = realpath($file);
> > if(ereg("^$allowed_path", $file)) {
> > // it's OK
> > } else {
> > // possible attack!
> > }
> >
>
> This is not good code.
>
> A user could replace the $file in the URL with this:
> /www/sites/mysite/teaching/../../../../etc/passwd
> Since it starts with $allowed_path, your code has just been fooled.
>
> The basic problem that I have seen with posts to this thread is the fact
> that many people do not understand how Unix servers address and/or
> secure files. If what I have written above doesn't make any sense,
> please go and pick up a book that covers Unix/Linux security. If you
> don't, you are inviting a security breach. You may or may not be aware
> of this, but many hackers know Unix, its security and its common
> vulnerabilities VERY well and they WILL exploit your code if it is
> exploitable.
>
> Simply checking to see if a particular path exists in the URL will
> NEVER secure this issue.
>
> Here's the script that I use:
>
> <?
> require("common.php");
> $f = ereg_replace("/","",$f);
> commonHeader("$f Source Code");
> ?>
> <table border="1" cellpadding="3" cellspacing="0" bgcolor="#FFFFFF">
> <tr><td>
> <?
> show_source("./calendar/$f");
> ?>
> </td></tr>
> </table>
> <?
> commonFooter();
> ?>
>
> I explicitly declare the path and I delete all forward slashes. This means
> that if someone tries to send:
> $f=calendar/../../../.../../../../etc/passwd
> They instead send:
> $f=calendar...............etcpasswd
> And the server interprets this as:
> ./calendar/calendar...............etcpasswd
>
> The bottom line is that no files outside of the intended directory will ever
> be viewable through this script, regardless of how clever, smart or
> devious the user might be.
>
> I could have gotten a little more fancy and given warnings if there were
> forward slashes, but the point is this: If you are allowing real file names
> to be passed as the parameter, you HAVE to do one of two things:
> 1) Strip or otherwise block forward slashes and/or consecutive periods.
> 2) Declare the file path before the show_source() call and disallow
> consecutive periods (".."), forward slashes or both. This is the method
> used at slashdot.
>
> Christopher Ostmo
> a.k.a. [EMAIL PROTECTED]
> AppIdeas.com
> Innovative Application Ideas
> Meeting cutting edge dynamic
> web site needs since the
> dawn of Internet time (1995)
>
> For a good time,
> http://www.AppIdeas.com/
>
--
PHP General Mailing List (http://www.php.net/)
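An added example of the containment check the thread is arguing about (my code, not Adrian's or Christopher's): the request is anchored under the allowed root, resolved with realpath(), and then compared against the resolved root with a trailing separator, so that a traversal to a sibling directory whose name merely starts with "teaching" is rejected as well. The root /www/sites/mysite/teaching from the thread is stood in for by a throwaway directory created under the system temp dir.

```php
<?php
// Added example, not code from the thread. Assumes the allowed root is a
// directory that exists and that $requested is the raw value taken from the
// request (e.g. $_GET['file']); nothing else about the request is trusted.

function resolve_within(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;                      // the allowed root itself must exist
    }
    // Anchor the request under the root, then let realpath() collapse "..",
    // "." and symlinks so the check runs on the path the OS will actually open.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                      // file does not exist (or traversal led nowhere)
    }
    // Prefix test on the *resolved* path, with a trailing separator so that
    // ".../teaching-private/x" is not accepted as being inside ".../teaching".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved to somewhere outside the root
    }
    return $candidate;
}

// Self-contained demo: build a constructed tree in the temp dir, then tear it down.
$base = sys_get_temp_dir() . '/pathdemo_' . getmypid();
mkdir("$base/teaching", 0700, true);
mkdir("$base/teaching-private", 0700);
file_put_contents("$base/teaching/lesson1.php", "<?php // lesson\n");
file_put_contents("$base/secret.txt", "outside the root\n");
file_put_contents("$base/teaching-private/x.txt", "sibling directory\n");

$root  = "$base/teaching";
$cases = [
    'lesson1.php',                  // legitimate file under the root
    '../secret.txt',                // classic "..": must be rejected
    '../teaching-private/x.txt',    // sibling dir: a bare "^$allowed_path" prefix test would accept this
    'nope.php',                     // nonexistent: realpath() returns false
];
foreach ($cases as $c) {
    $r = resolve_within($root, $c);
    printf("%-28s => %s\n", $c, $r === null ? 'REJECTED' : 'ok: ' . basename($r));
}

foreach (["$root/lesson1.php", "$base/teaching-private/x.txt", "$base/secret.txt"] as $f) {
    unlink($f);
}
rmdir($root); rmdir("$base/teaching-private"); rmdir($base);
```

Only the first case is accepted; the second and third resolve outside the separator-terminated root prefix and the fourth does not exist, so all three return null before anything is opened.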