Adrian Ciutureanu pressed the little lettered thingies in this order...
> This is a good code. Read http://php.net/realpath
>
You are correct. I was unaware of the addition of the realpath() function
to PHP. According to the description of realpath(), using it should close
this hole also.
> > -----Original Message-----
> > From: Christopher Ostmo [mailto:[EMAIL PROTECTED]]
> > Sent: 5 iulie 2001 19:57
> > To: Adrian Ciutureanu
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: [PHP] Security of PHP code
> >
> >
> > Adrian Ciutureanu pressed the little lettered thingies in
> > this order...
> >
> > > $allowed_path = '/www/sites/mysite/teaching';
> > > $file = realpath($file);
> > > if(ereg("^$allowed_path", $file)) {
> > > // it's OK
> > > } else {
> > > // possible attack!
> > > }
> > >
> >
> > This is not good code.
> >
> > A user could replace the $file in the URL with this:
> > /www/sites/mysite/teaching/../../../../etc/passwd
> > Since it starts with $allowed_path, your code has just been fooled.
> >
> > The basic problem that I have seen with posts to this thread is the fact
> > that many people do not understand how Unix servers address and/or
> > secure files. If what I have written above doesn't make any sense,
> > please go and pick up a book that covers Unix/Linux security. If you
> > don't, you are inviting a security breach. You may or may not be aware
> > of this, but many hackers know Unix, its security and its common
> > vulnerabilities VERY well and they WILL exploit your code if it is
> > exploitable.
> >
> > Simply checking to see if a particular path exists in the URL will
> > NEVER secure this issue.
> >
> > Here's the script that I use:
> >
> > <?
> > require("common.php");
> > $f = ereg_replace("/","",$f);
> > commonHeader("$f Source Code");
> > ?>
> > <table border="1" cellpadding="3" cellspacing="0" bgcolor="#FFFFFF">
> > <tr><td> <? show_source("./calendar/$f"); ?> </td></tr> </table> <?
> > commonFooter(); ?>
> >
> > I explicitly declare the path and I delete all forward slashes. This
> > means that if someone tries to send:
> > $f=calendar/../../../.../../../../etc/passwd
> > They instead send:
> > $f=calendar...............etcpasswd
> > And the server interprets this as:
> > ./calendar/calendar...............etcpasswd
> >
> > The bottom line is that no files outside of the intended directory will
> > ever be viewable through this script, regardless of how clever, smart or
> > devious the user might be.
> >
> > I could have gotten a little more fancy and given warnings if there were
> > forward slashes, but the point is this: If you are allowing real file
> > names to be passed as the parameter, you HAVE to do one of two things:
> > 1) Strip or otherwise block forward slashes and/or consecutive periods.
> > 2) Declare the file path before the show_source() call and disallow
> > consecutive periods (".."), forward slashes or both. This is the method
> > used at slashdot.
> >
Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Innovative Application Ideas
Meeting cutting edge dynamic
web site needs since the
dawn of Internet time (1995)
Business Applications:
http://www.AppIdeas.com/
Open Source Applications:
http://open.AppIdeas.com/
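An added example illustrating the point the two of us are converging on (this is not code from either message in the thread): realpath() collapses the "../" sequences, so the traversal string quoted above cannot fool a check that runs after it, but the bare "^$allowed_path" test in the quoted snippet still accepts a sibling directory whose name merely starts with the allowed one. The function below resolves the requested path with realpath() and then compares against the allowed directory with a trailing separator. The directory layout under sys_get_temp_dir(), the names resolve_within and bare_prefix_accepts, and the sample inputs are all constructed for the demonstration; the bare prefix test is written with preg_match because ereg no longer exists in current PHP.

```php
<?php
// Added example, not code from this thread. Resolves a requested path with
// realpath() and checks containment against the allowed directory with a
// separator-aware comparison, shown next to the bare "^$allowed_path"
// prefix test from the quoted snippet. Sandbox layout is constructed.

function resolve_within(string $allowed_dir, string $requested): ?string
{
    $base = realpath($allowed_dir);
    if ($base === false) {
        return null; // the allowed directory itself must exist
    }
    // Absolute input is resolved as given; relative input is resolved
    // against the allowed directory.
    $candidate = ($requested !== '' && $requested[0] === '/')
        ? $requested
        : $base . '/' . $requested;
    // realpath() collapses "..", "." and symlinks, and returns false when
    // the target does not exist, so unresolvable input is rejected outright.
    $target = realpath($candidate);
    if ($target === false) {
        return null;
    }
    // Require the allowed directory followed by a separator, so that a
    // sibling such as ".../teaching2" does not pass as ".../teaching".
    $prefix = rtrim($base, '/') . '/';
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Bare prefix test, mirroring ereg("^$allowed_path", $file) from the thread.
function bare_prefix_accepts(string $allowed_dir, string $requested): bool
{
    $target = realpath($requested);
    return $target !== false
        && preg_match('/^' . preg_quote($allowed_dir, '/') . '/', $target) === 1;
}

// Constructed sandbox: <tmp>/teaching/notes.txt and <tmp>/teaching2/secret.txt
$sandbox = sys_get_temp_dir() . '/containment_demo_' . getmypid();
mkdir("$sandbox/teaching", 0700, true);
mkdir("$sandbox/teaching2", 0700, true);
file_put_contents("$sandbox/teaching/notes.txt", "lecture notes\n");
file_put_contents("$sandbox/teaching2/secret.txt", "not for students\n");
$sandbox = realpath($sandbox); // canonical form, in case the temp dir is a symlink

$allowed = "$sandbox/teaching";
$cases = [
    "$allowed/notes.txt",                  // legitimate file
    "$allowed/../../../../etc/passwd",     // the traversal quoted in the thread
    "{$allowed}2/secret.txt",              // sibling directory sharing the prefix
    "$allowed/missing.txt",                // nonexistent: realpath() returns false
];
foreach ($cases as $case) {
    $strict = resolve_within($allowed, $case);
    printf(
        "%-34s bare prefix: %-7s separator-aware: %s\n",
        substr($case, strlen($sandbox) + 1),
        bare_prefix_accepts($allowed, $case) ? 'accept' : 'reject',
        $strict === null ? 'reject' : 'accept'
    );
}

// Remove the constructed sandbox.
unlink("$sandbox/teaching/notes.txt");
unlink("$sandbox/teaching2/secret.txt");
rmdir("$sandbox/teaching");
rmdir("$sandbox/teaching2");
rmdir($sandbox);
```

Run with the PHP CLI. The first and last cases come out the same under both tests, and the "../" case is rejected by both because realpath() has already turned it into a path outside the allowed directory (or into false, where /etc/passwd does not exist). The "teaching2/secret.txt" case is the one that separates them: the bare prefix test accepts it, the separator-aware comparison rejects it. Stripping slashes, as in the show_source() script above, avoids the whole question by confining requests to a single directory; the realpath() approach is what you want when subdirectories of the allowed tree must remain reachable.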
--
PHP General Mailing List (http://www.php.net/)