insecure php

The geek forum. PHP, Perl, HTML, hardware questions etc.. it's all in here. Got a techie question? We'll sort you out. Ask your questions or post a link to your own site here!

insecure php

Postby Shao Feng-Li » Sun Jan 04, 2004 7:13 pm

what's a insecure php file?
User avatar
Shao Feng-Li
 
Posts: 5187
Joined: Sun Oct 12, 2003 12:00 pm
Location: Idaho

Postby andyroo » Sun Jan 04, 2004 8:39 pm

http://www.php.net/manual/en/security.php

I now see where Lorentz got that linkest link thing from. I'm pretty shure this is the PHP manual he's talking about.
"As vinegar to the teeth and smoke to the eyes, so is a sluggard to those who send him." ~Proverbs 10:26
†
The Ideas Behind Anime |

The difference between intelligence and stupidity is that intelligence has its limits.
A proud member of P.I.E. -- Pictures of Inkhana for Everyone! Join the fight!
User avatar
andyroo
 
Posts: 815
Joined: Tue Jun 10, 2003 11:00 am
Location: Alabama

Postby Straylight » Mon Jan 05, 2004 2:29 am

An insecure php file typically allows an attacker to run their own php code on your server. PHP will give you access to the server's filesystem, allowing you to do some really unpleasant things.
[align=center]
Image
Banner above created using my avatar generator tool.
You know you want try it.
User avatar
Straylight
 
Posts: 2346
Joined: Mon May 26, 2003 12:00 pm
Location: Manchester, UK

Postby Mave » Mon Jan 05, 2004 4:57 am

ack, I tried to read and understand the link provided. 0.o I'm assuming that members like me, can't do anything to help, right?
User avatar
Mave
 
Posts: 3662
Joined: Tue Aug 12, 2003 9:00 am

Postby shooraijin » Mon Jan 05, 2004 2:39 pm

djnoz wrote:An insecure php file typically allows an attacker to run their own php code on your server. PHP will give you access to the server's filesystem, allowing you to do some really unpleasant things.


Which is of course true of any program a web server runs if the programmer is stupid and doesn't treat user data with the proper modicum of paranoia. Perl has some nasty ones in filehandling that you have to "un-taint" first (hence the entire Perl tainting mechanism to force you to treat user data as if it were dirty).
"you're a doctor.... and 27 years.... so...doctor + 27 years = HATORI SOHMA" - RoyalWing, when I was 27
"Al hail the forum editting Shooby! His vibes are law!" - Osaka-chan

I could still be champ, but I'd feel bad taking it away from one of the younger guys. - George Foreman
User avatar
shooraijin
 
Posts: 9927
Joined: Thu Jun 26, 2003 12:00 pm
Location: Southern California

Postby Mithrandir » Mon Jan 05, 2004 5:29 pm

Have you spoken with Larry about 6 yet? I'm wondering if the "dirty user" stigmata will remain.

Incidentally, (plugs for shooby) does httpi allow you to run multiple "instances" of the server - for example to do virtual hosting, where each instance can run as a different user? That would make something like this virutally impossible...
User avatar
Mithrandir
 
Posts: 11071
Joined: Fri Jun 27, 2003 12:00 pm
Location: You will be baked. And then there will be cake.

Postby shooraijin » Mon Jan 05, 2004 6:49 pm

The New Security Model in HTTPi/1.4 automatically changes user to the owner of any document it serves, even if the document is static. (Previously it only changed UID on executable files.) As a nice side effect, this prevents root-owned documents from running, and you can further proscribe UIDs from serving documents (so no one can symlink /bin/tcsh somewhere and allow people run it as bin:bin).

If this isn't enough, HTTPi could always have been run in separately configured server instances with each running as an independent UID. This only works for multi-homed hosting, though; HTTP Host-based virtual hosting needs to run in one large process (for obvious reasons).

http://httpi.floodgap.com/

shameless plug wa, arigatoo ;)
"you're a doctor.... and 27 years.... so...doctor + 27 years = HATORI SOHMA" - RoyalWing, when I was 27
"Al hail the forum editting Shooby! His vibes are law!" - Osaka-chan

I could still be champ, but I'd feel bad taking it away from one of the younger guys. - George Foreman
User avatar
shooraijin
 
Posts: 9927
Joined: Thu Jun 26, 2003 12:00 pm
Location: Southern California

Postby LorentzForce » Mon Jan 05, 2004 9:15 pm

andyroo got it right! dum dum dum!

i might be able to help, but i won't, just so i don't interfere too much...

btw, i was unable to log in due to mozilla unable to redirect me in the first page. well, at least IE works here.
Image
User avatar
LorentzForce
 
Posts: 1263
Joined: Sun Jun 01, 2003 3:18 am
Location: Between B and E

Postby Mithrandir » Tue Jan 06, 2004 8:15 am

*shudder*

you know, seeing this look&feel and noticing what does/doesn't work makes me really respect Noz's talent/hard work here. :)
User avatar
Mithrandir
 
Posts: 11071
Joined: Fri Jun 27, 2003 12:00 pm
Location: You will be baked. And then there will be cake.

Postby LorentzForce » Tue Jan 06, 2004 10:06 am

copy/pasted proper redirected address from IE so i can use it on firebird. yes, i ditched IE :P i'm still getting used to tab browsing though... often see myself closing the entire browser, and i go 'NOOOOOOOOO' then oh well, and open it again.

Noz is good at programming :) really.
Image
User avatar
LorentzForce
 
Posts: 1263
Joined: Sun Jun 01, 2003 3:18 am
Location: Between B and E

Postby madphilb » Tue Jan 06, 2004 2:18 pm

I was getting a blank screen.... I don't know if it really helped or if I just hit something right, but by SHIFT-clicking on the "REFRESH" icon it reloaded that page and I got "Redirecting" at the top of the screen (and the updated forums shortly after that).

If I remember correctly (and it still applies) SHIFT-clicking on the Refresh would force Mozilla (which was birthed out of Netscape where I think I remember this from) to reload the page.

Again, i could just be blowing smoke out by butt too.... I dunno, but it seemed to work.... wondering if anyone else has/will try it and verify (my hotlink to CAA is to the root of the domain name).
PHIL

Image
Member of P.I.E. -- Pictures of Inkhana for Everyone!! Join the fight!!
Image
User avatar
madphilb
 
Posts: 1057
Joined: Thu May 29, 2003 1:46 pm
Location: Sunny St. Pete, FL

Postby Mithrandir » Wed Jan 07, 2004 4:57 pm

That is possible. We recently set the system to redirect, but if your machine had the page cached (and it wasn't doing things right) it's possible it solved the problem by forcing the reload.
User avatar
Mithrandir
 
Posts: 11071
Joined: Fri Jun 27, 2003 12:00 pm
Location: You will be baked. And then there will be cake.


Return to Computing and Links

Who is online

Users browsing this forum: No registered users and 78 guests