[vox-tech] php security (was: another php question)

Matt Roper vox-tech@lists.lugod.org
Thu, 6 Jun 2002 12:36:56 -0700


On Thu, Jun 06, 2002 at 12:05:31PM -0700, Peter Jay Salzman wrote:
> begin Matt Roper <matt@mattrope.com> 
> > 
> > I think what you want is 
> > 
> >     <UL>
> >     <LI><A href="display_stats.php3?arg=mustang.dat">mustang</A>
> >     <LI><A href="display_stats.php3?arg=beetle.dat">beetle</A>
> >     ...
> >     </UL>
> > 
> > After doing this, your display_stats page can read the argument from
> > $arg.  Note that you still need to do some checking to make sure people
> > don't craft a url like "display_stats.php3?arg=/etc/shadow" -- this can
> > be a security hole if you use the filename directly without checking it
> > first.
>  
> that's really cool -- i didn't know you could do this sort of thing.
> it's ... "cgi-like".
> 
> your warning sends chills up my spine, though.
> 
> i'd check which files are allowed to open, rather than which files are NOT
> allowed to open (too many files to protect).  something like:
> 
>    if ($arg != "beetle.dat" && $arg != "mustang.dat" && ... ) {
>       system("mail -s 'funny business on the php page' p@dirac.org");
>       blah blah blah
>    }
> 
> btw, what should "blah blah blah" be?   just an empty return statement?
> would that be secure?

Yeah, a blank page or an error page saying "invalid file $arg" would be
fine.  Especially if it doesn't really let the person know whether or
not the file they tried to reference actually exists.

> if someone tries something evil, i'd like to be sent email notification.
> maybe even blacklist the ip address that was doing the monkey business.
> anyway

Yeah, PHP has some built in mail functions you can use, so you don't
even have to use system().

> it never occurred to me to check for this.  the prospect of someone
> forging an url and gaining access to something like /etc/shadow is
> frightening!

Well, usually file permissions would prevent the web server user from
reading /etc/shadow, but there are other files that could be read this
way which would cause problems.

> actually -- even better -- is there a directive to tell php "you're only
> allowed to open files in /www/p/Adventuring" or something like that?

I'm not aware of anything like that, but I'm not really a PHP expert.
You might be able to chroot your whole web server or something, but that
might be tricky...

> 
> pete
> 
> ps- thanks for the warning.  i never would've thought of this!


Matt

-- 

*************************************************
* Matt Roper <matt@mattrope.com>                *
* http://www.mattrope.com                       *
* PGP Key: http://www.mattrope.com/mattrope.asc *
*************************************************
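The allowlist check and mail() notification discussed in this thread, as an added example that is not code from either poster; it uses the modern $_GET style rather than the register_globals $arg of the original, and the data directory and alert address are placeholders.

```php
<?php
// Added example (not from the thread): allowlist check for the
// display_stats file parameter. Paths and addresses are placeholders.

define('DATA_DIR', '/www/p/Adventuring/data');   // assumed data directory
define('ALERT_TO', 'admin@example.com');          // placeholder address

// Only these exact names may be opened; anything else is rejected.
$allowed = array('beetle.dat', 'mustang.dat');

// Returns the full path to the file if $arg is allowed, or null otherwise.
// in_array() with strict=true makes the comparison type- and case-sensitive,
// so "Beetle.dat" or a non-string value never matches.
function resolve_stats_file($arg, array $allowed) {
    if (!is_string($arg) || !in_array($arg, $allowed, true)) {
        return null;
    }
    return DATA_DIR . '/' . $arg;
}

$arg  = isset($_GET['arg']) ? $_GET['arg'] : '';
$path = resolve_stats_file($arg, $allowed);

if ($path === null) {
    // Notify the admin with PHP's own mail() instead of system("mail ...").
    // The rejected value goes in the body, so it can never alter the
    // command line or the subject.
    $client = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $body   = "Rejected arg: " . var_export($arg, true) . "\n"
            . "Client: " . $client . "\n";
    mail(ALERT_TO, 'funny business on the php page', $body);

    // Generic error: does not reveal whether the requested file exists,
    // and does not echo the attacker-controlled value back into the page.
    header('HTTP/1.0 400 Bad Request');
    echo "Invalid file.";
    exit;
}

// Safe to open: $path is built only from the fixed directory and an
// allowlisted name, so "../" or absolute paths never reach the filesystem.
readfile($path);
```

As a second layer, PHP's open_basedir ini directive limits the directories that PHP's file functions may open, which is close to the per-directory restriction asked about above.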