[vox-tech] php security (was: another php question)

Richard S. Crawford vox-tech@lists.lugod.org
Thu, 6 Jun 2002 12:35:46 -0700


This might sound silly, but I might instead try something like this:

In file one, do...

	Click on your favorite car:
	<ul>
		<li><a href="display_stats.php3?arg=m">mustang</a></li>
		<li><a href="display_stats.php3?arg=b">beetle</a></li>
	</ul>

and in page two (pseudocode):

	<blah blah blah>
	$file = ($arg == "m") ? "mustang.dat" : "beetle.dat";  /* == compares; a single = would assign */
	$fp = fopen($file, "r");

It's the way I would naturally have thought of doing it.  Are there security reasons for not handling it this way?


On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
> An easy way around exposing /etc/anything is to do what Apache does with
> HTML documents: only reference documents inside a relative directory.
> 
> e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
> 
> Peter Jay Salzman wrote:
> 
> > begin Matt Roper <matt@mattrope.com>
> > > On Thu, Jun 06, 2002 at 11:04:19AM -0700, Peter Jay Salzman wrote:
> > > ...
> > > > is there a way to pass a variable to a php3 href so i can have one file
> > > > that does a reading, but with an argument of which data file to read?
> > > > something like:
> > > >
> > > >
> > > >    Click on your favorite car:
> > > >    <UL>
> > > >    <LI><A href="display_stats.php3" arg="mustang.dat">mustang</A>
> > > >    <LI><A href="display_stats.php3" arg="beetle.dat">beetle</A>
> > > >    ...
> > > >    </UL>
> > > >
> > > > can i do this sort of thing with php3?
> > >
> > > I think what you want is
> > >
> > >     <UL>
> > >     <LI><A href="display_stats.php3?arg=mustang.dat">mustang</A>
> > >     <LI><A href="display_stats.php3?arg=beetle.dat">beetle</A>
> > >     ...
> > >     </UL>
> > >
> > > After doing this, your display_stats page can read the argument from
> > > $arg.  Note that you still need to do some checking to make sure people
> > > don't craft a url like "display_stats.php3?arg=/etc/shadow" -- this can
> > > be a security hole if you use the filename directly without checking it
> > > first.
> >
> > that's really cool -- i didn't know you could do this sort of thing.
> > it's ... "cgi-like".
> >
> > your warning sends chills up my spine, though.
> >
> > i'd check which files are allowed to open, rather than which files are NOT
> > allowed to open (too many files to protect).  something like:
> >
> >    if ($arg != "beetle.dat" && $arg != "mustang.dat" && ... ) {
> >       /* single quotes inside, so the subject survives the double-quoted PHP string;
> >          </dev/null keeps mail from waiting on stdin */
> >       system("mail -s 'funny business on the php page' p@dirac.org < /dev/null");
> >       blah blah blah
> >    }
> >
> > btw, what should "blah blah blah" be?   just an empty return statement?
> > would that be secure?
> >
> > if someone tries something evil, i'd like to be sent email notification.
> > maybe even blacklist the ip address that was doing the monkey business.
> > anyway
> >
> > it never occurred to me to check for this.  the prospect of someone
> > forging a url and gaining access to something like /etc/shadow is
> > frightening!
> >
> > actually -- even better -- is there a directive to tell php "you're only
> > allowed to open files in /www/p/Adventuring" or something like that?
> >
> > pete
> >
> > ps- thanks for the warning.  i never would've thought of this!
> > _______________________________________________
> > vox-tech mailing list
> > vox-tech@lists.lugod.org
> > http://lists.lugod.org/mailman/listinfo/vox-tech

-- 
Slainte,
Richard S. Crawford

mailto:rscrawford@mossroot.com		http://www.mossroot.com
AIM:  Buffalo2K   ICQ: 11646404  Yahoo!: rscrawford
MSN:  underpope@hotmail.com

"It is only with the heart that we see rightly; what is essential is
invisible to the eye."  --Antoine de Saint Exupery

vi vi vi - the editor of the beast
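The key-to-file mapping Richard sketches, next to the traversal hole Matt warned about and the "what goes in blah blah blah" question Pete asked, as an added example that is not code from any post in this thread. It assumes PHP 7 or later, that the request value arrives in $_GET['arg'] (the thread's bare $arg relied on register_globals), and a hypothetical data directory $dataDir; CAR_FILES, open_stats_unsafe, resolve_stats_file and open_stats_safe are names introduced here.

```php
<?php
// Added example, not from the thread. Assumes the .dat files live in one
// directory ($dataDir, hypothetical) and the request parameter is $_GET['arg'].

$dataDir = '/www/p/Adventuring/data';   // hypothetical location of the .dat files

// 1. Prefixing a fixed directory to whatever the client sent. The prefix alone
//    does NOT stop traversal: arg=../../../../etc/passwd still resolves to
//    /etc/passwd once the ".." components are collapsed by the filesystem.
function open_stats_unsafe(string $dataDir, string $arg)
{
    $path = $dataDir . '/' . $arg;
    return fopen($path, 'r');
}

// 2. Allow-list by *key*, as in ?arg=m / ?arg=b, so the client never supplies
//    any part of a filename. Anything not in the table is refused.
const CAR_FILES = [
    'm' => 'mustang.dat',
    'b' => 'beetle.dat',
];

function resolve_stats_file(string $dataDir, string $arg): ?string
{
    if (!array_key_exists($arg, CAR_FILES)) {
        return null;                        // not one of ours: refuse
    }
    return $dataDir . '/' . CAR_FILES[$arg];
}

// 3. Belt and braces: even for an allow-listed name, confirm the canonical
//    path still lies under $dataDir before opening it. This catches mistakes
//    such as a symlink planted inside the data directory.
function open_stats_safe(string $dataDir, string $arg)
{
    $path = resolve_stats_file($dataDir, $arg);
    if ($path === null) {
        return null;
    }
    $base = realpath($dataDir);
    $real = realpath($path);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return fopen($real, 'r');
}

// Request handling for display_stats.php. On rejection: log it server-side,
// answer with a plain 400 and stop. The attacker-controlled value is never
// interpolated into a shell command (that would be a second injection point).
$arg = $_GET['arg'] ?? '';
$fp  = open_stats_safe($dataDir, $arg);
if ($fp === null) {
    error_log('display_stats: rejected arg from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    http_response_code(400);
    exit('Bad request');
}
while (($line = fgets($fp)) !== false) {
    echo htmlspecialchars($line);
}
fclose($fp);
```

On the directive Pete asks about: PHP's php.ini setting open_basedir (for example open_basedir = /www/p/Adventuring) makes the file functions refuse paths outside the listed directories. It is a real backstop worth setting, but it limits what PHP as a whole may open rather than what this one script should open, so the allow-list above stays the primary control.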