[vox-tech] php security (was: another php question)

Larry Ozeran vox-tech@lists.lugod.org
Thu, 06 Jun 2002 21:26:04 +0000


Perhaps I'm missing something, but I agree with Richard. The easiest way is
actually to use a table lookup for which file to open and then you don't
worry about access of system resources. This can be hard coded into the php
script (we use .inc files) or stored in a database (we use MySQL, but php
connects to many flavors).

We do go one step further since there are certain pages we don't want
non-administrative users to see. We have a security file which lists which
class of user can access which pages of the site.

-- Larry
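Added example (not from Larry's post or any other message in this thread): the table-lookup approach above written out in PHP, with a second table for which class of user may see which page. The keys 'm' and 'b', the file names, the page names, the user classes and the temporary data directory are all assumptions made for the example, and the handler takes the query parameters as an array (what $_GET would hold) rather than the register_globals-style $arg used elsewhere in the thread.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Keys, file names, user
// classes and the data directory are hypothetical. The idea is Larry's: the
// URL parameter selects a row in a table, and the table, not the request,
// decides which file is opened.

// Table lookup: request key -> data file name. Only these files can be opened.
const DATA_FILES = [
    'm' => 'mustang.dat',
    'b' => 'beetle.dat',
];

// Security table: which user classes may view which pages.
const PAGE_ACCESS = [
    'display_stats.php3' => ['user', 'admin'],
    'admin_stats.php3'   => ['admin'],
];

/**
 * Resolve a request key to an absolute path, or null if the key is not in
 * the table. The key is an index, never a path fragment, so values such as
 * "/etc/shadow" or "../../etc/passwd" cannot select anything.
 */
function data_file_for(string $key, string $dataDir): ?string
{
    if (!array_key_exists($key, DATA_FILES)) {
        return null;
    }
    return $dataDir . DIRECTORY_SEPARATOR . DATA_FILES[$key];
}

/** True if $userClass is listed for $page in the security table. */
function may_view(string $page, string $userClass): bool
{
    return in_array($userClass, PAGE_ACCESS[$page] ?? [], true);
}

/**
 * Request handler written as a plain function so it can be run from the CLI.
 * Returns [HTTP status, body]. The rejection branch is one answer to the
 * "what should blah blah blah be?" question: log it, reply generically, stop.
 */
function display_stats(array $query, string $userClass, string $dataDir): array
{
    if (!may_view('display_stats.php3', $userClass)) {
        return [403, 'forbidden'];
    }
    $key = $query['arg'] ?? '';
    if (!is_string($key)) {          // arg[]=... would arrive as an array
        $key = '';
    }
    $path = data_file_for($key, $dataDir);
    if ($path === null) {
        // Do not echo the rejected value into the page; log it instead.
        error_log('display_stats: rejected arg ' . var_export($key, true));
        return [404, 'no such car'];
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return [500, 'data file unreadable'];
    }
    return [200, $data];
}

// --- CLI demonstration with constructed data files in a temp directory ---
if (PHP_SAPI === 'cli') {
    $dataDir = sys_get_temp_dir() . '/car_stats_example';
    if (!is_dir($dataDir)) {
        mkdir($dataDir, 0700, true);
    }
    file_put_contents($dataDir . '/mustang.dat', "mustang: 0-60 in 5.9s\n");
    file_put_contents($dataDir . '/beetle.dat',  "beetle: 0-60 in 12.1s\n");

    $probes = ['m', 'b', 'mustang.dat', '/etc/shadow', '../../etc/passwd'];
    foreach ($probes as $arg) {
        [$status, $body] = display_stats(['arg' => $arg], 'user', $dataDir);
        printf("user  arg=%-18s -> %d %s\n", $arg, $status, rtrim($body));
    }
    [$status, $body] = display_stats(['arg' => 'm'], 'guest', $dataDir);
    printf("guest arg=%-18s -> %d %s\n", 'm', $status, rtrim($body));
}
```

Run from the command line (the file name is up to you): 'm' and 'b' return 200, while 'mustang.dat', '/etc/shadow' and '../../etc/passwd' all return 404 without a single filesystem call being made with the attacker's string, and the 'guest' class gets 403 before the parameter is even looked at. Note the difference from prefixing a base directory onto the raw parameter: `$BASE . $arg` still lets a '../' sequence walk out of that directory, whereas the table never treats the parameter as a path at all. As a backstop, PHP's `open_basedir` ini directive restricts which directories the file functions may reach; it is defence in depth, not a substitute for the lookup.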

At 12:35 PM 6/6/02 -0700, you wrote:
>This might sound silly, but I might instead try something like this:
>
>In file one, do...
>
>	Click on your favorite car:
>	<ul>
>		<li><a href="display_stats.php3?arg=m">mustang</a></li>
>		<li><a href="display_stats.php3?arg=b">beetle</a></li>
>	</ul>
>
>and in page two (pseudocode):
>
>	<blah blah blah>
>	if ($arg == "m") open "mustang.dat"; else open "beetle.dat";
>
>It's the way I would naturally have thought of doing it.  Are there
>security reasons for not handling it this way?
>
>
>On Thu, Jun 06, 2002 at 12:20:31PM -0700, Tim Riley wrote:
>> An easy way around exposing /etc/anything is to do what Apache does with
>> HTML documents: only reference documents inside a relative directory.
>> 
>> e.g., $file2open = $APPLICATION_HOME_DIRECTORY . $arg[ 1 ]
>> 
>> Peter Jay Salzman wrote:
>> 
>> > begin Matt Roper <matt@mattrope.com>
>> > > On Thu, Jun 06, 2002 at 11:04:19AM -0700, Peter Jay Salzman wrote:
>> > > ...
>> > > > is there a way to pass a variable to a php3 href so i can have one file
>> > > > that does a reading, but with an argument of which data file to read?
>> > > > something like:
>> > > >
>> > > >
>> > > >    Click on your favorite car:
>> > > >    <UL>
>> > > >    <LI><A href="display_stats.php3" arg="mustang.dat">mustang</A>
>> > > >    <LI><A href="display_stats.php3" arg="beetle.dat">beetle</A>
>> > > >    ...
>> > > >    </UL>
>> > > >
>> > > > can i do this sort of thing with php3?
>> > >
>> > > I think what you want is
>> > >
>> > >     <UL>
>> > >     <LI><A href="display_stats.php3?arg=mustang.dat">mustang</A>
>> > >     <LI><A href="display_stats.php3?arg=beetle.dat">beetle</A>
>> > >     ...
>> > >     </UL>
>> > >
>> > > After doing this, your display_stats page can read the argument from
>> > > $arg.  Note that you still need to do some checking to make sure people
>> > > don't craft a url like "display_stats.php3?arg=/etc/shadow" -- this can
>> > > be a security hole if you use the filename directly without checking it
>> > > first.
>> >
>> > that's really cool -- i didn't know you could do this sort of thing.
>> > it's ... "cgi-like".
>> >
>> > your warning sends chills up my spine, though.
>> >
>> > i'd check which files are allowed to open, rather than which files are NOT
>> > allowed to open (too many files to protect).  something like:
>> >
>> >    if ($arg != "beetle.dat" && $arg != "mustang.dat" && ... ) {
>> >       system("mail -s 'funny business on the php page' p@dirac.org");
>> >       blah blah blah
>> >    }
>> >
>> > btw, what should "blah blah blah" be?   just an empty return statement?
>> > would that be secure?
>> >
>> > if someone tries something evil, i'd like to be sent email notification.
>> > maybe even blacklist the ip address that was doing the monkey business.
>> > anyway
>> >
>> > it never occurred to me to check for this.  the prospect of someone
>> > forging a url and gaining access to something like /etc/shadow is
>> > frightening!
>> >
>> > actually -- even better -- is there a directive to tell php "you're only
>> > allowed to open files in /www/p/Adventuring" or something like that?
>> >
>> > pete
>> >
>> > ps- thanks for the warning.  i never would've thought of this!
>> > _______________________________________________
>> > vox-tech mailing list
>> > vox-tech@lists.lugod.org
>> > http://lists.lugod.org/mailman/listinfo/vox-tech
>> 
>
>-- 
>Slainte,
>Richard S. Crawford
>
>mailto:rscrawford@mossroot.com		http://www.mossroot.com
>AIM:  Buffalo2K   ICQ: 11646404  Yahoo!: rscrawford
>MSN:  underpope@hotmail.com
>
>"It is only with the heart that we see rightly; what is essential is
>invisible to the eye."  --Antoine de Saint Exupery
>
>vi vi vi - the editor of the beast