PaulDotCom mailing list archives

Re: Is this a secure way to parse logs over the web?


From: "Frisch, Daniel (JUS)" <Daniel.Frisch () ontario ca>
Date: Mon, 27 Feb 2012 10:30:25 -0500

Another thing to note: outputting the $_SERVER['PHP_SELF'] variable
without htmlentities also leaves you open to XSS (lines 5 & 49).
 
Dan

________________________________

From: pauldotcom-bounces () mail pauldotcom com
[mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Adrian
Crenshaw
Sent: February 26, 2012 3:30 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Is this a secure way to parse logs over the
web?


Point taken about XSS, I've added some encoding for that since
(htmlentities). I'll likely recommend people password protect wherever
they put the script.

Adrian


On Sun, Feb 26, 2012 at 1:21 PM, Dancing Dan <d4ncingd4n () gmail com>
wrote:


        Disclaimer: My PHP skills are very rusty so, I may have
misunderstood some of what I saw. Some of what I say may be complete or
partial rubbish.... YMMV
        
        I'm not sure how much of a difference this would make, but I
would constrain the choices from the Internet to specific items instead
of allowing regexes. It would be good to whitelist the specific searches
you want to allow and discard anything not on the approved list.
        
        You could separate the retrieval and searching functions from
the display functions by using a scheduled task on the server to extract
the data to separate files with a subset of data. Not necessarily real
time, but it would gain a little separation and could run as a lower
privileged process under a separate account. This could be especially
helpful if you are using SELinux or other MAC control.
        
        I would also suggest considering the types of data that could be
stored in the log. It would be a bad thing (TM) for someone to generate
a log event that would cause reflected XSS when viewing the log file in
a browser. My paranoia would cause me to retrieve a text file containing
data that I could view as pure ASCII....
        
        Hope this helps....
        
        Bart
        
        
        On Fri, Feb 24, 2012 at 10:02 AM, Adrian Crenshaw
<irongeek () irongeek com> wrote:
        


                Ok, not saying this code is well done, but I had a
question about whether it was possible to do some Regex injection that
has really bad consequences. I've made a simple little PHP (attached)
script as a test to look for the top 404s and 403s on a site based on
its http log. Since web scanners seem to cause a lot of these (causing
errors and looking for files that are not there), it seems like a good
way to spot them. The downside: I'm pretty much letting the user put
anything into the regular expression for searching that they want. I'm
not using the exec function, but preg_match instead, so shell execution
should not be an issue as far as I know. Assuming I don't care if people
know what is in my logs, how secure is this? I could also always just
password it off.
                
                
                Thanks,
                Adrian
                
                
                
                -- 
                "The ability to quote is a serviceable substitute for
wit." ~ W. Somerset Maugham
                
                
                _______________________________________________
                Pauldotcom mailing list
                Pauldotcom () mail pauldotcom com
        
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
                Main Web Site: http://pauldotcom.com
                



        




-- 
"The ability to quote is a serviceable substitute for wit." ~ W.
Somerset Maugham
"The ability to Google can be a serviceable substitute for technical
knowledge." ~ Adrian D. Crenshaw


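An added example of the hardening the thread converges on, written for this archive page; it is not Adrian's attached script (which is not on the page) and makes up its own details. It assumes the Apache/nginx "combined" log format, the search names below (not_found, forbidden, php_probes) and a handful of constructed log lines, one of which carries a scanner-injected <script> tag in the request path. The three points it shows are the ones raised above: the browser chooses a search by name from a whitelist and never supplies a regex (Bart), preg_match's return value is checked so a PCRE error is not silently treated as "no match", and everything that came from the log or the request is HTML-escaped before it is echoed, with the form posting back via action="" so $_SERVER['PHP_SELF'] is never echoed at all (Dan).

```php
<?php
// Added example for this thread, not Adrian's attached script: a hardened
// "top 404/403 paths" report along the lines Bart and Dan suggested.
// Assumptions (not from the original post): combined log format, the search
// names below, and the constructed sample lines are all hypothetical.
declare(strict_types=1);

// 1. Whitelist (Bart's point): the browser picks a search *name*; the regex
//    behind it is fixed here. User input never reaches preg_match as a pattern.
const SEARCHES = [
    'not_found'  => ['status' => [404],      'path' => null],
    'forbidden'  => ['status' => [403],      'path' => null],
    'php_probes' => ['status' => [403, 404], 'path' => '~\.php$~'],
];

// Fixed parser for the Apache/nginx "combined" format: ip, date, method, path, status.
const LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ~';

/** Parse one access-log line; null if it does not match or if PCRE reports an error. */
function parse_log_line(string $line): ?array
{
    $m = [];
    $rc = preg_match(LOG_RE, $line, $m);
    if ($rc !== 1) {   // 0 = no match, false = PCRE error (e.g. backtrack limit hit)
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** Count request paths for a whitelisted search; unknown names are rejected outright. */
function top_paths(array $lines, string $search, int $limit = 10): array
{
    if (!array_key_exists($search, SEARCHES)) {
        throw new InvalidArgumentException('unknown search');
    }
    $rule   = SEARCHES[$search];
    $counts = [];
    foreach ($lines as $line) {
        $rec = parse_log_line($line);
        if ($rec === null || !in_array($rec['status'], $rule['status'], true)) {
            continue;
        }
        if ($rule['path'] !== null && preg_match($rule['path'], $rec['path']) !== 1) {
            continue;
        }
        $counts[$rec['path']] = ($counts[$rec['path']] ?? 0) + 1;
    }
    arsort($counts);
    return array_slice($counts, 0, $limit, true);
}

/** HTML-escape anything that came from the log or the request (Dan's and Bart's XSS points). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample lines, including a scanner that puts markup into the path.
$sample = [
    '10.0.0.5 - - [26/Feb/2012:14:01:22 -0500] "GET /admin.php HTTP/1.1" 404 209 "-" "Nikto"',
    '10.0.0.5 - - [26/Feb/2012:14:01:23 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Nikto"',
    '10.0.0.5 - - [26/Feb/2012:14:01:24 -0500] "GET /admin.php HTTP/1.1" 404 209 "-" "Nikto"',
    '10.0.0.9 - - [26/Feb/2012:14:02:01 -0500] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl"',
    '10.0.0.9 - - [26/Feb/2012:14:02:02 -0500] "GET /<script>alert(1)</script> HTTP/1.1" 404 209 "-" "curl"',
    '10.0.0.7 - - [26/Feb/2012:14:03:00 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla"',
];

$search = $_GET['search'] ?? 'not_found';   // only a name; validated in top_paths()
try {
    $rows = top_paths($sample, $search);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('bad search');
}

// action="" posts back to the current URL without echoing $_SERVER['PHP_SELF'];
// if you must echo it, pass it through h() as Dan notes.
echo '<form action="" method="get"><select name="search">';
foreach (array_keys(SEARCHES) as $name) {
    $sel = $name === $search ? ' selected' : '';
    echo '<option value="' . h($name) . '"' . $sel . '>' . h($name) . '</option>';
}
echo '</select><input type="submit" value="Show"></form>';
echo '<h2>' . h($search) . '</h2><table>';
foreach ($rows as $path => $count) {
    // Array keys that look numeric become ints, hence the cast before escaping.
    echo '<tr><td>' . h((string) $path) . '</td><td>' . $count . "</td></tr>\n";
}
echo '</table>';
```

Run from the CLI it defaults to the not_found search and lists /admin.php twice, with the injected /<script>alert(1)</script> path rendered as escaped text rather than as a tag. This still does not address Bart's separation suggestion (a scheduled, lower-privileged job writing a digest that the web-facing script only reads), and as Adrian says, a password in front of it is still worth adding.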
