Full Disclosure mailing list archives
Re: Ioncube Encoded PHP Files
From: Joachim Schipper <j.schipper () math uu nl>
Date: Wed, 21 Dec 2005 14:45:03 +0100
On Thu, Dec 22, 2005 at 12:04:17AM +1100, mz4ph0d () gmail com wrote:
> On 12/21/05, Joachim Schipper <j.schipper () math uu nl> wrote:
> > Pretty much any source code encoding scheme can be defeated, given enough work. The point is in making sure that it is too much work to do so. Though I wonder what the point is - it's not likely to be all that hard to run the code on another system. The main point seems to be to prevent administrators from making local changes, and I must admit to not seeing a problem with people who have bought the software doing that.
>
> Agreed, but in this case the application is for a security purpose rather than change or server control. Looking for a secure way to include an AES password in a PHP script for use with AES_ENCRYPT() in MySQL without that password being viewable even if the source of the page is compromised. Ioncube seems to fit the bill, but wanted to enquire about whether or not that's the case.

If the application you are using gets a password, hashes it, and compares it against the hash of the password you want to see, why not just store the second hash? That will do everything you want. Could you elaborate on what you want to do, exactly?

The above, of course, is only useful if the hash does not grant equivalent privileges as the password.

And I don't know about you, but I'd rather rely on restrictive permissions in the database, the irreversibility of hashes, or somesuch (more-or-less) known-good method. (Consider, for instance, what happens when an attacker grabs the source code, and runs it in a controlled environment - it doesn't take too much effort to find out it uses MySQL, and it is not likely very difficult to get the app to spew the password at your very own MySQL server with some extra logging features.)

Joachim
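
The stored-hash suggestion and its "equivalent privileges" caveat from the message above, as an added PHP example that is not part of the original post. All function names and sample values are constructed, and OpenSSL AES-256-GCM stands in for MySQL's AES_ENCRYPT() so the block runs without a database.

```php
<?php
// Added illustration, not code from the thread. All names and values are constructed.

// What the deployed script holds: a salted, stretched hash, never the password.
function make_verifier(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Case 1: the stored value is only compared against. Reading it from the
// source does not help, because the hash itself is not accepted as a password.
function login_ok(string $submitted, string $verifier): bool
{
    return password_verify($submitted, $verifier);
}

// Case 2 (the caveat): the stored value itself keys the cipher. It now grants
// the same privileges as a password would, so anyone who reads it can decrypt.
function encrypt_with_stored_value(string $plaintext, string $stored): string
{
    $key = hash('sha256', $stored, true);   // 32 bytes for AES-256
    $iv  = random_bytes(12);                // fresh GCM nonce per message
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function decrypt_with_stored_value(string $blob, string $stored): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte nonce + 16-byte tag
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', hash('sha256', $stored, true),
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

$verifier = make_verifier('constructed-sample-passphrase');
var_dump(login_ok('constructed-sample-passphrase', $verifier)); // correct password
var_dump(login_ok($verifier, $verifier));  // leaked hash replayed as the password

$blob = encrypt_with_stored_value('constructed record', $verifier);
// Only $verifier, i.e. what a source leak exposes, is needed to read the data:
echo decrypt_with_stored_value($blob, $verifier), "\n";
```
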