PaulDotCom mailing list archives

Re: Is this a secure way to parse logs over the web?


From: Dancing Dan <d4ncingd4n () gmail com>
Date: Sun, 26 Feb 2012 12:21:16 -0600

Disclaimer: My PHP skills are very rusty, so I may have misunderstood some
of what I saw. Some of what I say may be complete or partial rubbish....
YMMV

I'm not sure how much of a difference this would make, but I would
constrain the choices from the Internet to specific items instead of
allowing regexes. It would be good to whitelist the specific searches you
want to allow and discard anything not on the approved list.

You could separate the retrieval and searching functions from the display
functions by using a scheduled task on the server to extract the data to
separate files with a subset of data. Not necessarily real time, but it
would gain a little separation and could be a lower-privileged process under
a separate account. This could be especially helpful if you are using SELinux
or other MAC control.

I would also suggest considering the types of data that could be stored in
the log. It would be a bad thing (TM) for someone to generate a log event
that would cause reflected XSS when viewing the log file in a browser. My
paranoia would cause me to retrieve a text file containing data that I
could view as pure ASCII....

Hope this helps....

Bart

On Fri, Feb 24, 2012 at 10:02 AM, Adrian Crenshaw <irongeek () irongeek com> wrote:


Ok, not saying this code is well done, but I had a question about whether it
was possible to do some Regex injection that has really bad consequences.
I've made a simple little PHP (attached) script as a test to look for the
top 404s and 403s on a site based on its HTTP log. Since web scanners seem
to cause a lot of these (causing errors and looking for files that are not
there), it seems like a good way to spot them. The downside: I'm pretty
much letting the user put anything into the regular expression for
searching that they want. I'm not using the exec function, but preg_match
instead, so shell execution should not be an issue as far as I know.
Assuming I don't care if people know what is in my logs, how secure is
this? I could also always just password it off.


Thanks,
Adrian


--
"The ability to quote is a serviceable substitute for wit." ~ W. Somerset
Maugham

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

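The two points in Dan's reply that translate directly into code are the allowlist of fixed searches (so no regex ever arrives from the network) and HTML-escaping of every log-derived value before it reaches a browser. The following is an added example written for this thread; it is not Adrian's attached script (which is not on the page) and not anything from the list. It assumes Apache combined log format, PHP 7.4 or later, and a `search` query parameter; the log lines inside it are constructed, including one whose request path carries a script tag to show the escaping at work.

```php
<?php
// Added example: fixed, server-side searches instead of a user-supplied
// regex, and HTML-escaped output so a crafted request line in the log
// cannot become reflected XSS in the viewer. Not the script from the thread.

declare(strict_types=1);

// The only searches a remote user may select. Keys come from the query
// string; the regexes below never do.
const ALLOWED_SEARCHES = [
    'top404' => ['status' => '404', 'label' => 'Top 404 paths'],
    'top403' => ['status' => '403', 'label' => 'Top 403 paths'],
];

// One Apache combined-log line (assumed format): client, request line,
// status code, response size. Named groups keep the tally code readable.
const LOG_LINE_RE = '/^(?<client>\S+) \S+ \S+ \[[^\]]+\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+/';

/**
 * Resolve the requested search against the allow list. Anything not on the
 * list is discarded, never interpreted as a pattern.
 */
function selectSearch(?string $requested): ?array
{
    if ($requested === null || !array_key_exists($requested, ALLOWED_SEARCHES)) {
        return null;
    }
    return ALLOWED_SEARCHES[$requested];
}

/**
 * Count requested paths over log lines carrying the wanted status code.
 * Returns [path => hits], most frequent first, at most $limit entries.
 */
function tallyPaths(iterable $lines, string $status, int $limit = 10): array
{
    $counts = [];
    foreach ($lines as $line) {
        if (preg_match(LOG_LINE_RE, $line, $m) !== 1) {
            continue; // unparseable line: skip it rather than echo it raw
        }
        if ($m['status'] !== $status) {
            continue;
        }
        $counts[$m['path']] = ($counts[$m['path']] ?? 0) + 1;
    }
    arsort($counts);
    return array_slice($counts, 0, $limit, true);
}

/** Render the tally as HTML with every log-derived value escaped. */
function renderTable(string $label, array $tally): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $out = '<h2>' . $h($label) . "</h2>\n<table>\n";
    foreach ($tally as $path => $hits) {
        // Cast: PHP turns purely numeric string keys into ints.
        $out .= '<tr><td>' . $h((string) $path) . '</td><td>' . (int) $hits . "</td></tr>\n";
    }
    return $out . "</table>\n";
}

// Constructed sample log lines (not real traffic). The last one carries a
// script tag in the request path, the case the reply above warns about.
$sampleLog = [
    '10.0.0.1 - - [24/Feb/2012:10:00:00 -0600] "GET /admin/ HTTP/1.1" 404 512',
    '10.0.0.1 - - [24/Feb/2012:10:00:01 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 512',
    '10.0.0.1 - - [24/Feb/2012:10:00:02 -0600] "GET /admin/ HTTP/1.1" 404 512',
    '10.0.0.2 - - [24/Feb/2012:10:00:03 -0600] "GET /.htaccess HTTP/1.1" 403 300',
    '10.0.0.3 - - [24/Feb/2012:10:00:04 -0600] "GET /<script>alert(1)</script> HTTP/1.1" 404 512',
];

// Web request: ?search=top404 ; CLI for testing: php viewer.php top404
$requested = $_GET['search'] ?? ($argv[1] ?? null);
$search = selectSearch($requested);
if ($search === null) {
    http_response_code(400);
    exit('Unknown search.'); // the rejected value is deliberately not echoed back
}
echo renderTable($search['label'], tallyPaths($sampleLog, $search['status']));
```

With `top404` selected, the table lists `/admin/` twice, then `/phpmyadmin/` and the script-tag path once each, and the last one arrives in the browser as `&lt;script&gt;alert(1)&lt;/script&gt;` rather than as markup. Because the selector is a dictionary key and not a pattern, a request for `search=.*` or any other string simply gets a 400, so the question of what a hostile regex could do to `preg_match` never arises. The scheduled-task separation Dan describes sits outside this script: a cron job under an unprivileged account would write the tallies to a file, and the web-facing part would only read and escape that file.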
