WebApp Sec mailing list archives
RE: RE: Ten Security Checks for PHP, Part 1 {Very usefull sugestions....}
From: "Ing. Bernardo Lopez" <bloodk () prodigy net mx>
Date: Sat, 22 Mar 2003 15:46:18 -0600
PHP is a script language with many stuff... but... if you don't know how to secure a server you may put http://yourserver.com/etc/password (like if you put / as Root in the server). To avoid that stuff just turn safe_mode ON and some stuff in php.ini... Like everything, if PHP thinks you are the only one who can access that machine, you could have FULL access... but as many HTTP servers you share it with the world... so... edit your php.ini or...

Also I agree with Howard. Also you must open a file called stuff.php from other server... AND that server must have .php PHP scripting disabled (just like geocities or servers like), else you will get an HTML static page...

httpd:

    <Directory /home/httpd/htdocs/insecure>
        php_admin_value open_basedir /home/httpd/htdocs/insecure/
        php_admin_flag safe_mode On
    </Directory>

With that stuff you could get a *secure* directory... Yea, I know... it is a stupid action to think this will make all safe... but at least you will not be able to include/move/read/write ../../ /etc/passwd

Have a nice day!

PD: PHP should ever be with safe_mode = On... almost always... (also you should check in .htaccess)

On Fri, 2003-03-21 at 18:42, Michael Howard wrote:
Aaarrrgggg...

>> // $page is a variable from the URL
>> include($page);
>>
>> The user could set the $lib_dir or $page variables and include files such as /etc/passwd or remote files such
>> as http://www.some-site.com/whatever.php with malicious code. This malicious code could potentially delete
>> files, corrupt databases, or change the values of variables used to track authentication status.
>>
>> What to Look For
>>
>> Search code for the following functions:
>> readfile
>> fopen
>> file
>> include
>> require

This is just wrong. The security issue is NOT THESE FUNCTIONS - it's the data, the fact that $page is untrusted is the issue.... Check the data.... If the data is untrusted, then validate it is correctly formatted, correct and safe, and then call the functions you need to get the job done...

Cheers, Michael
Secure Windows Initiative
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp

-----Original Message-----
From: Bob Auger [mailto:bauger () spidynamics com]
Sent: Friday, March 21, 2003 1:39 PM
To: webappsec () securityfocus com

I found this linked from net-security.org today. Probably of interest to the list.

http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html

- Robert A.
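The point Howard makes above (validate the untrusted $page before calling include, rather than banning the function) can be shown in a few lines of PHP. The following is an added example written for this archive page; it is not code from the thread, from the onlamp article, or from any of the posters. The directory path and the page names in the allow-list are made up for the illustration. It pairs the data check Howard asks for with the filesystem containment Lopez gets from open_basedir, so the include is safe even if one of the two layers is misconfigured.

```php
<?php
// Added example (not from the thread): a hardened replacement for the
// article's "include($page);" where $page arrives straight from the URL.
// Assumption: page templates live as <name>.php under PAGES_DIR (made-up path).

const PAGES_DIR = '/home/httpd/htdocs/pages';

// Explicit allow-list of page names the application deliberately exposes
// (hypothetical names for this example).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Turn an untrusted page name into an absolute file path, or null if the
 * input fails any check. Three layers, each of which rejects the
 * "/etc/passwd", "../../", and "http://..." cases from the article on its own:
 *   1. format:      only a short bare identifier, so no '/', '..', ':' or NUL
 *   2. allow-list:  only names we chose to publish
 *   3. containment: the resolved real path must still sit under PAGES_DIR
 */
function resolve_page(string $untrusted): ?string
{
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $untrusted)) {
        return null;                       // wrong shape: reject, do not "clean"
    }
    if (!in_array($untrusted, ALLOWED_PAGES, true)) {
        return null;                       // well-formed but not one of ours
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $untrusted . '.php');
    // realpath() returns false for a missing file and collapses any symlink or
    // '..' tricks, so a simple prefix test is enough for the containment check.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';           // untrusted input, as in the article
$file = resolve_page($page);
if ($file === null) {
    http_response_code(404);               // fail closed; never fall back to raw $page
    exit('Unknown page');
}
include $file;                              // the function is fine once the data is
```

The order of the checks matters: the cheap format test runs first so that nothing containing a slash, colon or dot sequence ever reaches the filesystem, the allow-list decides what is published, and realpath() is only a backstop. An open_basedir line in httpd.conf like the one Lopez shows adds a fourth layer at the interpreter level, which is useful because it also covers includes elsewhere in the code base that nobody has reviewed yet.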
Current thread:
- Ten Security Checks for PHP, Part 1 Bob Auger (Mar 21)
- <Possible follow-ups>
- RE: Ten Security Checks for PHP, Part 1 Michael Howard (Mar 22)
- RE: RE: Ten Security Checks for PHP, Part 1 {Very usefull sugestions....} Ing. Bernardo Lopez (Mar 23)
- Re: Ten Security Checks for PHP, Part 1 Sverre H. Huseby (Mar 23)
- RE: Ten Security Checks for PHP, Part 1 Michael Howard (Mar 23)