RE: RE: Ten Security Checks for PHP, Part 1 {Very usefull sugestions....}

["Ing. Bernardo Lopez" <bloodk () prodigy net mx>]

PHP is an script language whit many stuff... but... if you dont know how
to secure a server you may put http://yourserver.com/etc/password (like
if you put / as Root in the server)

To avoid that stuff just turn safe_mode ON and some stuff in php.ini ...

Like everithing, if php thinks you are the only who can access that
machine, you could have FULL access... but as many http servers you
share it whit the world... so... edit your php.ini or...

Also i agre whit Howard.

Also you must open a file called stuff.php from other server... AND that
server must have .php php scripting disabled (just like geocities or
servers like), else you will get an html static page...

httpd:
<Directory /home/httpd/htdocs/insecure>
php_admin_value open_dir /home/httpd/httdocs/insecure/
php_admin safe_mode 1
</Directory>

Whit that stuff you could get a *secure* directory...

Yea, i know... is a stupid action think this will make all safe... but
at least you will not be able to include/move/read/write../../ 

/etc/passwd

Have a nice day!

PD: php should ever be whit safe_mode = On... almost always... (also you
should check in .htaccess)


On Fri, 2003-03-21 at 18:42, Michael Howard wrote:
> Aaarrrgggg...
>
> > > // $page is a variable from the URL
> > > include($page); 
> > > The user could set the $lib_dir or $page variables and include files
> such as /etc/passwd or remote files such >>as
> http://www.some-site.com/whatever.php with malicious code. This
> malicious code could potentially delete >>files, corrupt databases, or
> change the values of variables used to track authentication status.
> > > What to Look For
> > > Search code for the following functions: 
> > >
> > > readfile 
> > > fopen 
> > > file 
> > > include 
> > > require  
>
> This is just wrong. The security issue is NOT THESE FUNCTIONS - it's the
> data, the fact that $page is untrusted is the issue....
>
> Check the data.... If the data is untrusted, then validate it is
> correctly formatted, correct and safe, and then call the functions you
> need to get the job done...
>
>
>
>
> Cheers, Michael
> Secure Windows Initiative
> Writing Secure Code 2nd Edition
> http://www.microsoft.com/mspress/books/5957.asp
>
>
> -----Original Message-----
> From: Bob Auger [mailto:bauger () spidynamics com] 
> Sent: Friday, March 21, 2003 1:39 PM
> To: webappsec () securityfocus com
>
> I found this linked from net-security.org today. Probabl of interest to
> the list.
>
> http://www.onlamp.com/pub/a/php/2003/03/20/php_security.html
>
> - Robert A.