Because I am me, I've been learning about web application security holes for some time. However, I have now started to learn PHP in earnest, and I'm now trying to defend my scripts against the usual attacks. After tearing out several patches of hair trying to make a half-decent variable checker, I finally decided to consult the PHP manual, deciding that someone else must have already done something similar. It turns out that they had: '^[^./][^/]*$' was mentioned as an ereg parameter, and the code was about twenty lines shorter than what I was churning out, although it seems to be based on the same principles (even though I was using preg_match). But this now begs the question, What The Hell Does It Mean? I don't speak PHP parser (yet), so could someone tell me what that clump of ASCII is up to?
And what's more, looking at the code in question, surely the attacker could just close and exit the if statement and then carry on as he was before? The solution almost seems more dangerous than the cure. In case you wondered, I'm currently creating a download manager, and I'm trying to stop people traversing around by fiddling with the URL and then downloading password files and the like (I'd previously forced it to show me the entire downloads folder, for example).
I've already forced the script to append a .zip extension to the requested file, but that might not be enough. Your thoughts on that one? The PHP executable will be running with root access rights, so yes it could dish out the password files on a nix system (where it's headed when I'm done with it).
Hang on... Wouldn't it be easier (and safer) to catch and refuse any requests that contain non-alphanumeric characters, instead of trying to scan for any funny business? *Ponders*
I have never actually run a website (I just build them for friends), and so the answer to this next one may be painfully obvious to most of you. I keep getting one of two errors when my counter tries to write to a log file: one error is that the file or directory does not exist, and the other is that it isn't writable. I'm assuming that the first error is another manifestation of the second, but how can I solve it? The development server (aka my laptop with its professional hat on) is an XP machine running Apache 1.3 and PHP 4.2 if that helps. I presume I need to do a bit of chmodding? If so, how does one go about it?
I'm also having trouble making the script allow localhost as a referrer. Unlike the previous problem, this one's probably down to my coding. The bare-bones of the code in question goes _something_ like:
PHP Code:
// The referrer arrives as $_SERVER['HTTP_REFERER'] (one R); $http_referrer is never set,
// so $ref was always empty and the match always failed.
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (preg_match("/local/i", $ref)) {
    // Header name and value must be separated by a colon, and the script
    // should stop after sending the redirect.
    header("Location: /zips/afile.zip");
    exit;
} else {
    echo "Cheese";
}
And please don't complain about my using preg_match - it's only until I get the blasted thing working, then I'll use something more refined. There isn't much that could go wrong, but Something's Up Somewhere. As a test I made a PHP file that outputs the referrer to the screen, and it shows the page I came from, so that's got me rightly flummoxed. Just what is going wrong?
Finally, I'm also playing around with overlaying one PNG image onto another. I'm not trying to make it output an image, but create a separate one somewhere else, and I've tried six or seven different ways of doing it, but none seem to work as they should. What libraries/extensions do I need to do so? Phpinfo says that I have gd 2.0 or higher, yet many examples in the PHP manual don't work either. I doubt anyone here has tried to use PHP to create PNGs, but if you have, some assistance would be muchly appreciated.
And if you actually took the time to read all of this post, then I admire your stamina!
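The pattern asked about in the first paragraph, and the alphanumeric-only idea from the fourth, worked through as an added PHP example (not code from the post); DOWNLOAD_DIR, the function names and the sample file names are assumptions:

```php
<?php
// Added example: validating the file name a download script receives.
// Assumes DOWNLOAD_DIR is the folder the script is allowed to serve.
define('DOWNLOAD_DIR', '/var/www/downloads');   // assumed location

// The manual's ereg pattern, written for preg_match, piece by piece:
//   ^      anchor at the start of the string
//   [^./]  first character is neither '.' nor '/', which refuses
//          '.htaccess', '../...' and absolute paths like '/etc/passwd'
//   [^/]*  the rest may be anything except '/', so no subdirectories
//   $      anchor at the end of the string
function name_passes_manual_regex($name) {
    return preg_match('/^[^.\/][^\/]*$/', $name) === 1;
}

// Stricter allowlist (the "refuse anything non-alphanumeric" idea):
// letters, digits, underscore and hyphen only, 1 to 64 characters.
// Unlike the manual pattern it also refuses backslashes, which matter
// when the script is developed on Windows.
function name_passes_allowlist($name) {
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) === 1;
}

// Belt and braces: resolve the final path and confirm it is still inside
// DOWNLOAD_DIR. Returns the resolved path, or null if the request is refused.
function resolve_download($name) {
    if (!name_passes_allowlist($name)) {
        return null;
    }
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $name . '.zip');
    if ($base === false || $path === false) {
        return null;                       // folder or file does not exist
    }
    if (strpos($path, $base . '/') !== 0) {
        return null;                       // resolved outside the folder
    }
    return $path;
}

// Constructed sample names showing what each check says about them.
$samples = array('report1', '../etc/passwd', '.htaccess', 'a b', 'x\\..\\y');
foreach ($samples as $n) {
    printf("%-16s manual:%d allowlist:%d\n", $n,
        name_passes_manual_regex($n), name_passes_allowlist($n));
}
```

Note that 'a b' and 'x\..\y' pass the manual pattern (neither contains '/') but fail the allowlist, which is why the realpath containment check is kept as the last line of defence regardless of which pattern is used.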