RE: [PHP] /etc/passwd

2003-07-11 Thread Ford, Mike [LSS]
> -Original Message-
> From: Fejes Jozsef [mailto:[EMAIL PROTECTED]
> Sent: 10 July 2003 12:33
> 
> My method is:
> 1. check if id starts with /
> if(ereg("^\/", $id))
>   goaway;

That's a rather expensive (and slightly obscure) way of performing that check. Try:

  if ($id{0}=='/')
goaway;


> 2. check if there is .. in it
> if(ereg("\.\.", $id))
>   goaway;

Likewise:

  if (strpos($id, '..')!==FALSE)
goaway;

Cheers!

Mike

-
Mike Ford,  Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
Email: [EMAIL PROTECTED]
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] /etc/passwd

2003-07-10 Thread Marek Kilimajer
Mantas Kriauciunas wrote:

> The problem is
> if the make script <? if($id) include($id); ?>
> and then just write
> test.php?id=/etc/passwd , they see all the file.
Check if $id is valid. Exact way depends on the structure of the files.
Example 1: All included files are in web root and are named 
something.html, something can contain letters, underscore, digits.
if($id && eregi('^[a-z0-9_]+\.html',$id)) include($id);

Example 2: The included files split into several directories, which can 
contain letters, underscore, digits.
if($id && eregi('^[a-z0-9_]+/[a-z0-9_]+\.html',$id)) include($id);

Sure, this assumes you have nothing to hide in your *.html files.

> So how to make sure that no one can access other people files and
> server files? and is there any way that nobody would be able to
> download php files or how to make them look like code when they are
> downloaded. Thanks!
> P.S If someone knows good links please reply me! thanks a lot!
> 
> ---Don't Get Mad, Ged Glad , Buy Gladware---



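An added example of the allowlist approach Marek describes above (not code from the thread): the two layouts are checked with preg_match() in place of ereg(), the patterns are anchored at both ends so nothing can trail the accepted ".html", and the validated name is joined to a fixed pages directory, an assumed location.

```php
<?php
// Added example: allowlist validation of $id before include().
// Assumption: all includable pages live under $pages_dir (constructed value).
$pages_dir = __DIR__ . '/pages';

function validate_page_id(string $id, bool $allow_subdir = false): bool
{
    // Example 1 from the thread: something.html, letters/digits/underscore only.
    // Example 2: one subdirectory level with the same character class.
    // Both patterns are anchored with ^ and $, so "about.html/../x" cannot pass.
    $pattern = $allow_subdir
        ? '/^[a-z0-9_]+\/[a-z0-9_]+\.html$/i'
        : '/^[a-z0-9_]+\.html$/i';
    return $id !== '' && preg_match($pattern, $id) === 1;
}

function include_page(string $id, string $pages_dir, bool $allow_subdir = false): void
{
    if (!validate_page_id($id, $allow_subdir)) {
        http_response_code(400);
        exit('Go away!');
    }
    // The pattern admits no "..", no leading "/" and at most one separator,
    // so the joined path cannot leave $pages_dir.
    include $pages_dir . '/' . $id;
}

// Constructed sample values, as ?id=... might arrive; true = should be accepted.
$samples = [
    'about.html'           => true,
    'docs/intro.html'      => false,  // accepted only with $allow_subdir = true
    '/etc/passwd'          => false,
    '../../etc/passwd'     => false,
    'about.html/../x.html' => false,  // trailing text fails the $ anchor
    'about.php'            => false,
];
foreach ($samples as $id => $expected) {
    $ok = validate_page_id($id);
    printf("%-22s %s\n", $id, $ok ? 'accepted' : 'rejected');
    assert($ok === $expected);
}
```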


Re: [PHP] /etc/passwd

2003-07-10 Thread Marek Kilimajer
Exactly like I said, just check this:
$id='/etc/passwd';
if($id && eregi('^[a-z0-9_]+\.html',$id)) include($id);
else die('Go away!');
The regular expression prevents anyone from accessing any file that is 
not in your web root (http://your.server.net/) or whose name contains 
any other character than letters, numbers or underscore or does not end 
with the html extension. This is pretty strict, so the chance you will miss 
something is 0.
The syntax of the regular expression depends on your needs; I don't know 
them so I can't help you.

Mantas Kriauciunas wrote:

> Hello Marek,
> 
> Thanks for the answer, but I think you misunderstood me because of my
> bad English. What I mean is the people with that code can access and
> view files on any place on my server and see the passwords stored in
> some files, decode them, and do stuff like that. I wanted to know how
> to prevent that from happening? If the people make file like this, how
> to protect myself so they could not view the /etc/passwd file?
> Thursday, July 10, 2003, 5:13:33 AM, you wrote:
> 
> MK> Mantas Kriauciunas wrote:
> 
>> The problem is
>> if the make script <? if($id) include($id); ?>
>> and then just write
>> test.php?id=/etc/passwd , they see all the file.
> MK> Check if $id is valid. Exact way depends on the structure of the files.
> MK> Example 1: All included files are in web root and are named 
> MK> something.html, something can contain letters, underscore, digits.
> MK> if($id && eregi('^[a-z0-9_]+\.html',$id)) include($id);
> 
> MK> Example 2: The included files split into several directories, which can 
> MK> contain letters, underscore, digits.
> MK> if($id && eregi('^[a-z0-9_]+/[a-z0-9_]+\.html',$id)) include($id);
> 
> MK> Sure, this assumes you have nothing to hide in your *.html files.
> 
> 
> So how to make sure that no one can access other people files and
> server files? and is there any way that nobody would be able to
> download php files or how to make them look like code when they are
> downloaded. Thanks!
> P.S If someone knows good links please reply me! thanks a lot!
> 
> ---Don't Get Mad, Ged Glad , Buy Gladware---



Re: [PHP] /etc/passwd

2003-07-10 Thread Jason Wong
On Thursday 10 July 2003 17:26, Mantas Kriauciunas wrote:

> my server is running freebsd 5.0
> 
> and yet I haven't fixed bug that I knew long time ago, so can anyone
> point me with some links or resources about it, I could not find any
> good on google, maybe I don't know how to search.

First of all it's not a bug.

> The problem is
> if the make script <? if($id) include($id); ?>
> and then just write
> test.php?id=/etc/passwd , they see all the file.
> 
> So how to make sure that no one can access other people files and
> server files? and is there any way that nobody would be able to
> download php files or how to make them look like code when they are
> downloaded. Thanks!

You should only be allowing people to include files from pre-determined 
directories. So use explode() or basename() to extract the filename then 
prepend the pre-determined directory.

-- 
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
The whole problem with the world is that fools and fanatics are always so
certain of themselves, but wiser people so full of doubts.
-- Bertrand Russell
*/


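An added example (not Jason's own code) of the approach in the reply above: keep only the file name with basename(), prepend a pre-determined directory, and then confirm with realpath() that the result still lies inside that directory. The base directory and the single page in it are constructed so the script runs stand-alone.

```php
<?php
// Added example: basename() + fixed directory + realpath() containment check.

function resolve_include(string $id, string $base): ?string
{
    // basename() drops every directory component: "/etc/passwd" and
    // "../../etc/passwd" both collapse to "passwd", "x/../about.html" to
    // "about.html". The request can no longer choose a directory.
    $name = basename($id);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Only the one extension we actually serve (the thread's .php concern).
    if (!preg_match('/^[A-Za-z0-9_]+\.html$/', $name)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file and resolves symlinks, so this
    // prefix check also catches a link inside $base that points elsewhere.
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo directory holding one real page.
$base = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/about.html', "<p>About</p>\n");
$base = realpath($base);

// Constructed sample ids: only about.html (however it is dressed up) resolves.
$samples = ['about.html', '/etc/passwd', '../../etc/passwd', 'x/../about.html', 'index.php'];
foreach ($samples as $id) {
    $path = resolve_include($id, $base);
    printf("%-20s -> %s\n", $id, $path === null ? 'rejected' : 'include ' . basename($path));
}
// In a real page: $path = resolve_include($_GET['id'] ?? '', $base); include $path;

unlink($base . '/about.html');
rmdir($base);
```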



Re: [PHP] /etc/passwd

2003-07-10 Thread Fejes Jozsef
My method is:
1. check if id starts with /
if(ereg("^\/", $id))
  goaway;

2. check if there is .. in it
if(ereg("\.\.", $id))
  goaway;



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] /etc/passwd

2003-07-10 Thread Marek Kilimajer
Add a check for php files, or any other files you don't want anybody to 
include:
if(ereg('php[0-9]$', $id))
  goaway;

Fejes Jozsef wrote:

> My method is:
> 1. check if id starts with /
> if(ereg("^\/", $id))
>   goaway;
> 2. check if there is .. in it
> if(ereg("\.\.", $id))
>   goaway;






Re: [PHP] /etc/passwd

2003-07-10 Thread Chris Hayes
At 13:45 10-7-03, Marek wrote:
> Add a check for php files, or any other files you don't want anybody to 
> include:
> if(ereg('php[0-9]$', $id))
>   goaway;
but what about '?' and '#' additions?

$id="however_they_would_find_out/your_path/file.php?extra=x#loc";
  ?
so maybe

if(ereg('\.php', $id)) ?





Re: [PHP] /etc/passwd

2003-07-10 Thread Wendell Brown
> So how to make sure that no one can access other people files and
> server files? and is there any way that nobody would be able to
> download php files or how to make them look like code when they are
> downloaded. Thanks!

I think he means "How do I keep people who have access to upload their
OWN php scripts to my server from accessing files outside their
directory?"  :)

Check out the following:

 http://www.php.net/manual/en/features.safe-mode.php#ini.open-basedir

 http://www.php.net/manual/en/security.php
 http://www.php.net/manual/en/features.safe-mode.php#ini.safe-mode






Re: [PHP] /etc/passwd

2003-07-10 Thread Andreas Mendyk
Hi,


> if the make script <? if($id) include($id); ?>
> and then just write
> test.php?id=/etc/passwd , they see all the file.


Well, FreeBSD provides a way to jail webservers:  Jails  8-)

http://www.freebsd.org/doc/en_US.ISO8859-1/books/developers-handbook/jail.html



with best regards
-- 
Andreas Mendyk [EMAIL PROTECTED] - mobile +49 172 7111512
   Uhlandstr. 7  D-73271 Holzmaden
   http://www.mendyk.net/
