php-Lib-Dev
Re[2]: [phplib-dev] security: READ THIS!
by Jeff Stuart other posts by this author
Jul 14 2001 5:16PM messages near this date
Hello nathan,


Ok.. let me ask a stupid question here.

Exactly WHAT is the hole?  You're redirecting $_PHPLIB[libdir].  Ok.. so my
prepend.php3 has the following:
require($_PHPLIB["libdir"] . "db_mysql.inc");  /* Change this to match your database. */
require($_PHPLIB["libdir"] . "ct_sql.inc");    /* Change this to match your data storage container */
require($_PHPLIB["libdir"] . "session.inc");   /* Required for everything below. */
require($_PHPLIB["libdir"] . "auth.inc");      /* Disable this, if you are not using authentication. */
require($_PHPLIB["libdir"] . "perm.inc");      /* Disable this, if you are not using permission checks. */
require($_PHPLIB["libdir"] . "user.inc");      /* Disable this, if you are not using per-user variables. */
require($_PHPLIB["libdir"] . "local.inc");     /* Required, contains your local configuration. */
require($_PHPLIB["libdir"] . "page.inc");      /* Required, contains the page management functions. */

Now since I define my database connections in local.inc, exactly WHAT is the
problem?  My script won't work.  Oh no!  Some "hacker" just broke my script
but just for him/her.  Or am I just being dense here?

Saturday, July 14, 2001, 8:35:56 AM, you wrote:

nrh>  On Sat, 14 Jul 2001, giancarlo pinerolo wrote:

> > Gosh
> > with regards to this paper, named PHP Security Paper (a study in
> > scarlet)...
> >
> > http://www.securereality.com.au/studyinscarlet.txt
> >
> > I always thought _PHPLIB was a defined constant, now I realize it is an
> > array
> > try this script please, which can override the $_PHPLIB[libdir] value.
> >
> > in the third input field, which overrides _PHPLIB[libdir], type '/tmp/',
> > and it will include a file named 'test' there
> >
> > Giancarlo

nrh>  [snip scripts]

nrh>  This is because $_PHPLIB['libdir'] is only initialized if it isn't present.
nrh>  Simply remove the if(!(is_array($_PHPLIB)) { call and it will be better.
nrh>  If you don't use this functionality in prepend.php3 (eg: you have phplib
nrh>  in PHP's include_path) then simply define $_PHPLIB['libdir'] as a NULL
nrh>  or empty string.

nrh>  Better yet, enable track_vars and disable register_globals for php, and
nrh>  this won't be a problem, because your user input will be located in
nrh>  $HTTP_GET_VARS['_PHPLIB']['libdir'] not in the global environment

nrh>  -n


-- 
Unsubscribe by sending mail to:      phplib-dev-unsubscribe@[...].de
Command list by sending mail to:     phplib-dev-help@lists.netuse.de
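As an added illustration (not code from this message, from nathan, or from PHPLIB itself), the initialisation pattern nathan describes next to the fix he proposes. The default library directory is applied only when `$_PHPLIB` is not already an array, so under register_globals a request parameter named `_PHPLIB[libdir]` becomes that array before prepend.php3 runs and every `require()` above then loads from the directory the client chose. The function names, the temporary library directory and the sample request array are assumptions made for the demo; the last function is an extra containment check that is not part of PHPLIB.

```php
<?php
// Added example, not PHPLIB code. $symtab stands in for the global symbol
// table that register_globals fills from the request before prepend.php3
// runs; $configured is the directory the administrator intended.

// Original pattern: the default is set only when no $_PHPLIB array exists yet,
// so a value planted by the request survives.
function libdir_conditional(array $symtab, $configured)
{
    if (!isset($symtab['_PHPLIB']) || !is_array($symtab['_PHPLIB'])) {
        $symtab['_PHPLIB'] = array('libdir' => $configured);
    }
    return $symtab['_PHPLIB']['libdir'];
}

// Fixed pattern (nathan's advice): assign the configured value unconditionally,
// overwriting whatever the request put into the global scope.
function libdir_unconditional(array $symtab, $configured)
{
    $symtab['_PHPLIB'] = array('libdir' => $configured);
    return $symtab['_PHPLIB']['libdir'];
}

// Defence in depth for the require() calls themselves (assumed helper): resolve
// the requested file and accept it only if it lies inside the configured
// library directory. Returns the resolved path, or null when it must not be loaded.
function resolve_lib_file($configured, $libdir, $file)
{
    $base   = realpath($configured);
    $target = realpath($libdir . $file);
    if ($base === false || $target === false) {
        return null;                        // configured dir or requested file does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return null;                        // resolved path lies outside the library directory
    }
    return $target;
}

// --- demo with a constructed library directory and a constructed request ---
$configured = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'phplib_demo_' . getmypid() . DIRECTORY_SEPARATOR;
mkdir($configured);
file_put_contents($configured . 'local.inc', "<?php // constructed stand-in for local.inc\n");

$clean    = array();                                   // request without _PHPLIB
$tampered = array('_PHPLIB' => array(                  // constructed: what ?_PHPLIB[libdir]=/tmp/ creates
    'libdir' => sys_get_temp_dir() . DIRECTORY_SEPARATOR,
));

printf("conditional, clean request:    %s\n", libdir_conditional($clean, $configured));
printf("conditional, tampered request: %s\n", libdir_conditional($tampered, $configured));  // client's directory
printf("unconditional, tampered:       %s\n", libdir_unconditional($tampered, $configured)); // configured directory

$clientDir = libdir_conditional($tampered, $configured);
var_dump(resolve_lib_file($configured, $configured, 'local.inc')); // string: inside the library dir
var_dump(resolve_lib_file($configured, $clientDir, 'local.inc'));  // NULL: not under the library dir

unlink($configured . 'local.inc');
rmdir($configured);
```

The unconditional assignment closes the hole in prepend.php3 on its own; the `resolve_lib_file` check is only useful where `libdir` may still be influenced by something other than the hard-coded default. The setting nathan refers to is `register_globals = Off` in php.ini: with it off, client input is available only through `$HTTP_GET_VARS` and `$HTTP_POST_VARS` (and `$_GET`/`$_POST` from PHP 4.1 on) and never becomes a global variable by itself.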