Re: [PHP] Secure system calls -- how

Posted by Richard Lynch on 02/09/05 22:51

Niels wrote:
> Richard Lynch wrote:
> One of the things I've asked for is articles and tutorials, but there
> apparently aren't any on this subject. I can find many on validating user
> input, securing sessions and that kind of thing. But not this, no "howto
> make php run useradd safely". I've seen many other people have problems
> with this, but no tutorials are to be found.

Perhaps the reason there is no article or tutorial is that it would be a
book, not an article or tutorial :-)

There are so MANY affected/related software system pieces that you can't
do it justice in an article or tutorial, I suspect.

The interaction between your scripts, the OS, PHP and every other script
or piece of software on the system comes into play once you start granting
special privileges to the PHP user.

Here's a method you could easily miss:
Create a JPEG that looks like a JPEG in its header, but has malevolent
PHP code in it.
Then, upload that JPEG to your server as an avatar or whatever through
some kind of file upload anywhere on the system.
Then, surf to that image with variations on ".php" in the URL in an
attempt to get PHP to execute that image as PHP code.

This is exactly the kind of thing that *CAN* happen by successive small
minor mistakes taken one at a time over years of a server build-up, none
of which in and of themselves will be obvious as a problem, until too
late.

--
Like Music?
http://l-i-e.com/artists.htm
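The trick Richard describes above, worked through as an added example that is not part of the original post or of any project it mentions: build a file that really is a JPEG but carries PHP code in a comment segment, show that the usual header/MIME check accepts it, and then apply the controls that actually stop it (tag scan, decode-and-re-encode, and storing under a server-chosen name and extension outside the document root). All function names and the payload string are illustrative assumptions; the code assumes PHP 7.4 or later with the GD extension and runs from the command line.

```php
<?php
// Added example, not code from the original post. Demonstrates the trick described
// above (a real JPEG header with PHP code inside) and the upload-side controls that
// defeat it. Assumes PHP 7.4+ with the GD extension; all sample data is constructed.
declare(strict_types=1);

// Build a small valid JPEG with GD, then splice a COM (0xFFFE) segment carrying the
// payload in after the JFIF APP0 segment. Decoders skip COM, so it is still a JPEG.
function makePolyglotJpeg(string $payload): string
{
    $im = imagecreatetruecolor(8, 8);
    imagefill($im, 0, 0, imagecolorallocate($im, 200, 30, 30));
    ob_start();
    imagejpeg($im, null, 80);
    $jpeg = ob_get_clean();
    imagedestroy($im);

    $insertAt = 2;                                   // right after SOI (FF D8)
    if (substr($jpeg, 2, 2) === "\xFF\xE0") {        // APP0 present: go past it
        $insertAt = 4 + unpack('n', substr($jpeg, 4, 2))[1];
    }
    // COM segment: marker, 2-byte big-endian length (payload + 2), payload.
    $com = "\xFF\xFE" . pack('n', strlen($payload) + 2) . $payload;
    return substr($jpeg, 0, $insertAt) . $com . substr($jpeg, $insertAt);
}

// Control 1: header/MIME sniffing, the check most upload handlers stop at.
// It accepts the polyglot, because by construction the header is a genuine JPEG.
function looksLikeJpeg(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return $info !== false && $info['mime'] === 'image/jpeg';
}

// Control 2: refuse bytes containing a PHP open tag. Cheap and catches this exact
// trick, but it is a blocklist, so treat it as defence in depth only. A bare "<?"
// is not flagged here because XMP metadata legitimately starts with "<?xpacket";
// widen the pattern if short_open_tag is enabled on your server.
function containsPhpTag(string $bytes): bool
{
    return preg_match('/<\?(php\b|=)/i', $bytes) === 1;
}

// Control 3: decode the pixels and write a fresh JPEG. Comment segments, APP
// metadata and anything appended after EOI do not survive the round trip.
function reencodeJpeg(string $bytes): ?string
{
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        return null;                                 // not a decodable image
    }
    ob_start();
    imagejpeg($im, null, 85);
    $out = ob_get_clean();
    imagedestroy($im);
    return $out;
}

// Control 4: never let a user-supplied string become a path. Random name, fixed
// extension, non-executable mode, directory of the server's choosing (outside the
// web root, served by a read-only script with a fixed Content-Type).
function storeAvatar(string $jpeg, string $dir): string
{
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $path = rtrim($dir, '/') . '/' . $name;
    if (file_put_contents($path, $jpeg, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    chmod($path, 0644);
    return $name;
}

// Constructed demo run. The payload is deliberately harmless; it is never executed.
$payload = '<?php echo "executed"; ?>';
$poly    = makePolyglotJpeg($payload);

printf("header check accepts polyglot: %s\n", looksLikeJpeg($poly) ? 'yes' : 'no');
printf("tag scan flags polyglot:       %s\n", containsPhpTag($poly) ? 'yes' : 'no');

$clean = reencodeJpeg($poly);
if ($clean === null) {
    fwrite(STDERR, "upload rejected: not a decodable image\n");
    exit(1);
}
printf("re-encoded copy is a JPEG:     %s\n", looksLikeJpeg($clean) ? 'yes' : 'no');
printf("re-encoded copy has PHP tag:   %s\n", containsPhpTag($clean) ? 'yes' : 'no');

echo 'stored as ', storeAvatar($clean, sys_get_temp_dir()), PHP_EOL;
```

The storage step is what addresses the "variations on .php in the URL" part: with Apache's mod_mime, every dot-separated part of a filename is treated as an extension, so a handler registered for .php also fires for a file named avatar.php.jpg if the attacker's filename is kept. Replacing the name with a random hex string and a fixed .jpg, and keeping the file outside the document root, removes that avenue regardless of how the web server is configured.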
