Re: [PHP] Secure system calls -- how

Posted by Niels on 02/10/05 05:58

Richard Lynch wrote:

> Perhaps the reason there is no article or tutorial is that it would be a
> book, not an article or tutorial :-)
>
> There are so MANY affected/related software system pieces that you can't
> do it justice in an article or tutorial, I suspect.
Quite true. However, warnings about "don't do this or that", "an attacker
may use this" and so on are numerous, but advice on what to do about it is
rarer. And this thing with system calls is a good example: I can find many
warnings about not doing it, but not a single piece of advice about how to
do it when it's actually necessary.


> The interaction between your scripts, the OS, PHP and every other script
> or piece of software on the system comes into play once you start granting
> special privileges to the PHP user.
>
> Here's a method you could easily miss:
> Create a JPEG that looks like a JPEG in its header, but has malevolent
> PHP code in it.
> Then, upload that JPEG to your server as an avatar or whatever through
> some kind of file upload anywhere on the system.
> Then, surf to that image with variations on ".php" in the URL in an
> attempt to get PHP to execute that image as PHP code.
True, and I do have file uploads for privileged users. I check the files,
but how can I be sure? Your example is good, it's very easy to miss the
problem with code in a file -- but where's the solution?


> This is exactly the kind of thing that *CAN* happen by successive small
> minor mistakes taken one at a time over years of a server build-up, none
> of which in and of themselves will be obvious as a problem, until too
> late.
Good point, but that's a danger with all programs. Maybe this is a good
reason to use tried-and-tested modules like PEAR -- but they can be faulty
as well.

My main point isn't that I want to be 100% certain nothing will ever go
wrong with my program. That's quite unrealistic. But I'm looking for
solutions to the problems everybody's pointing out.


Thanks again,
Niels
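One concrete answer to the two questions in this thread, as an added example that is not code from the list or from either poster: an upload handler for the "JPEG with PHP inside" case, and a constrained wrapper for the rare system call that really is necessary. It assumes a current PHP with the GD and fileinfo extensions, and that `$uploadDir` (an assumed name) is outside the web root or is a directory where the web server has PHP execution switched off.

```php
<?php
// Added example, not from the original thread.
// Hardened image upload: trust the bytes, not the client's name or MIME type,
// and re-encode so nothing but pixels reaches the disk.
function store_image_upload(array $file, string $uploadDir): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or was not an HTTP upload');
    }
    // Sniff the real content type from the file data.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        throw new RuntimeException('not a JPEG');
    }
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG did not decode');
    }
    // Re-encoding keeps the image but drops comments, EXIF and trailing
    // data, which is where embedded PHP code would otherwise survive.
    // The stored name is generated here; the user-supplied name is ignored.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!imagejpeg($img, $dest, 85)) {
        throw new RuntimeException('could not write image');
    }
    imagedestroy($img);
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// When a system call is unavoidable: the command itself comes from a fixed
// whitelist, and every variable piece is passed through escapeshellarg()
// rather than interpolated into the command line.
function safe_exec(string $cmd, array $args, array $allowedCmds): array {
    if (!in_array($cmd, $allowedCmds, true)) {
        throw new InvalidArgumentException('command not permitted');
    }
    $line = escapeshellcmd($cmd);
    foreach ($args as $a) {
        $line .= ' ' . escapeshellarg((string) $a);
    }
    exec($line . ' 2>&1', $output, $status);
    // Callers should check $status; a non-zero exit is a failure, not data.
    return ['status' => $status, 'output' => $output];
}
```

Pair this with a web-server rule that the upload directory serves static files only, so even a file that slipped through could not be run as PHP no matter how the URL is spelled.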
