Posted by John Nichel on 10/14/05 00:17

Graham Anderson wrote:
> How does a hacker get access to your scripts located outside the web
> folder?
> I asked a friend to hack my php script within the web folder...
>
>
> all of my crucial function were called by:
> require_once("/home/siren/includes/fonovisa.inc");
> the 'encrypt' functions are MCRYPT_RIJNDAEL_256
>
> He was able to get access to the 'fonovisa.inc' php script [outside
> the web folder] and all the stuff inside
> Based on my current knowledge, my security breaches are probably big
> enough to drive a truck through :(
>
>
> how can I prevent this ?
> I am VERY new at the whole 'security' thing so any help is appreciated

Just looking briefly at the below script; NEVER trust user input!
Sanatize it, escape it, check to see it's what you expect, and do it
again. Doing things like this...

freadMovie($_REQUEST['path']);

is just asking for trouble.

> this is the script within the web folder:
> <?php
> require_once("/home/siren/includes/fonovisa.inc");
> $thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER ['SCRIPT_NAME']);
> qtversiondetect($_SERVER['HTTP_USER_AGENT']);
>
>
>
>
> //////////////////////////////////////////
> // This PHP script is performing three tasks
> // 1) Creates a SMIL playlist of Quicktime movies from a database call
> // 2) Reads each requested movie file from outside the web folder
> // Movies are downloaded by passing the GET variable, 'path', to
> the 'freadMovie()' function
> // This function is located in the script,
> 'fonovisa.inc', located outside the web folder
> // The movie files are fread chunk by chunk in binary
> format and loaded into the the Quicktime Player
> // 3) Build the Actual Quicktime Media Link with all the EMBED
> attributes like KIOSKMODE and QUITWHENDONE
> //
> //
> ////////////////////////
> // Flow of the Code:
> // If the GET variable, 'cmd', equals 'makesmil'
> // Build the SMIL playlist
> // ElseIf the GET variable, 'cmd', equals 'getmovie'
> // Send the requested url [with the encrypted movie file path]
> to the freadmovie() function
> // which freads the requested movie file data to the
> Quicktime Player
> // Else
> // Build the Quicktime Media Link that generated the Headers
> and Embed tags
> // where the 'src' attribute points to the SMIL Playlist
> Movie function in THIS script
> // Endif
> //////////////////////
>
>
> // any variable there ?
> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
> {
>
> ////////////
> // Ok, there is a 'cmd' and/or 'path' variable, what are they ?
> ////////////
>
> //make the SMIL playlist of movie
> if( trim(decrypt( $_REQUEST['cmd'])) =="makesmil")
> makesmil($thisScriptURL);
>
> //fread a movie file in the playlist and send to QuickTime
> elseif(trim(decrypt($_REQUEST['cmd']))=="getmovie")
> freadMovie($_REQUEST['path']);
>
>
> }else{
> ///////////
> // No commands were given
> // So make the Quicktime Media Link with all the EMBED attributes
> // The 'src' attribute is going to call the 'makesmil' function
> to generate the SMIL playlist movie
> //////////
> buildQTMediaLinkForSMILPlaylist( $autoplay="true",
>
> $cache="false",
>
> $kioskmode="true",
>
> $quitwhendone="true",
>
> $movieid=md5(time()),
>
> $moviename="Commercial Reel 2005",
>
> $src="$thisScriptURL?cmd=".encrypt('makesmil')
> );
>
> ///////////
> // Output the Correct QuickTime Headers and the Embed Tags and
> send the movie to QuickTime
> ///////////
> OutputHeaders($_SERVER['HTTP_USER_AGENT']);
> echo $finalQTMovie;
>
>
> }
>
>
> /////////////////////////////////////
> // Local Functions
> /////////////////////////////////////
>
> function makesmil($thisScriptURL)
> {
> buildSMILArray($thisScriptURL,$d='siren',$playlist="Show Reel");
>
> // format the SMIL playlist
> buildSMILPlaylist( $timeslider="true",
> $chaptermode="all",
>
> $immediateinstantiation="false",
> $autoplay="true",
> $left="1",
> $top="1",
> $height="208",
> $width = "352",
> $fit= "fill",
> $title = "Commercial Reel
> 2005",
> $regionid="siren",
> $bgcolor="black",
> $movieid=md5(time()),
> $moviename="Commercial Reel
> 2005",
> $movieArray);
> }
>
>
> //-------------------------
> // Santize the variables to prevent mysql injection and trim them
> function sanitizeVars()
> {
> $path = getGetVarProcessed( 'path', 'cleanser', 'unknown' );
> $cmd = getGetVarProcessed( 'cmd', 'cleanser', 'unknown' );
> }
>
>
> //-------------------------
> // Output Player or Browser Content-Type Header
>
> function OutputHeaders($userAgent)
> {
> global $finalQTMovie;
> if(strstr($userAgent,"qtver")){
> // Player
> header('Content-Type: application/x-quicktimeplayer');
> }else{
> //Browser
> header('Content-Type: video/quicktime');
> }
> //output any of the other headers
> header ("Content-Length:".strlen($finalQTMovie));
> }
>
> ?>
>


--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
john@kegworks.com

• Next in forum: Re: [PHP] prevent user from getting scripts outside the web folder
• Prev in forum: Re: [PHP] prevent user from getting scripts outside the web folder
• Thread view: Re: [PHP] prevent user from getting scripts outside the web folder

[Reply to this message]