Reply to Re: free tool to encrypt php?

Posted by Michael Fesser on 10/22/07 16:22

..oO(Jerry Stuckle)

>Michael Fesser wrote:
>
>> If a file is stored outside the document root, it can't be accessed by a
>> URL. That's prevention.
>
>Nope. It is not. There is, for instance, nothing to stop me from
>uploading a document which opens the file and spits the source code out
>for me.

The file in question is still not accessible by URL, which is all that I
was talking about here.

>The only way to prevent me from getting the file is to not place it
>there in the first place.

The point was to "access the file by URL", which is what a user usually
does. It was not about breaking into the system to get it. If I don't
want a user to directly access something by URL, I can prevent it. If he
still wants to get it, he has to find another way.

>> If you allow the user to submit a value out of [1, 2, 3] to a form
>> processing script and check it against the set of allowed values, they
>> can't inject a 4. That's prevention.
>
>Until they find another way into the system. All you have done is close
>one hole.

Exactly. And I can prevent users from sneaking through that particular
hole by closing it.

>To be able to prevent something, you must have 100% security. And that
>means, in computer systems anyway, 100% perfect code, absolutely no
>access to the sensitive code, either via communications link, physical
>access to the server or any other way. There must also be no copies
>(i.e. backups) of the sensitive files at all. And even then you're
>likely to have potential gaps in the system.

Prevention is not only about protecting an entire system from a break-in.
It's also about all the little things that can get really annoying,
even if someone just presses the wrong key and the application behaves
in an unexpected way or wreaks havoc.

Micha
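The two "prevention" measures discussed above (checking a submitted value against a fixed set of allowed values, and keeping a sensitive file outside the document root so it cannot be fetched by URL) in PHP, as an added example that is not part of the thread or anyone's posted code. The directory layout, the field name `choice` and the file name `config.php` are assumptions.

```php
<?php
// Added example (not from the thread). Shows allowlist validation of a form
// value and loading of a file kept outside the document root.
// The paths, field and file names below are assumptions.

declare(strict_types=1);

// Accept only 1, 2 or 3 from the request. Anything else ("4", "1 OR 1=1",
// "1.0", an empty string, an array, a missing field) is rejected before the
// value reaches a query or a file name. Returns null on rejection.
function allowedChoice(array $request, string $field = 'choice'): ?int
{
    $allowed = [1, 2, 3];
    if (!isset($request[$field]) || !is_string($request[$field])) {
        return null;
    }
    // FILTER_VALIDATE_INT returns false for non-integer strings such as
    // "4abc" or "1.0", so the comparison below only ever sees real ints.
    $value = filter_var($request[$field], FILTER_VALIDATE_INT);
    if ($value === false || !in_array($value, $allowed, true)) {
        return null;
    }
    return $value;
}

// A file stored above DOCUMENT_ROOT is not reachable by URL, but PHP can still
// read it by filesystem path. Assumed layout:
//   /var/www/example/htdocs   <- DOCUMENT_ROOT, served by the web server
//   /var/www/example/private  <- never served; only PHP on the host reads it
function loadPrivateConfig(string $documentRoot): array
{
    $private = dirname(rtrim($documentRoot, '/')) . '/private';
    $path = $private . '/config.php';   // assumed file returning an array
    if (!is_file($path)) {
        return [];
    }
    $config = require $path;
    return is_array($config) ? $config : [];
}

// Request handling: reject early and stop if the value is not allowed.
$choice = allowedChoice($_POST);
if ($choice === null) {
    http_response_code(400);
    exit('Invalid choice');
}
// $choice is now exactly one of 1, 2 or 3.
$config = loadPrivateConfig($_SERVER['DOCUMENT_ROOT']);
```

The strict `in_array(..., true)` and the integer filter are what make the allowlist a real check: a loose comparison would let `"1abc"` or `true` through. As the thread notes, neither measure stops someone who can already run code on the server; they only close the URL and form-input paths.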


