Reply to Re: [PHP] Newbie: Safe function call to a .inc file outside the web folder

Posted by "Richard Lynch" on 08/27/05 02:42

On Fri, August 26, 2005 5:55 am, Edward Vermillion wrote:
> Chris Shiflett wrote:
>
>> Because $_SERVER['SERVER_NAME'] can be manipulated by the user in
>> some cases, you must consider $temp tainted at this point.
>>
>
> I was under the impression that the non-'HTTP_*' keys in the
> $_SERVER array came from the server itself. Obviously I'm wrong, but
> I'm curious how 'SERVER_NAME' could be manipulated by the client. Is
> there anything in the $_SERVER array that *can* be considered safe?

Here is what little info I have in my brain on this topic... :-)

When your browser requests:
http://example.com/index.php
what really happens is a more like doing this from a command shell:

telnet example.com 80
[wait for a prompt, type the following]
GET /index.php HTTP/1.0
Host: example.com
[hit return again here]

This last one, the "Host:" header, is used by VirtualHost settings in
Apache to determine which URL you actually want.

But there's nothing to stop Bad Guy from doing this:
telnet php.net 80
GET /index.php HTTP/1.0
Host: example.com

At that point, if php.net responds at all, I *THINK*
$_SERVER['SERVER_NAME'] might, depending on Apache configuration, be
'example.com'.

Or maybe not.

But when you stop to think about all the sites that are hosted on
multiple server farm setups, where a single domain is actually
serviced by an army of computers due to the sheer volume, you realize
that the 'SERVER_NAME' cannot POSSIBLY be the actual honest-to-god
there-is-only-one IP address of a single computer that is responding.

So odds are really good that in *SOME* situations,
$_SERVER['SERVER_NAME'] is not particularly reliable.

That may not be your situation; it might be 100% reliable in YOUR
situation.

But do you really want to write code that might maybe someday get
thrown into a different situation that has vulnerabilities in it?

Disclaimer: I really have no idea how it could harm you, but if Chris
Shiflett warns against it, don't do it. :-)

--
Like Music?
http://l-i-e.com/artists.htm
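The thread title suggests the original code derived the path of an .inc file outside the web root from the hostname. The following is an added example, not code from the thread or from any of its participants: it puts the tainted pattern Chris Shiflett warns about beside a hardened form in which $_SERVER['SERVER_NAME'] is used only as a lookup key into a fixed map, so whatever text the client manages to get into it can never become part of a filename. The base directory, hostnames and .inc names are assumptions made up for the example.

```php
<?php
// Added example, not from the original thread. It assumes the original
// code built an include path from $_SERVER['SERVER_NAME'], with one
// .inc file per virtual host kept outside the document root.

// Hypothetical private directory outside the web root.
const INC_BASE = '/var/www/private';

// Tainted pattern: the hostname flows straight into a file path.
// As the post explains, SERVER_NAME can reflect the client-supplied
// Host: header depending on Apache configuration, so $temp is attacker
// influenced and so is the path built from it.
function includeForHostTainted(): void
{
    $temp = $_SERVER['SERVER_NAME'];           // tainted
    require INC_BASE . '/' . $temp . '.inc';   // path built from tainted data
}

// Hardened pattern: an explicit allowlist of hostnames this application
// is prepared to serve, each mapped to a fixed, pre-chosen .inc file.
// The hostname never appears in the filename; it only selects one of
// these values.
const HOST_TO_INC = [
    'example.com'      => INC_BASE . '/example.inc',
    'www.example.com'  => INC_BASE . '/example.inc',
    'shop.example.com' => INC_BASE . '/shop.inc',
];

/**
 * Returns the configured .inc path for a hostname, or null if the host
 * is not one we know. Case is normalised and an optional ":port" suffix
 * is stripped so that "Example.com:8080" still matches "example.com".
 */
function resolveIncludeForHost(string $serverName): ?string
{
    $host = strtolower($serverName);
    $host = preg_replace('/:\d+$/', '', $host);
    return HOST_TO_INC[$host] ?? null;
}

function includeForHostSafe(): void
{
    $path = resolveIncludeForHost($_SERVER['SERVER_NAME'] ?? '');
    if ($path === null) {
        // Unknown host: refuse rather than guess. A request whose Host:
        // header matches none of our virtual hosts has no business
        // selecting configuration.
        http_response_code(400);
        exit('Unknown host');
    }
    require $path;
}
```

Whether SERVER_NAME comes from the ServerName directive or from the client's Host: header is governed by Apache's UseCanonicalName setting, which is exactly the "depending on Apache configuration" in the post; the allowlist above makes the code correct under either setting, which is the point of treating the value as tainted.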
