Posted by Han on 09/26/32 11:27
A simpler attack would be to disable that check.
I guess the solution has to be outside of php. I cannot figure out a
solution though.
-Han
Gordon Burditt wrote:
> >> Our app runs on end-users machines (apache2.x + php5). At this moment
> >> it is quite easy for someone (who has access to the console) to insert
> >> a couple lines of php code to steal sensitive info.
> >>
> >> Is there a way to check the integrity of the php and javascript code by
> >> using digital signatures/simple hash/etc. ?
> >>
> >> What do you do to verify that your code has not been changed by someone
> >> else and everything is leaked to a rogue site?
> >>
> >> Thanks for your help
> >> -Han
> >
> >the md5 of the files would change completly if it was tampered with at
> >all.
> >
> >you can use the php 'md5("path/to/file")' function to check the
> >integrity of files through php.
>
> Until, of course, someone modifies their copy so that the path/to/file
> points at an *unmodified* copy which is never run but is only used
> to pass the integrity check.
>
> Gordon L. Burditt
[Back to original message]
|