Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
From: Ben Ford (bford@erisksecurity.com)
Date: 07/30/01
Message-ID: <3B65D7A6.6060009@erisksecurity.com>
Date: Mon, 30 Jul 2001 14:54:46 -0700
From: Ben Ford <bford@erisksecurity.com>
To: secprog@securityfocus.com
Subject: Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
salo wrote:
> On Fri, Jul 27, 2001 at 06:05:25PM +0100, Julian Hall wrote:
>
>> Is anyone really that naive? I, and I'm sure most other PHP users, would
>> automatically write:
>>
>> <?php
>> $themefile = "themes/$theme.inc";
>> include($themefile);
>> ?>
>>
>> If I was even remotely thinking about security I would check for the
>> presence of directory separator characters in $theme (as it stands
>> obviously the code would allow the inclusion of any file with the
>> '.inc' suffix). You never include code from a filename specified
>> directly by the user. That's a primary rule, and applies to server
>> applications written in any language, not just PHP and other similar
>> systems.
>>
>
> what about checking like this?
>
Even better:
  // $theme arrives from the request (register_globals, PHP 4 era);
  // it is only ever compared against fixed strings, never used in a path.
  if (isset($theme)) {
      switch ($theme) {
          case "1":
              include("theme1.php");
              break;
          case "2":
              include("theme2.php");
              break;
          case "3":
              include("theme3.php");
              break;
          default:
              // anything not on the list gets the default theme
              include("default_theme.php");
              break;
      }
  }
Can you break that?
-b
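The switch above is an allow-list: the request value is only compared against fixed strings and never becomes part of a file name, which is why separator checks are unnecessary for it. The following is an added example (not code from the thread or from either poster) that generalises the same idea to a lookup table, and adds a second layer for the case where the chosen file name is still joined to a directory on disk. It assumes modern PHP (7.1+), a themes/ directory next to the script, and a request parameter named "theme"; all of those names are assumptions.

```php
<?php
// Added example, not from the original thread.
// Assumed layout: theme files live in ./themes, selected via ?theme=<id>.

const THEME_DIR = __DIR__ . '/themes';

// The only identifiers a request may select. The request value is used
// purely as an array key, so separators, null bytes, or URL schemes in
// it never reach include().
const THEMES = [
    '1' => 'theme1.php',
    '2' => 'theme2.php',
    '3' => 'theme3.php',
];
const DEFAULT_THEME = 'default_theme.php';

/**
 * Map an untrusted theme identifier to a file name from the allow-list.
 * Unknown, missing, or non-string values fall back to the default theme.
 */
function theme_file_for($theme): string
{
    if (!is_string($theme) || !array_key_exists($theme, THEMES)) {
        return DEFAULT_THEME;
    }
    return THEMES[$theme];
}

/**
 * Defence in depth: even for an allow-listed name, resolve the final path
 * and confirm it still lies inside THEME_DIR. Returns null if the file is
 * missing or the resolved path escapes the directory (e.g. via symlinks).
 */
function theme_path_within_dir(string $fileName): ?string
{
    $base = realpath(THEME_DIR);
    $real = realpath(THEME_DIR . '/' . $fileName);
    if ($base === false || $real === false) {
        return null;
    }
    // Require the directory prefix plus a separator, so "themes2/" does
    // not pass as being inside "themes/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$selected = theme_file_for($_GET['theme'] ?? null);
$path = theme_path_within_dir($selected);
if ($path === null) {
    // Misconfiguration (theme file absent or outside THEME_DIR): fail closed.
    http_response_code(500);
    exit('theme unavailable');
}
include $path;
```

The first function is the switch from the post written as data rather than control flow, so adding a theme means adding one array entry. The second function is only relevant once file names are joined to a directory again; with a pure allow-list it is redundant, but it costs little and catches a mis-deployed symlink or a later edit that starts building the name from input.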