Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
I asked a friend to hack my php script within the web folder...
all of my crucial functions were called by:
require_once("/home/siren/includes/fonovisa.inc");
the 'encrypt' functions are MCRYPT_RIJNDAEL_256
He was able to get access to the 'fonovisa.inc' php script [outside
the web folder] and all the stuff inside
Based on my current knowledge, my security breaches are probably big
enough to drive a truck through :(
How can I prevent this?
I am VERY new at the whole 'security' thing so any help is appreciated
Just looking briefly at the below script; NEVER trust user input!
Sanitize it, escape it, check to see it's what you expect, and do it
again. Doing things like this...
freadMovie($_REQUEST['path']);
is just asking for trouble.
this is the script within the web folder:
<?php
require_once("/home/siren/includes/fonovisa.inc");
$thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER['SCRIPT_NAME']);
qtversiondetect($_SERVER['HTTP_USER_AGENT']);

//////////////////////////////////////////
// This PHP script is performing three tasks
// 1) Creates a SMIL playlist of Quicktime movies from a database call
// 2) Reads each requested movie file from outside the web folder
//    Movies are downloaded by passing the GET variable, 'path', to
//    the 'freadMovie()' function
//    This function is located in the script, 'fonovisa.inc', located
//    outside the web folder
//    The movie files are fread chunk by chunk in binary format and
//    loaded into the Quicktime Player
// 3) Build the Actual Quicktime Media Link with all the EMBED
//    attributes like KIOSKMODE and QUITWHENDONE
//
////////////////////////
// Flow of the Code:
// If the GET variable, 'cmd', equals 'makesmil'
//     Build the SMIL playlist
// ElseIf the GET variable, 'cmd', equals 'getmovie'
//     Send the requested url [with the encrypted movie file path]
//     to the freadMovie() function, which freads the requested
//     movie file data to the Quicktime Player
// Else
//     Build the Quicktime Media Link that generates the Headers
//     and Embed tags, where the 'src' attribute points to the SMIL
//     Playlist Movie function in THIS script
// Endif
//////////////////////

// any variable there ?
if (isset($_REQUEST['cmd']) OR isset($_REQUEST['path'])) {
    ////////////
    // Ok, there is a 'cmd' and/or 'path' variable, what are they ?
    ////////////
    // make the SMIL playlist of movie
    if (trim(decrypt($_REQUEST['cmd'])) == "makesmil")
        makesmil($thisScriptURL);
    // fread a movie file in the playlist and send to QuickTime
    elseif (trim(decrypt($_REQUEST['cmd'])) == "getmovie")
        freadMovie($_REQUEST['path']);
} else {
    ///////////
    // No commands were given
    // So make the Quicktime Media Link with all the EMBED attributes
    // The 'src' attribute is going to call the 'makesmil' function
    // to generate the SMIL playlist movie
    //////////
    buildQTMediaLinkForSMILPlaylist($autoplay="true",
                                    $cache="false",
                                    $kioskmode="true",
                                    $quitwhendone="true",
                                    $movieid=md5(time()),
                                    $moviename="Commercial Reel 2005",
                                    $src="$thisScriptURL?cmd=".encrypt('makesmil')
                                   );
    ///////////
    // Output the Correct QuickTime Headers and the Embed Tags and
    // send the movie to QuickTime
    ///////////
    OutputHeaders($_SERVER['HTTP_USER_AGENT']);
    echo $finalQTMovie;
}

/////////////////////////////////////
// Local Functions
/////////////////////////////////////
function makesmil($thisScriptURL)
{
    buildSMILArray($thisScriptURL, $d='siren', $playlist="Show Reel");
    // format the SMIL playlist
    buildSMILPlaylist($timeslider="true",
                      $chaptermode="all",
                      $immediateinstantiation="false",
                      $autoplay="true",
                      $left="1",
                      $top="1",
                      $height="208",
                      $width="352",
                      $fit="fill",
                      $title="Commercial Reel 2005",
                      $regionid="siren",
                      $bgcolor="black",
                      $movieid=md5(time()),
                      $moviename="Commercial Reel 2005",
                      $movieArray);
}

//-------------------------
// Sanitize the variables to prevent mysql injection and trim them
// (note: this function is defined but never called above, and it only
// assigns local variables)
function sanitizeVars()
{
    $path = getGetVarProcessed('path', 'cleanser', 'unknown');
    $cmd  = getGetVarProcessed('cmd', 'cleanser', 'unknown');
}

//-------------------------
// Output Player or Browser Content-Type Header
function OutputHeaders($userAgent)
{
    global $finalQTMovie;
    if (strstr($userAgent, "qtver")) {
        // Player
        header('Content-Type: application/x-quicktimeplayer');
    } else {
        // Browser
        header('Content-Type: video/quicktime');
    }
    // output any of the other headers
    header("Content-Length: ".strlen($finalQTMovie));
}
?>
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
john@xxxxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
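A hardened version of the 'getmovie' branch, written as an added example for this thread and not code from either poster: it keeps the chunked binary read of the original freadMovie() but only after the client-supplied name has been reduced to a bare file name, checked against an extension allowlist, and resolved with realpath() to confirm it lives inside one fixed movie directory. MOVIE_DIR, the extension list and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the original post. MOVIE_DIR, ALLOWED_EXT and the
// function names are assumed; adapt them to the real layout.
const MOVIE_DIR   = '/home/siren/movies';   // assumed location, outside the web root
const ALLOWED_EXT = ['mov', 'mp4'];

// Return the absolute path of a movie the client is allowed to fetch, or null.
function resolveMoviePath(string $requested): ?string
{
    // Accept only a plain file name: no slashes, no "..", no NUL bytes, no spaces.
    if ($requested === '' || !preg_match('/\A[A-Za-z0-9_-]+\.[A-Za-z0-9]+\z/', $requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    // realpath() resolves symlinks and "..", so the containment check is done on
    // the resolved path, never on the string the client sent.
    $base = realpath(MOVIE_DIR);
    $full = realpath(MOVIE_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved to somewhere outside MOVIE_DIR (e.g. via a symlink)
    }
    return $full;
}

// Stream the validated file chunk by chunk, as the original freadMovie() does.
function serveMovie(string $requested): void
{
    $path = resolveMoviePath($requested);
    if ($path === null) {
        header('HTTP/1.1 404 Not Found');   // same response for "missing" and "not allowed"
        exit;
    }
    header('Content-Type: video/quicktime');
    header('Content-Length: ' . filesize($path));
    $fh = fopen($path, 'rb');
    while (!feof($fh)) {
        echo fread($fh, 8192);
    }
    fclose($fh);
}

// In the 'getmovie' branch, replace freadMovie($_REQUEST['path']) with:
serveMovie($_REQUEST['path'] ?? '');
```

The same containment check belongs in the include file itself, so that every caller of the read routine gets it rather than relying on each script remembering to call a sanitizer.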