Re: prevent user from getting scripts outside the web folder

On Thu, 2005-10-13 at 17:05, Graham Anderson wrote:
> How does a hacker get access to your scripts located outside the web  
> folder?
> I asked a friend to hack my php script within the web folder...

Ummm, the obvious thing to do is ask your friend how he did it, then
we'll tell you how to prevent it in the future. Otherwise we're all just
shooting in the dark.

Cheers,
Rob.

> 
> 
> all of my crucial functions were called by:
> require_once("/home/siren/includes/fonovisa.inc");
> the 'encrypt' functions are MCRYPT_RIJNDAEL_256
> 
> He was able to get access to the 'fonovisa.inc' php script [outside the web folder] and all the stuff inside.
> Based on my current knowledge, my security breaches are probably big enough to drive a truck through :(
> 
> 
> how can I prevent this?
> I am VERY new at the whole 'security' thing so any help is appreciated
> 
> 
> 
> this is the script within the web folder:
> <?php
> require_once("/home/siren/includes/fonovisa.inc");
> $thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER['SCRIPT_NAME']);
> qtversiondetect($_SERVER['HTTP_USER_AGENT']);
> 
> //////////////////////////////////////////
> //   This PHP script is performing three tasks
> //   1)  Creates a SMIL playlist of Quicktime movies from a database call
> //   2)  Reads each requested movie file from outside the web folder
> //        Movies are downloaded by passing the GET variable, 'path', to the 'freadMovie()' function
> //                This function is located in the script, 'fonovisa.inc', located outside the web folder
> //                The movie files are fread chunk by chunk in binary format and loaded into the Quicktime Player
> //   3) Build the Actual Quicktime Media Link with all the EMBED attributes like KIOSKMODE and QUITWHENDONE
> //
> ////////////////////////
> //   Flow of the Code:
> //   If the GET variable, 'cmd', equals 'makesmil'
> //         Build the SMIL playlist
> //   ElseIf the GET variable, 'cmd', equals 'getmovie'
> //          Send the requested url [with the encrypted movie file path] to the freadMovie() function
> //          which freads the requested movie file data to the Quicktime Player
> //   Else
> //            Build the Quicktime Media Link that generates the Headers and Embed tags
> //            where the 'src' attribute points to the SMIL Playlist Movie function in THIS script
> //   Endif
> //////////////////////
> 
> // any variable there ?
> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path']) )
> {
>      ////////////
>      // Ok, there is a 'cmd' and/or 'path' variable, what are they ?
>      ////////////
> 
>      //make the SMIL playlist of movie
>      if(trim(decrypt($_REQUEST['cmd'])) == "makesmil")
>          makesmil($thisScriptURL);
> 
>      //fread a movie file in the playlist and send to QuickTime
>      elseif(trim(decrypt($_REQUEST['cmd'])) == "getmovie")
>          freadMovie($_REQUEST['path']);
> 
> }else{
>      ///////////
>      //  No commands were given
>      //  So make the Quicktime Media Link with all the EMBED attributes
>      //  The 'src' attribute is going to call the 'makesmil' function to generate the SMIL playlist movie
>      //////////
>      buildQTMediaLinkForSMILPlaylist( $autoplay="true",
>                                       $cache="false",
>                                       $kioskmode="true",
>                                       $quitwhendone="true",
>                                       $movieid=md5(time()),
>                                       $moviename="Commercial Reel 2005",
>                                       $src="$thisScriptURL?cmd=".encrypt('makesmil')
>                                     );
> 
>      ///////////
>      // Output the Correct QuickTime Headers and the Embed Tags and send the movie to QuickTime
>      ///////////
>      OutputHeaders($_SERVER['HTTP_USER_AGENT']);
>      echo $finalQTMovie;
> }
> 
> /////////////////////////////////////
> // Local Functions
> /////////////////////////////////////
> 
> function makesmil($thisScriptURL)
> {
>      buildSMILArray($thisScriptURL,$d='siren',$playlist="Show Reel");
> 
>      // format the SMIL playlist
>      buildSMILPlaylist( $timeslider="true",
>                         $chaptermode="all",
>                         $immediateinstantiation="false",
>                         $autoplay="true",
>                         $left="1",
>                         $top="1",
>                         $height="208",
>                         $width = "352",
>                         $fit= "fill",
>                         $title = "Commercial Reel 2005",
>                         $regionid="siren",
>                         $bgcolor="black",
>                         $movieid=md5(time()),
>                         $moviename="Commercial Reel 2005",
>                         $movieArray);
> }
> 
> //-------------------------
> // Sanitize the variables to prevent mysql injection and trim them
> function sanitizeVars()
> {
>      $path = getGetVarProcessed( 'path', 'cleanser', 'unknown' );
>      $cmd = getGetVarProcessed( 'cmd', 'cleanser', 'unknown' );
> }
> 
> //-------------------------
> // Output Player or Browser Content-Type Header
> 
> function OutputHeaders($userAgent)
> {
>      global $finalQTMovie;
>      if(strstr($userAgent,"qtver")){
>           // Player
>           header('Content-Type: application/x-quicktimeplayer');
>      }else{
>           //Browser
>           header('Content-Type: video/quicktime');
>      }
>      //output any of the other headers
>      header ("Content-Length:".strlen($finalQTMovie));
> }
> 
> ?>
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
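Whatever the friend actually did, the quoted script hands the request's 'path' value (decrypted or not) to freadMovie(), which opens and streams whatever file that names. An added example, not Graham's code and not part of fonovisa.inc, of confining such a reader to a single movie directory; the directory name and the .mov extension are assumptions:

```php
<?php
// Added example: restrict a "stream this movie" reader to one directory,
// so a request value can never name a file elsewhere on the filesystem.
// MOVIE_DIR is a placeholder; the original post never states where the
// movie files live.
define('MOVIE_DIR', '/home/siren/movies');

/**
 * Map a requested movie name to an absolute path under MOVIE_DIR.
 * Returns null for anything that is not a plain .mov file name or that
 * resolves (after symlinks and "..") to a location outside MOVIE_DIR.
 */
function resolveMoviePath($requested)
{
    // Accept only a bare file name: no slashes, so no directory parts.
    if (!preg_match('/^[A-Za-z0-9._-]+\.mov$/', $requested)) {
        return null;
    }
    $base = realpath(MOVIE_DIR);
    $full = realpath(MOVIE_DIR . '/' . $requested);
    if ($base === false || $full === false) {
        return null;   // directory or file does not exist
    }
    // realpath() has collapsed any trickery; the final path must still
    // sit beneath the movie directory before it is trusted.
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

/**
 * Stream a movie chunk by chunk, like the original freadMovie(), but
 * only after resolveMoviePath() has accepted the request.
 */
function freadMovieSafe($requested)
{
    $file = resolveMoviePath($requested);
    if ($file === null) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    header('Content-Type: video/quicktime');
    header('Content-Length: ' . filesize($file));
    $fh = fopen($file, 'rb');
    while (!feof($fh)) {
        echo fread($fh, 8192);   // same binary chunked read as the original
    }
    fclose($fh);
}
```

The same check belongs in any code path that turns a request value into a filename; the 'cmd' branch that calls freadMovie() would call freadMovieSafe() instead.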
