Re: prevent user from getting scripts outside the web folder [this better?]

Is this a bit better?
As directed, I 'sanitized' all user input variables with trim and mysql_real_escape_string.

Thanks for everyone's patience, as I am starting at ground zero concerning security.


if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
{
    // decrypt and sanitize variables
    $cmd  = isset($_REQUEST['cmd'])  ? cleanser(decrypt($_REQUEST['cmd']))  : "null";
    $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST['path'])) : "null";
    .
    .
    .

the cleanser script:
function cleanser( $value )
{
    // escapes the trimmed value for use inside a MySQL string literal
    // (mysql_real_escape_string needs an open mysql connection to work)
    return mysql_real_escape_string( trim( $value ) ) ;
}

The 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored outside the web folder.

many thanks :)
g


On Oct 13, 2005, at 2:36 PM, Graham Anderson wrote:


Ok, I just heard back from him and feel like an idiot.

My .htaccess file for the folder containing the php script was not set properly. I guess at this point I'll take all of the advice you guys gave and implement it :)

g

On Oct 13, 2005, at 2:21 PM, Robert Cummings wrote:


On Thu, 2005-10-13 at 17:05, Graham Anderson wrote:


How does a hacker get access to your scripts located outside the web folder?
I asked a friend to hack my php script within the web folder...



Ummm, the obvious thing to do is ask your friend how he did it, then
we'll tell you how to prevent it in the future. Otherwise we're all just
shooting in the dark.

Cheers,
Rob.





All of my crucial functions were called by:
require_once("/home/siren/includes/fonovisa.inc");
The 'encrypt' functions are MCRYPT_RIJNDAEL_256.

He was able to get access to the 'fonovisa.inc' php script [outside the web folder] and all the stuff inside.
Based on my current knowledge, my security breaches are probably big enough to drive a truck through :(


How can I prevent this?
I am VERY new at the whole 'security' thing, so any help is appreciated.



This is the script within the web folder:
<?php
require_once("/home/siren/includes/fonovisa.inc");
$thisScriptURL = ThisScriptsAbsoluteHTTPLocation($_SERVER['SCRIPT_NAME']);
qtversiondetect($_SERVER['HTTP_USER_AGENT']);

//////////////////////////////////////////
//   This PHP script is performing three tasks
//   1)  Creates a SMIL playlist of Quicktime movies from a database call
//   2)  Reads each requested movie file from outside the web folder
//        Movies are downloaded by passing the GET variable, 'path', to the 'freadMovie()' function
//        This function is located in the script, 'fonovisa.inc', located outside the web folder
//        The movie files are fread chunk by chunk in binary format and loaded into the Quicktime Player
//   3)  Build the Actual Quicktime Media Link with all the EMBED attributes like KIOSKMODE and QUITWHENDONE
//
////////////////////////
//   Flow of the Code:
//   If the GET variable, 'cmd', equals 'makesmil'
//         Build the SMIL playlist
//   ElseIf the GET variable, 'cmd', equals 'getmovie'
//          Send the requested url [with the encrypted movie file path] to the freadmovie() function
//          which freads the requested movie file data to the Quicktime Player
//   Else
//            Build the Quicktime Media Link that generates the Headers and Embed tags
//            where the 'src' attribute points to the SMIL Playlist Movie function in THIS script
//   Endif
//////////////////////

// any variable there ?
if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
{
    ////////////
    // Ok, there is a 'cmd' and/or 'path' variable, what are they ?
    ////////////

    // make the SMIL playlist of movies
    if( trim(decrypt( $_REQUEST['cmd'])) == "makesmil" )
        makesmil($thisScriptURL);

    // fread a movie file in the playlist and send to QuickTime
    // ('path' is handed to freadMovie() exactly as it arrived in the request)
    elseif( trim(decrypt($_REQUEST['cmd'])) == "getmovie" )
        freadMovie($_REQUEST['path']);
}
else
{
    ///////////
    //  No commands were given
    //  So make the Quicktime Media Link with all the EMBED attributes
    //  The 'src' attribute is going to call the 'makesmil' function to generate the SMIL playlist movie
    //////////
    buildQTMediaLinkForSMILPlaylist( $autoplay="true",
                                     $cache="false",
                                     $kioskmode="true",
                                     $quitwhendone="true",
                                     $movieid=md5(time()),
                                     $moviename="Commercial Reel 2005",
                                     $src="$thisScriptURL?cmd=".encrypt('makesmil') );

    ///////////
    // Output the Correct QuickTime Headers and the Embed Tags and send the movie to QuickTime
    ///////////
    OutputHeaders($_SERVER['HTTP_USER_AGENT']);
    echo $finalQTMovie;
}

/////////////////////////////////////
// Local Functions
/////////////////////////////////////

function makesmil($thisScriptURL)
{
    buildSMILArray($thisScriptURL, $d='siren', $playlist="Show Reel");

    // format the SMIL playlist
    // ($movieArray is not defined in this function's scope; it is presumably set up by buildSMILArray())
    buildSMILPlaylist( $timeslider="true",
                       $chaptermode="all",
                       $immediateinstantiation="false",
                       $autoplay="true",
                       $left="1",
                       $top="1",
                       $height="208",
                       $width="352",
                       $fit="fill",
                       $title="Commercial Reel 2005",
                       $regionid="siren",
                       $bgcolor="black",
                       $movieid=md5(time()),
                       $moviename="Commercial Reel 2005",
                       $movieArray );
}

//-------------------------
// Sanitize the variables to prevent mysql injection and trim them
// (defined but never called in this script; the results are local variables, so
//  nothing outside this function would see the cleaned values anyway)
function sanitizeVars()
{
    $path = getGetVarProcessed( 'path', 'cleanser', 'unknown' );
    $cmd  = getGetVarProcessed( 'cmd', 'cleanser', 'unknown' );
}

//-------------------------
// Output Player or Browser Content-Type Header
function OutputHeaders($userAgent)
{
    global $finalQTMovie;
    if( strstr($userAgent, "qtver") ){
        // Player
        header('Content-Type: application/x-quicktimeplayer');
    }else{
        // Browser
        header('Content-Type: video/quicktime');
    }
    // output any of the other headers
    header("Content-Length: ".strlen($finalQTMovie));
}

?>


--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



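The cleanser in the reply above escapes a value for use inside a MySQL string literal, which says nothing about which file freadMovie() will then open with the 'path' it is given. As an added example (editor's code, not from the thread), the 'getmovie' read confined to a single directory: MOVIE_DIR, resolveMoviePath() and freadMovieConfined() are hypothetical names, and the argument is assumed to be the 'path' value after the thread's decrypt() has run.

```php
<?php
// Added example (not from the thread). Confines a movie read to one directory.
// MOVIE_DIR is a hypothetical location; $requested is assumed to be the 'path'
// value after decrypt(). Requires PHP 7.1+ for the nullable return type.
const MOVIE_DIR   = '/home/siren/movies';   // hypothetical
const ALLOWED_EXT = ['mov', 'mp4'];
// Resolve a requested movie name to a real file inside $baseDir, or return null.
function resolveMoviePath(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                        // base directory must exist
    }
    // Accept a bare file name only: any directory component or NUL byte is
    // rejected, so the request never gets to choose the directory.
    if ($requested === '' || strpos($requested, "\0") !== false
        || $requested !== basename($requested)) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                        // not a movie type we serve
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() follows symlinks, so re-check that the result still lies under $base.
    if ($real === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}
// Stream the file chunk by chunk, as the thread's freadMovie() does, but only
// after resolveMoviePath() has accepted it.
function freadMovieConfined(string $requested): bool
{
    $file = resolveMoviePath(MOVIE_DIR, $requested);
    if ($file === null) {
        header('HTTP/1.0 404 Not Found');
        return false;
    }
    header('Content-Type: video/quicktime');
    header('Content-Length: ' . filesize($file));
    $fh = fopen($file, 'rb');
    while (!feof($fh)) {
        echo fread($fh, 8192);
    }
    fclose($fh);
    return true;
}
```

With this shape the script decides the directory and the request only picks a file name from it, so the escaping done for SQL and the encryption of the parameter no longer have to carry that responsibility.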