Many thanks for everyone's advice :)
It is appreciated
Is this a bit better ?
In my 'cleaner' function, I amended the script to:
function cleanser( $value )
{
return mysql_real_escape_string( trim( escapeshellcmd($value ) )) ;
}
Instead of mysql_real_escape_string, I could use addslashes()
All of my $_REQUEST variables are contained within a case statement
The 'cmd' variable can ONLY be 'makesmil' or 'getmovie'
If it exists, the 'path' variable is run through the 'cleanser'
function and sent with the original encryption to the fread()
function located outside the web folder
The $path variable is decrypted in the fread function.
//----------
As to my fread function:
//this function is located outside the web folder
function freadMovie($path)
{
$key = "myfakepassword";
$path = decrypt($path);
$filepath ="/home/path_to_includes/Library/multimedia/h264/".$path;
$fileSize = filesize($filepath);
$chunkSize = 32768;
header("ETag: ".md5(time()));
header("Accept-Ranges: bytes");
header ("Content-Length: ".$fileSize);
header('Content-Type: video/quicktime');
if( $fd = fopen($filepath, 'rb'))
{
while(!feof($fd)) {
echo (fread($fd, $chunkSize));
}
fclose ($fd);
exit;
}
}
anything more that comes to mind ?
part of the script......
if (array_key_exists('cmd', $_REQUEST)) {
switch($_REQUEST['cmd']) {
case 'makesmil':
// make an array of 'video src' urls from a database call
buildSMILArray($d='siren',$playlist="Show Reel",
$this_script_name);
// format the SMIL playlist
buildSMILPlaylist( /
*timeslider*/ "true",
/
*chaptermode*/ "clip",
/
*immediateinstantiation*/ "false",
/
*autoplay*/ "true",
/
*left*/ "0",
/
*top*/ "0",
/
*height*/ "208",
/*width
*/ "352",
/
*fit*/ "fill",
/*title
*/ "Commercial Reel 2005",
/
*regionid*/ "siren",
/
*bgcolor*/ "black",
/
*movieid*/ md5(time()),
/
*moviename*/ "Commercial Reel 2005",
/*the array of
movies*/ $movieArray);
break;
case 'getmovie':
// if the 'REQUEST variable, 'path' , exists:
$path = isset($_REQUEST['path']) ? cleanser($_REQUEST
['path']): $path="null";
// read the movie file [located outside the web folder]
from binary into QuickTime
freadMovie($path);
break;
}
}else{
.
.
.
.
many thanks
g
On Oct 14, 2005, at 12:37 PM, Richard Lynch wrote:
On Thu, October 13, 2005 4:05 pm, Graham Anderson wrote:
How does a hacker get access to your scripts located outside the web
folder?
Several obvious options:
1. Get an account on the machine, and write another PHP script to read
it.
2. Find some other script on the machine that will cheerfully dump out
any path you ask for:
<?php include $_GET['hack_me']?>
3. Guess/Get the username/password of the webmaster.
4. Find somebody hosted on a Windows box. Break the Windows security
with any of the 2 zillion scripts to do that.
5. Physical access to the box. If he can touch the hardware, it's
game over.
There are presumably more arcane and obscure methods that might have
been employed.
I asked a friend to hack my php script within the web folder...
all of my crucial function were called by:
require_once("/home/siren/includes/fonovisa.inc");
the 'encrypt' functions are MCRYPT_RIJNDAEL_256
He was able to get access to the 'fonovisa.inc' php script [outside
the web folder] and all the stuff inside
Ask your friend how they did it.
Plug that hole, and any similar-shaped holes.
Repeat.
Based on my current knowledge, my security breaches are probably big
enough to drive a truck through :(
how can I prevent this ?
Without knowing which way they got in, nobody can answer this.
It's like this:
A burglar stole my silverware!
How do I stop this from happening again?
Nobody can answer that.
elseif(trim(decrypt($_REQUEST['cmd']))=="getmovie")
freadMovie($_REQUEST['path']);
Okay, this sure looks like it might be #2 from above. Depends on how
freadMovie() is written.
//-------------------------
// Santize the variables to prevent mysql injection and trim them
function sanitizeVars()
You specifically protect against MySQL injection in a script that
doesn't seem to do anything with MySQL...
But do NOTHING to protect against shell arguments.
What's wrong in this picture? :-)
Or should I say what's wrong in this Movie? :-) :-) :-)
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php