one good reason to ever enable this, it would be a
security issue no matter how you slice it...
-Original Message-
From: Igor Escobar [mailto:titiolin...@gmail.com]
Sent: Tuesday, June 08, 2010 10:11 AM
To: richg...@gmail.com
Cc:
Subject: Re: [PHP] Security Issue
Hey Richard,
I'll find out more about this parameter, allow_url_include, thank you!
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 5:26 PM, richard gray wrote:
> On 07/06/201
Are you running the latest version of PHP?
If not, you should check for PHP vulnerabilities for the version that you
have installed. You should also check your OS and web server software for
security holes.
On Mon, Jun 7, 2010 at 7:54 AM, Igor Escobar wrote:
> Hi Folks!
>
> The portal for which
On 07/06/2010 20:00, Igor Escobar wrote:
From: Ashley Sheridan
> On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:
On Mon, 2010-06-07 at 15:00 -0300, Igor Escobar wrote:
> PHP Injection is the technical name given to a security hole in PHP
> applications. When this gap exists, a hacker can inject external code
> that is interpreted as internal code, as if the included code were
> part of the script.
I disagree, and this kind of approach could be appropriate: if you walk
your input globals and apply some sanity checks and appropriate
filtering, you could fix the issue.
On Jun 7, 2010, at 10:52 AM, Igor Escobar wrote:
I totally agree with you, Ash.
I came up here to ask you guys for some light. Anything to help me track
that M%$#% F#$CK#$# and discover from where he's attacking.
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igores
PHP Injection is the technical name given to a security hole in PHP
applications. When this gap exists, a hacker can inject external code
that is interpreted as internal code, as if the included code were part
of the script.
// my code...
// my code...
include ('http:///externalhacks
Because that only typecasts it. It's safe but it isn't what the user
actually entered.
This way I can actually determine if the user put in "123abc" and
reject it, not accept it and keep the "123" silently for example. Same
with floats. You may or may not consider a negative number acceptab
You could do generic things to modify the $_GET and other superglobal
arrays. For example, if you wanted to implement magic quotes yourself,
have a recursive function (I'd paste one but I'm on my phone), but
something akin to this:
$_GET = your_function_name($_GET);
An idea for you might be to
I think we're getting off topic here folks...
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 2:51 PM, Ashley Sheridan
wrote:
> On Mon, 2010-06-07 at 10:48 -0700, Michael
On Mon, 2010-06-07 at 10:48 -0700, Michael Shadle wrote:
On Mon, 2010-06-07 at 14:42 -0300, Igor Escobar wrote:
Oh yeah. I do more than just intval() I make sure they didn't feed me
anything BUT numeric text first. I do sanity check before type
forcing :)
I use garbage in garbage out. So I take what is given to me and yes I
escape it before the db of course as well, and then encode on output.
On Ju
On Mon, 2010-06-07 at 10:38 -0700, Michael Shadle wrote:
It's not a SQL Injection or XSS problem, Michael.
It's a PHP Injection problem. I know how to fix that, but the web site is very,
very huge, has lots and lots of partners, and I'm having a big difficulty
identifying the focus of the problem.
Got it?
Regards,
Igor Escobar
Systems Analyst & Interface Des
It's not that bad.
Use filter functions and sanity checks for input.
Use htmlspecialchars() basically on output.
That should take care of basically everything.
On Jun 7, 2010, at 6:16 AM, Igor Escobar wrote:
-Original Message-
From: Igor Escobar [mailto:titiolin...@gmail.com]
Sent: Monday, June 07, 2010 9:21 AM
To: Phpster
Cc:
Subject: Re: [PHP] Security Issue
I do not believe he is doing so through forms but PHP Injection. We have
already met one of the files that he used to make the concatenation of the
cache files. Need to know if there is a tool, anything, that we can install
on the server and identify the hacker more easily because the manual labor
This was my fear.
Regards,
Igor Escobar
Systems Analyst & Interface Designer
+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)
On Mon, Jun 7, 2010 at 10:05 AM, Peter Lind wrote:
> On 7 June 2010 14:54, Igor Escobar wrote:
> > Hi Folks!
> >
> > The portal
Hi Ashley!
Thanks for helping us!
OK, first thing, check all the file access logs, i.e. FTP logs, etc, just to
make sure that it's not a case of a compromised password. There's a
well-known issue with people who use FileZilla on Windows systems that
allows passwords to be easily stolen.
*We'v
On Jun 7, 2010, at 8:54 AM, Igor Escobar wrote:
On 7 June 2010 14:54, Igor Escobar wrote:
On Mon, 2010-06-07 at 09:54 -0300, Igor Escobar wrote:
Hi Folks!
The portal for which I work is suffering constant attacks that I feel are
PHP Injection. Somehow the hacker is managing to change the cache files
that our system generates, concatenating the HTML file with another that
has an iframe to a malicious JAR file. Do you have any suggestion
Is ../inc/ in the web path? $_SERVER['DOCUMENT_ROOT']
If so, then what do you mean by "external includes"? You need to move inc/
to a path unre
Karl,
Some simple checks on $contpath could solve your problem. Make sure that:
- it doesn't start with a /
- doesn't contain /../
- it doesn't contain a double slash //, or make sure the URL Fopen wrapper
is disabled:
http://nl3.php.net/manual/en/ref.filesystem.php#ini.allow-url-fopen
Usuall
It was able to call up external includes using the code below, which resulted
in the server being used to send out spam.
How can I protect the code?
TIA
Neuer Wissenschaftlicher Verlag -
Hi Everyone,
Oddball error randomly shows up when accessing pages on my web hosting
provider. The error message is below.
My account is obb4wine. PHP behaves as if I'm the account budguy when
the script error occurs. A page refresh usually makes the error go
away. The error happens frequently
Hi,
I found a weakness in one of my local dev projects today.
php.ini is set up with cookies off in session handling.
I asked another user to send me his url when logged in,
I copied and pasted it and then I was logged in as him.
What should I do? Turn cookies on? Or write ip to mysql? or...?
HI
If I make a file called index.php3 in a directory and have several
other files 'hidden' in that same directory, is it possible for
anyone to get the names of these files?
How would they do this?
How can I stop a spider or robot from finding these hidden files?
Thanks - Mike
I have compiled my Apache server with suexec support, so the CGI scripts are
executed as the owner of the scripts. But PHP scripts are still executed as
the same user as the Apache daemon runs as (www).
This is a big security issue for me because I intend to use .htaccess and
.htpasswd files to pro
Not really sure what you need suggestions on. There are tons
of examples for querying MySQL databases from PHP out
there around the net, not to mention the php.net mysql
area itself.
Scott Novinger wrote:
> Hello,
>
> Would someone please offer some specific suggestions for the following?:
>
> 1. I have several static web pages ready to be published on the
> internet.
Great
> 2. We have chosen PHP, MySQL and Apache as part of our development
> system.
Ok
> 3. I would like to incorporate a PHP script into each static web page
> that queries a MySQL database. This script will de