1. The Wizard
    Devshed Newbie (0 - 499 posts) | Join Date: Mar 2003 | Posts: 128 | Rep Power: 12
    use php-cgiwrap to run php scripts in your username...
    Stand out for justice as witnesses to God
  2. Midnight Rider
    Devshed Newbie (0 - 499 posts) | Join Date: Mar 2003 | Location: Quebec, Canada | Posts: 58 | Rep Power: 12
    I want to point out something I found out about cookie forging. On a site I developed, different users have different kinds of access, and their user_id and access_id are stored in session variables and, for those who want the site to remember their login, also in a cookie. We figured someone might try to edit their cookie and change the access rank to one higher than their legitimate one, and tested it, and it was just ignored. Also, if the browser was closed and then re-opened to the page, the edited cookie would simply be deleted.

    Has this happened to anyone else? I tested it on different machines and the same behavior recurred.
  3. Banned (not really)
    Devshed Supreme Being (6500+ posts) | Join Date: Dec 1999 | Location: Brussels, Belgium | Posts: 14,642 | Rep Power: 4476
    I think the browser tries to protect the cookie and ignores any changes you make directly to the file. But that doesn't stop someone from connecting directly through telnet or with a socket in PHP and sending their own cookie data by creating their own headers. They will know the format needed from the cookie you've already supplied them.

    The vulnerability is there, even if you can't directly edit the cookie file. I think that ability is system dependent.

    ---John Holmes...
    -- Cigars, whiskey and wild, wild women. --
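    Added example, not code from the thread or from either poster: the attack John describes needs no cookie-file editing at all, since any HTTP client can send whatever Cookie: header it likes. The script below makes the cookie's contents tamper-evident with an HMAC so that a bumped access_id is rejected server-side. The secret, the "user_id:access_id:issued_at:hmac" layout and the 30-day lifetime are assumptions.

```php
<?php
// Added example (not from the thread): a tamper-evident access cookie.
// The secret, the cookie layout and the 30-day lifetime are assumptions.
declare(strict_types=1);

// Generate once with bin2hex(random_bytes(32)) and keep it outside the web root.
const COOKIE_SECRET = 'replace-me-with-64-hex-chars-of-random';

// Value to hand to setcookie(): "user_id:access_id:issued_at:hmac".
function make_access_cookie(int $userId, int $accessId, ?int $now = null): string
{
    $now = $now ?? time();
    $payload = $userId . ':' . $accessId . ':' . $now;
    return $payload . ':' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

// Returns ['user_id' => ..., 'access_id' => ...] for a genuine, unexpired
// cookie, or null for anything else. No field is trusted before the MAC passes.
function read_access_cookie(string $cookie, int $maxAge = 2592000, ?int $now = null): ?array
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $accessId, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', "$userId:$accessId:$issued", COOKIE_SECRET);
    // Constant-time compare: a plain == would leak how many bytes matched.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($issued) || (int)$issued + $maxAge < ($now ?? time())) {
        return null;   // genuine, but too old
    }
    return ['user_id' => (int)$userId, 'access_id' => (int)$accessId];
}

// The attack from the post above: take the cookie the server issued and bump
// access_id. Any HTTP client can then send the result as a Cookie: header.
function forge_access_cookie(string $cookie, int $newAccessId): string
{
    $parts = explode(':', $cookie);
    $parts[1] = (string)$newAccessId;
    return implode(':', $parts);     // the MAC no longer covers this payload
}

// CLI demo.
$issued = make_access_cookie(42, 1);
$forged = forge_access_cookie($issued, 9);
var_dump(read_access_cookie($issued));   // user_id 42, access_id 1
var_dump(read_access_cookie($forged));   // NULL: MAC mismatch
```

    Today's equivalent of the telnet session is `curl -H "Cookie: access=42:9:...:..." https://host/admin.php`; with the MAC in place the server simply ignores it. The payload is still readable and replayable by whoever holds it, so keep access_id in the server-side session where you can and send the cookie with the HttpOnly and Secure flags.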
  4. Junior Member
    Devshed Newbie (0 - 499 posts) | Join Date: Mar 2003 | Posts: 13 | Rep Power: 0
    I found this as a little extra for CMS security

    PHP Code:
    // CRYPT_MD5 is only an availability flag (1 when MD5 crypt is compiled in),
    // not a salt; MD5 crypt is selected by a salt that begins with "$1$".
    $crypt_pass = crypt($this->pass, '$1$' . bin2hex(random_bytes(4)) . '$');
  5. Banned (not really)
    Devshed Supreme Being (6500+ posts) | Join Date: Dec 1999 | Location: Brussels, Belgium | Posts: 14,642 | Rep Power: 4476
    Wow, you're right. I put that line in my code and now I can't hack into my program at all. It's amazing...

    Anyhow... Thanks for the tip, but you may want to describe what it does and how someone should use it. That's the whole purpose of this thread.

    ---John Holmes...
    -- Cigars, whiskey and wild, wild women. --
  6. Junior Member
    Devshed Newbie (0 - 499 posts) | Join Date: Mar 2003 | Posts: 13 | Rep Power: 0
    http://www.etronicscomputers.com/doc...rbeginners.htm

    Is this a secure way for using sessions? This is an easy example for me to understand, but I wont use it if it's not a secure one. It looks secure though. Check it out. Thanks!
  7. Contributing User
    Devshed Newbie (0 - 499 posts) | Join Date: Apr 2003 | Location: SA, Centurion | Posts: 355 | Rep Power: 12
    thanks for this great post - will surely help a lot !!!
    :P
  8. Junior Member
    Devshed Newbie (0 - 499 posts) | Join Date: Mar 2003 | Posts: 13 | Rep Power: 0

    HELP!

    I'm extremely confused now. I'm almost finished creating my content system, and one of the things I need to finish is the login/validating part. This example below, is it for logging in or for validating after logging in on every page? It also seems that everyone has a different example and a different opinion, and I'm trying to make my CMS as secure as possible, but with all these opinions, different examples, and some that don't work, is there one example we can all agree on, or are there any good examples you can recommend? About the example below: I tried it, it didn't work, and I still don't know if it's for logging in or for validating after logging in. Someone please help me? Thank you.

    Originally posted by iamtgo3
    Another thing I have seen is to set 2+ cookies and/or sessionID. This way you can use the cookie data to query a database to see if they are valid users before giving them access to certain pages.
    PHP Code:
    // Set cookies and session ID when the user logs in.
    setcookie("registered", "Yes", time() + 2592000, "/", "", 0);
    setcookie("username", $name, time() + 2592000, "/", "", 0);
    setcookie("userid", $userid, time() + 2592000, "/", "", 0);
    setcookie("password", $password, time() + 2592000, "/", "", 0);
    $session = session_id();

    // Run this validation when a user comes to a restricted area.
    if ($HTTP_COOKIE_VARS["registered"] != "Yes") {
      echo "You do not have access";
      exit;
    }

    $username = $HTTP_COOKIE_VARS['username'];
    $userid   = $HTTP_COOKIE_VARS['userid'];
    $password = $HTTP_COOKIE_VARS['password'];

    $db_name = "Database";

    $link = mysql_connect("localhost", "username", "password") or die("Could not connect to server!");
    $query = "SELECT * FROM Users WHERE userid = '$userid' AND password = password('$password') AND userid = '$userid'";
    $result = mysql_db_query($db_name, $query, $link) or die("Could not complete database query");
    $num = mysql_num_rows($result);

    if ($num != 0) {
      echo "Your In";
    } else {
      echo "You are not in";
    }

  9. Banned (not really)
    Devshed Supreme Being (6500+ posts) | Join Date: Dec 1999 | Location: Brussels, Belgium | Posts: 14,642 | Rep Power: 4476
    If you have questions, please start a new thread. This thread is for security notes, a place to post remarks related to PHP security. This isn't the best place to ask new questions. The only people reading this thread are (hopefully) newbies here and those of us that have contributed and get the notice through email that someone posted here.

    Anyhow, that code you posted here is not a good method to use at all. It's setting the user's password in a cookie, which is a bad idea and the query is messed up (repeated $user check).

    There are better methods and it's been discussed around here a lot. Either search or start a new thread with your questions.

    ---John Holmes...
    -- Cigars, whiskey and wild, wild women. --
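    Added example, not the thread's code and not John's: a "remember me" cookie that carries neither the password nor any privilege level, which is the alternative to the quoted snippet. The cookie holds a random selector plus a random validator; only a hash of the validator is stored, so a dumped table cannot be turned into working cookies, and lookups use prepared statements. The table layout, column names and the SQLite demo database are assumptions.

```php
<?php
// Added example (not from the thread): "remember me" without a password or
// access level in the cookie. Table and column names are assumptions.
declare(strict_types=1);

// Called once at login. Returns the value to hand to setcookie().
function issue_remember_token(PDO $db, int $userId, int $ttl = 2592000): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));   // secret half; only its hash is stored
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (:sel, :hash, :uid, :exp)'
    );
    $stmt->execute([
        ':sel'  => $selector,
        ':hash' => hash('sha256', $validator),
        ':uid'  => $userId,
        ':exp'  => time() + $ttl,
    ]);
    return $selector . ':' . $validator;
}

// Called on each request that arrives without a live session.
// Returns the user id, or null if the cookie is missing, forged or expired.
function user_from_remember_cookie(PDO $db, ?string $cookie): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    // The selector is the only user-supplied value that reaches SQL, and it
    // goes in as a bound parameter, never by string interpolation.
    $stmt = $db->prepare(
        'SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = :sel'
    );
    $stmt->execute([':sel' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash against the presented secret.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int)$row['user_id'];
}

// Demo with an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
           validator_hash TEXT, user_id INTEGER, expires INTEGER)');

$cookie = issue_remember_token($db, 42);
var_dump(user_from_remember_cookie($db, $cookie));      // int(42)

// Flip one character of the validator: the selector still matches, the hash does not.
$tampered = substr($cookie, 0, -1) . (substr($cookie, -1) === '0' ? '1' : '0');
var_dump(user_from_remember_cookie($db, $tampered));    // NULL
```

    Once the user id is known, the access level is read from the users table, never from the cookie. Send the cookie with `setcookie('remember', $cookie, ['expires' => time() + 2592000, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'])`, and delete the row (or rotate the token) on logout and on password change.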
  10. Junior Member
    Devshed Newbie (0 - 499 posts) | Join Date: May 2003 | Posts: 1 | Rep Power: 0
    Originally posted by DiPesa
    You named this vulnerability:


    That is an obvious bug. But only if you use

    include($page);

    in you code. As Keiichi suggested to use
    include("$DOCUMENT_ROOT/director/blah_$page.php");

    You effectively execute
    include("$DOCUMENT_ROOT/director/blah_../../../../../etc/passwd.php");

    which results in an illegal filename. The trick suggested by Keiichi limits the pages you can use to the pages mentioned: bla_*.php.
    Personally I prefer to check $page for punctuation and simply deny it and return an error page if any exists. It means a bit of extra thought into how directory structures are going to be laid out. Alternatively you might simply check for a "../" or "://".
  11. Gogo Google.
    Devshed Newbie (0 - 499 posts) | Join Date: Nov 2002 | Location: Adelaide, Australia | Posts: 226 | Rep Power: 12
    I like to predefine all my pages that will be accessed. However, I don't just load the page names into the array: I load key=>value pairs into the array. I pass the KEY in the url, so the user never knows what file they're getting.

    I know which pages will be permissible, and which will not.

    I load these accepted pages into an array, and perform a check on them.

    If the page exists in the array, I include it. Otherwise, I don't. Pretty common method nowadays.

    Two fold advantage: Secure, and shadowed, meaning the user doesn't really know what they're looking at. All they see is "index.php?code=00".

    It's not very extensible (well, it could be with some tricks), but it's just my preferred method.
  12. Junior Member
    Devshed Newbie (0 - 499 posts) | Join Date: May 2003 | Posts: 1 | Rep Power: 0
    Keiichi Morisato's method is my choice for this .inc mess,

    PHP Code:
    // $page has already been reduced to the letters a-z at this point.
    if (file_exists("$DOCUMENT_ROOT/director/blah_$page.php")) {
      include("$DOCUMENT_ROOT/director/blah_$page.php");
    } else {
      echo "does not exist";
    }
    But I only accept letters a-z in $page; everything else gets ripped away.

    About cookies/username/password, I use two cookies. One contains data for timeout (name=session_time, value=time_of_creation, updated every request); one contains no information (name and value are generated randomly at login; this is only to annoy hackers).

    All I do is compare that current_time - session_time < 10 minutes and randomly_generated_cookie_name value = randomly_generated_cookie_value; if all this adds up, then I trust my session and I can check user_level, user_id etc. from the session.

    example randomly_generated_cookie_name = 2434b2cc4c148f68de4ecbaf549710e7

    These of course are in addition to PHP's own session id cookie. If you want to make it a bit harder to hack you can change the cookie's values to new random numbers every request.

    Any thoughts?

    -9902468
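    Added example, not code from any of the posters: a page dispatcher that combines the last three posts' ideas (the fixed-directory include from the DiPesa/Keiichi exchange, the key=>value map from post 11, the a-z filter from post 12) and never passes user input to include(). PAGE_DIR, the page keys and the file names are assumptions; the hypothetical `resolve_page()` is the whole check.

```php
<?php
// Added example (not from the thread): a page dispatcher that never passes
// user input to include(). PAGE_DIR, the page keys and file names are assumptions.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/director';

// URL key => file inside PAGE_DIR. The user only ever sees the key
// (post 11's key=>value map); the file names stay server-side.
const PAGES = [
    'home'    => 'blah_home.php',
    'news'    => 'blah_news.php',
    'contact' => 'blah_contact.php',
];

// Absolute path of the file to include, or null if the request is not allowed.
function resolve_page(?string $key): ?string
{
    // Post 12's a-z rule, applied first: "../../etc/passwd" and "http://..."
    // never get as far as a lookup, let alone the filesystem.
    if ($key === null || !preg_match('/^[a-z]+$/', $key)) {
        return null;
    }
    // Only keys present in the map are served.
    if (!array_key_exists($key, PAGES)) {
        return null;
    }
    // Belt and braces: the resolved file must still sit inside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Sanity check: the allowed keys resolve only once the files exist; the
    // traversal and remote-URL inputs from post 10 are always rejected.
    foreach (['home', 'news', '../../../../etc/passwd', 'http://evil.example/x', 'admin'] as $p) {
        printf("%-28s => %s\n", $p, resolve_page($p) ?? 'rejected');
    }
} else {
    // Front controller: index.php?page=news
    $target = resolve_page($_GET['page'] ?? null);
    if ($target === null) {
        http_response_code(404);
        echo 'does not exist';
    } else {
        include $target;
    }
}
```

    The map is what makes this safe; the regex and the realpath() check are there so that a future edit to the map (say, a value containing a slash) cannot quietly reopen the hole. Adding a page means adding one line to PAGES, which is the "not very extensible" trade-off post 11 mentions.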
  13. Contributing User
    Devshed Newbie (0 - 499 posts) | Join Date: Nov 2000 | Posts: 204 | Rep Power: 14
    one contains no information (name and value are generated randomly at login, this is only to annoy hackers)
    That's so wicked. I love it!
  14. Another damn newb...
    Devshed Newbie (0 - 499 posts) | Join Date: Jan 2002 | Location: Bodø, Norway | Posts: 94 | Rep Power: 13
    Originally posted by andnaess
    That's fine for library files, but I use a lot of includes when building my sites and putting them outside the webtree would make things messy, so we have our webserver set up to deny request for .inc files, simple as that.
    Another simple solution is to just place all the typical "content" files, that you don't want to be viewed/executed out of context into a separate folder, and then protect this folder from outside access through a simple .htaccess file... Something like this:

    Order Deny,Allow
    Deny from all
    Allow from www.yoursite.com

    Could be like this:
    /www
        /inc
            .htaccess
            content1.inc
            content2.inc

    In this way at least, people trying to access the /inc folder will only get a "403 forbidden"-message while your PHP-scripts fetching the files through the include-function will work just fine...
    Torkil Johnsen

    Never underestimate the power of stupid people in large groups...
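    Added example, not Torkil's or andnaess's configuration: the same protection in Apache 2.4 syntax, both per directory (as above) and per extension (as andnaess describes). Because include() reads the file from disk and never issues an HTTP request, the directory can be denied to every client; the "Allow from www.yoursite.com" line is not needed for the scripts to keep working. The paths are assumptions.

```apache
# Added example (not from the thread). Paths are assumptions.

# 1. Per directory, in httpd.conf. In a .htaccess file inside /www/inc the
#    <Directory> wrapper is omitted and only the Require line is used.
<Directory "/www/inc">
    Require all denied
</Directory>

# 2. Per extension, wherever .inc files live.
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent of either block:
#     Order Deny,Allow
#     Deny from all
```

    Either way a direct request for /inc/content1.inc gets a 403 while `include('/www/inc/content1.inc')` from a script keeps working. Note that a denied .inc file that is fetched through a different vector (for example a vulnerable include($page) elsewhere) is still executed, so this is a complement to the dispatcher checks above, not a replacement for them.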
  15. Banned (not really)
    Devshed Supreme Being (6500+ posts) | Join Date: Dec 1999 | Location: Brussels, Belgium | Posts: 14,642 | Rep Power: 4476
    Yeah, pretty sure that's been said already. Please read the whole thread before posting.

    ---John Holmes...
