Re: Help with Security Have I coded this correctly? [message #182071 is a reply to message #182069]
Wed, 03 July 2013 16:31
bill
Messages: 310 Registered: October 2010
Karma: 0
Senior Member
On 2013-07-03 2:50 AM, chirag sharma wrote:
> I have created an online PHP code executor at http://web.guru99.com
>
> Though I have checked all security aspects … do you experts see any major flaw that I need to care of?
>
Pretty good site, actually, the parts I looked at. Like the plain
language used.
Same result as Arno on the test. IE 10; too bad he didn't mention his
browser; it could be browser-specific.
Re: Help with Security Have I coded this correctly? [message #182072 is a reply to message #182069]
Wed, 03 July 2013 17:42
Timothy
Messages: 3 Registered: June 2013
Karma: 0
Junior Member
On Tue, 02 Jul 2013 23:50:44 -0700, chirag sharma wrote:
> I have created an online PHP code executor at http://web.guru99.com
Wow! That site looks very neat!
> Though I have checked all security aspects … do you experts see any
> major flaw that I need to care of?
I would only whitelist allowable patterns/functions. It is very plausible
to miss an attack/harmful function in a blacklist.
For example I could partially read your source code by running:
<?php
readfile("exec.php");
?>
I could not test your script reliably, because sometimes 'exec.php'
throws an Apache 403 Forbidden error.
Be sure to disable include/require and the *_once variants, because they
might include a remote script.
Timothy
Re: Help with Security Have I coded this correctly? [message #182074 is a reply to message #182069]
Wed, 03 July 2013 18:12
Daniel Pitts
Messages: 68 Registered: May 2012
Karma: 0
Member
On 7/2/13 11:50 PM, chirag sharma wrote:
> I have created an online PHP code executor at http://web.guru99.com
>
> Though I have checked all security aspects … do you experts see any major flaw that I need to care of?
>
I get a 403 forbidden on the AJAX request in both Chrome and Firefox.
I don't know what you've done to protect against attack. Are you safe
against the following type of attack? Are you just scrubbing the input,
or have you actually locked-down and hardened the PHP itself?
<?php
$foo = "scan";
$foo .= "dir";
var_dump($foo('.'));
?>
Re: Help with Security Have I coded this correctly? [message #182075 is a reply to message #182074]
Wed, 03 July 2013 18:35
Christoph Michael Bec
Messages: 207 Registered: June 2013
Karma: 0
Senior Member
Daniel Pitts wrote:
> On 7/2/13 11:50 PM, chirag sharma wrote:
>> I have created an online PHP code executor at http://web.guru99.com
>>
>> Though I have checked all security aspects … do you experts see any
>> major flaw that I need to care of?
>>
> I get a 403 forbidden on the AJAX request in both Chrome and Firefox.
>
> I don't know what you've done to protect against attack. Are you safe
> against the following type of attack? Are you just scrubbing the input,
> or have you actually locked-down and hardened the PHP itself?
>
> <?php
> $foo = "scan";
> $foo .= "dir";
>
> var_dump($foo('.'));
> ?>
When the AJAX request did work (about an hour ago), I was able to
execute the following successfully:
<?php
print_r(glob("*"));
?>
--
Christoph M. Becker
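The three probes posted above (Timothy's readfile("exec.php"), Daniel's $foo('.') variable function and Christoph's glob("*")) all get past a filter that merely searches the submitted text for forbidden names. Below is an added example of the whitelist approach Timothy suggests, written for this thread and not taken from the guru99 site or from any poster: it walks PHP's own token stream and rejects anything that is not a direct call to an allowlisted function, plus the constructs that need no function name at all (include/require, eval, new, backticks, calls on computed expressions). The allowlist, the sample inputs and the rejection messages are assumptions made for the demo.

```php
<?php
// Added example (not code from the guru99 site or anyone in this thread):
// an allowlist check over the PHP token stream, run before a submission is
// executed. It rejects exactly what a name-based blacklist on the source
// text lets through: a function name assembled at runtime, a call on a
// computed expression, include/require of a remote script, and object
// construction that reads files without calling any function.
declare(strict_types=1);

// Hypothetical allowlist for the demo. Nothing on it takes a callback,
// reads the filesystem or touches the network.
const ALLOWED_FUNCTIONS = [
    'strlen', 'strtoupper', 'strrev', 'str_repeat', 'array_sum', 'count',
    'printf', 'print_r', 'var_dump',
];

// Language constructs that are dangerous regardless of any function name.
const FORBIDDEN_TOKENS = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_EVAL, T_NEW];

const SKIP_TOKENS = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];

/** Next token after $i that is not whitespace or a comment, or null. */
function nextSignificant(array $tokens, int $i)
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], SKIP_TOKENS, true)) {
            continue;
        }
        return $t;
    }
    return null;
}

/** Reasons to reject $code; an empty list means it passed the check. */
function checkSubmission(string $code): array
{
    // PHP 8 tokenizes "\readfile(" or "Foo\bar(" as one name token, so a
    // leading backslash must be treated like a plain T_STRING.
    $nameIds = [T_STRING];
    foreach (['T_NAME_FULLY_QUALIFIED', 'T_NAME_QUALIFIED', 'T_NAME_RELATIVE'] as $c) {
        if (defined($c)) {
            $nameIds[] = constant($c);
        }
    }

    $problems = [];
    $tokens = token_get_all($code);

    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            // Backticks are shell_exec() in disguise; they arrive as a bare '`'.
            if ($tok === '`') {
                $problems[] = 'backtick shell execution';
            } elseif (in_array($tok, [')', ']', '}'], true) && nextSignificant($tokens, $i) === '(') {
                $problems[] = 'call on a computed expression, e.g. ("sys"."tem")("id")';
            }
            continue;
        }

        [$id, $text, $line] = $tok;
        if (in_array($id, FORBIDDEN_TOKENS, true)) {
            $problems[] = "line $line: '$text' is not allowed";
            continue;
        }
        if (nextSignificant($tokens, $i) !== '(') {
            continue; // not a call
        }
        if (in_array($id, $nameIds, true)) {
            // Direct call by name: only allowlisted, unqualified names pass.
            $name = strtolower(ltrim($text, '\\'));
            if (strpos($name, '\\') !== false || !in_array($name, ALLOWED_FUNCTIONS, true)) {
                $problems[] = "line $line: function '$text' is not on the allowlist";
            }
        } elseif ($id === T_VARIABLE || $id === T_CONSTANT_ENCAPSED_STRING) {
            // $foo('.') or "system"("id"): the callee is only known at runtime.
            $problems[] = "line $line: dynamic call through $text is not allowed";
        }
    }
    return array_values(array_unique($problems));
}

// Constructed inputs: the payloads posted in this thread plus a benign one.
$samples = [
    'benign'      => '<?php echo strtoupper(str_repeat("ab", 3));',
    'readfile'    => '<?php readfile("exec.php");',
    'variable fn' => '<?php $foo = "scan"; $foo .= "dir"; var_dump($foo(\'.\'));',
    'glob'        => '<?php print_r(glob("*"));',
    'include'     => '<?php include "http://example.invalid/x.txt";',
    'string call' => '<?php ("sys"."tem")("id");',
    'leading \\'  => '<?php \readfile("exec.php");',
    'new'         => '<?php foreach (new DirectoryIterator(".") as $f) echo $f, "\n";',
];
foreach ($samples as $label => $src) {
    $problems = checkSubmission($src);
    printf("%-12s %s\n", $label, $problems ? 'REJECTED: ' . implode('; ', $problems) : 'accepted');
}
```

Run it with PHP 7.1 or later; every sample except 'benign' is rejected. The check is deliberately conservative: any identifier followed by '(' must be on the allowlist, so method calls, static calls and even user-defined function declarations are refused unless you add a T_FUNCTION-aware exception. It is a static pre-filter, not a sandbox: it composes with, and does not replace, disable_functions, open_basedir and process-level isolation on the side that actually runs the code.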
Re: Help with Security Have I coded this correctly? [message #182087 is a reply to message #182075]
Mon, 08 July 2013 08:49
kishorguru99pvtltd
Messages: 1 Registered: July 2013
Karma: 0
Junior Member
On Thursday, July 4, 2013 12:05:09 AM UTC+5:30, Christoph Michael Becker wrote:
> Daniel Pitts wrote:
>> On 7/2/13 11:50 PM, chirag sharma wrote:
>>> I have created an online PHP code executor at http://web.guru99.com
>>>
>>> Though I have checked all security aspects … do you experts see any
>>> major flaw that I need to care of?
>>>
>> I get a 403 forbidden on the AJAX request in both Chrome and Firefox.
>>
>> I don't know what you've done to protect against attack. Are you safe
>> against the following type of attack? Are you just scrubbing the input,
>> or have you actually locked-down and hardened the PHP itself?
>>
>> <?php
>> $foo = "scan";
>> $foo .= "dir";
>>
>> var_dump($foo('.'));
>> ?>
>
> When the AJAX request did work (about an hour ago), I was able to
> execute the following successfully:
>
> <?php
> print_r(glob("*"));
> ?>
>
> --
> Christoph M. Becker
Thanks for reply.
If the "glob()" function is disabled, it can be solved.
Re: Help with Security Have I coded this correctly? [message #182088 is a reply to message #182087]
Mon, 08 July 2013 12:48
Jerry Stuckle
Messages: 2598 Registered: September 2010
Karma: 0
Senior Member
On 7/8/2013 4:49 AM, kishorguru99pvtltd(at)gmail(dot)com wrote:
> On Thursday, July 4, 2013 12:05:09 AM UTC+5:30, Christoph Michael Becker wrote:
>> Daniel Pitts wrote:
>>> On 7/2/13 11:50 PM, chirag sharma wrote:
>>>> I have created an online PHP code executor at http://web.guru99.com
>>>>
>>>> Though I have checked all security aspects … do you experts see any
>>>> major flaw that I need to care of?
>>>>
>>> I get a 403 forbidden on the AJAX request in both Chrome and Firefox.
>>>
>>> I don't know what you've done to protect against attack. Are you safe
>>> against the following type of attack? Are you just scrubbing the input,
>>> or have you actually locked-down and hardened the PHP itself?
>>>
>>> <?php
>>> $foo = "scan";
>>> $foo .= "dir";
>>>
>>> var_dump($foo('.'));
>>> ?>
>>
>> When the AJAX request did work (about an hour ago), I was able to
>> execute the following successfully:
>>
>> <?php
>> print_r(glob("*"));
>> ?>
>>
>> --
>> Christoph M. Becker
>> Thanks for reply.
> If the "glob()" function is disabled, it can be solved.
>
What you don't understand is - that will solve THIS problem. But how
many other potential security risks do you have?
There are huge risks when allowing people to place code on your system.
Securing your system is much more than just disabling a few functions.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
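Jerry's point is that removing glob() patches one symptom; the question is what else the interpreter can still reach. As an added example that is not the guru99 site's configuration, the php.ini fragment below shows what can be pinned down inside PHP itself for the pool or vhost that runs submitted code, with a comment on what each directive does not cover. The directory path, the limits and the exact function list are assumptions; the list must be tailored to what the runner actually needs.

```ini
; Added example, not the guru99 site's configuration. A php.ini (or per-pool
; php_admin_value) fragment for the PHP-FPM pool or vhost that runs submitted
; code only, never for the rest of the server. Paths and limits are assumptions.

; Built-in functions are disabled by name. Backticks stop working once
; shell_exec is listed. What this directive can never cover: include/require,
; eval, new, and every function you did not think of.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,pcntl_fork,dl,putenv,mail,readfile,file,file_get_contents,file_put_contents,fopen,glob,scandir,opendir,readdir,dir,symlink,link,unlink,rename,copy,chmod,chown,fsockopen,curl_exec,curl_multi_exec,ini_set,set_include_path

; Classes are not functions: SplFileObject and DirectoryIterator read the
; filesystem without calling fopen() or scandir().
disable_classes = SplFileObject,DirectoryIterator,FilesystemIterator,RecursiveDirectoryIterator,GlobIterator

; include/require cannot be disabled here, but remote includes can be, and
; local file access (including includes) is confined to the sandbox directory.
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/sandbox/run/

; Resource limits so one submission cannot tie up the worker, and no error
; output that leaks paths or source.
max_execution_time = 3
memory_limit = 32M
display_errors = Off
expose_php = Off
```

These directives are in-process guards and have been bypassed before; they are the second layer, not the sandbox. The process that runs the code still needs containment from outside PHP: a dedicated unprivileged user, a separate PHP-FPM pool with no write access to the web root, no outbound network, and a container or chroot with a hard time limit, so that a missed function costs a directory listing rather than the server.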
Re: Help with Security Have I coded this correctly? [message #182098 is a reply to message #182071]
Tue, 09 July 2013 14:20
Arno Welzel
Messages: 317 Registered: October 2011
Karma: 0
Senior Member
On 03.07.2013 18:31, Twayne wrote:
> On 2013-07-03 2:50 AM, chirag sharma wrote:
>> I have created an online PHP code executor at http://web.guru99.com
>>
>> Though I have checked all security aspects … do you experts see any major flaw that I need to care of?
>>
>
> Pretty good site, actually, the parts I looked at. Like the plain
> language used.
>
> Same result as Arno on the test. IE 10; too bad he didn't mention his
> browser; it could be browser-specific.
Firefox 22.0 running in Windows 7 Pro x64.
I just checked it again - and now it seems to work.
But again: Without any code or details about the implementation - how to
check for major flaws?
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de