FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Help with Security Have I coded this correctly?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Help with Security Have I coded this correctly? [message #182088 is a reply to message #182087] Mon, 08 July 2013 12:48 Go to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 7/8/2013 4:49 AM, kishorguru99pvtltd(at)gmail(dot)com wrote:
> On Thursday, July 4, 2013 12:05:09 AM UTC+5:30, Christoph Michael Becker wrote:
>> Daniel Pitts wrote:
>>
>>> On 7/2/13 11:50 PM, chirag sharma wrote:
>>
>>>> I have created an online PHP code executor at http://web.guru99.com
>>
>>>>
>>
>>>> Though I have checked all security aspects � do you experts see any
>>
>>>> major flaw that I need to care of?
>>
>>>>
>>
>>> I get a 403 forbidden on the AJAX request in both Chrome and Firefox.
>>
>>>
>>
>>> I don't know what you've done to protect against attack. Are you safe
>>
>>> against the following type of attack? Are you just scrubbing the input,
>>
>>> or have you actually locked-down and hardened the PHP itself?
>>
>>>
>>
>>> <?php
>>
>>> $foo = "scan";
>>
>>> $foo .= "dir";
>>
>>>
>>
>>> var_dump($foo('.'));
>>
>>> ?>
>>
>>
>>
>> When the AJAX request did work (about an hour ago), I was able to
>>
>> execute the following successfully:
>>
>>
>>
>> <?php
>>
>> print_r(glob("*"));
>>
>> ?>
>>
>>
>>
>> --
>>
>> Christoph M. Becker
>> Thanks for reply
> if disable "glob()" function it can be solve.
>

What you don't understand is - that will solve THIS problem. But how
many other potential security risks do you have?

There are huge risks when allowing people to place code on your system.
Securing your system is much more than just disabling a few functions.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Consumir Web Service usando SoapClient y Certificados jsk
Next Topic: How can i get value of text area?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 17:03:55 GMT 2024

Total time taken to generate the page: 0.04294 seconds