[lug] Safely Parsing PHP Parameters

Lee Woodworth blug-mail at duboulder.com
Wed Oct 10 19:48:56 MDT 2007


Zan Lynx wrote:
> On Wed, 2007-10-10 at 14:13 -0600, Bill Thoen wrote:
>> Zan Lynx wrote:
>>> And I think forcing the conversion to int will make your code safe
>>> enough.  As long as no one can do a ?essay=../../../../../etc/passwd or
>>> anything like it.
>>>   
>> That's exactly the sort of thing I'm worried about. How in the world 
>> would a hacker get anything useful with a trick like this? I never 
>> display the parameter value (except as an integer, and only if it's in 
>> the correct range). Does shoving the contents of the passwd file turn it 
>> into global variables or something?
> 
> No, but lets say you had code later on that did something like:
> output("$ESSAY_PATH/$essay/$page");
Don't know PHP, but IIRC, in Perl:
    int(`evil code`)
would execute the code in a shell and the cgi page's code would
(potentially) get an error too late to do anything about the code
that got executed. If PHP has arbitrary system execution escapes,
beware. It's better to filter any user input and discard anything
that isn't in the allowed/expected characters, e.g. get rid of
anything that isn't a digit.


> 
> and it was $page == "../../../../../etc/passwd", then the result would
> be to produce output from the filename
> "$ESSAY_PATH/$essay/$page/../../../../../etc/passwd", which is very
> likely to be the system password file.  It could also be used to get the
> contents of any other file readable by the web server user.
> 
> By itself that isn't so bad, but being able to scout the system like
> that is the first step to going from a remote attack (rare) to a local
> privilege escalation attack (sadly, rather more common).
> 
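The thread contrasts a bare integer cast with rejecting anything that is not digits, and then shows how an unchecked `$page` value reaches a filesystem path. The PHP below is an added example, not code from anyone in the thread; it assumes the parameters arrive as query strings like `?essay=7` and that `$essayPath` stands for the thread's `$ESSAY_PATH` base directory. It shows why a cast alone is not a filter (`(int)"12../../etc/passwd"` is `12`, so the cast hides the junk instead of rejecting it), validates the value as a bounded, digits-only integer, and adds a second check that the resolved file path stays under the base directory.

```php
<?php
// Added example (not from the thread). Validate an "essay"/"page" query
// parameter as a bounded integer before it is used to build a file path.
declare(strict_types=1);

/**
 * Return $raw as an int within [$min, $max], or null if it is not an exact
 * decimal integer. FILTER_VALIDATE_INT rejects any string that is not
 * entirely a well-formed integer, whereas an (int) cast silently keeps the
 * leading digits of "12../../etc/passwd" and discards the rest.
 */
function parse_bounded_int(?string $raw, int $min, int $max): ?int
{
    if ($raw === null) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/**
 * Second layer of defence: build the page path from already-validated ints and
 * refuse anything whose resolved path is not strictly inside $essayPath
 * (the thread's $ESSAY_PATH). realpath() collapses any "../" segments, so a
 * traversal that somehow got past the integer check still fails here.
 */
function essay_file_path(string $essayPath, int $essay, int $page): ?string
{
    $base = realpath($essayPath);
    $candidate = realpath(
        $essayPath . DIRECTORY_SEPARATOR . $essay . DIRECTORY_SEPARATOR . $page
    );
    if ($base === false || $candidate === false) {
        return null; // base directory or requested file does not exist
    }
    // The resolved file must start with "<base>/", not merely share a prefix.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs, as they might arrive in $_GET['essay'].
$samples = [
    '7',                            // accepted
    '12../../../../../etc/passwd',  // (int) cast yields 12; rejected here
    '../../../../../etc/passwd',    // (int) cast yields 0; rejected here
    '0x1A',                         // rejected: not a plain decimal integer
    '9999',                         // rejected: outside the allowed range
];

foreach ($samples as $raw) {
    $parsed = parse_bounded_int($raw, 1, 500);
    printf(
        "%-34s -> %-9s (bare (int) cast would give %d)\n",
        var_export($raw, true),
        $parsed === null ? 'rejected' : 'essay ' . $parsed,
        (int) $raw
    );
}
```

Run with `php example.php`; only `'7'` is accepted, and the printed cast values show that `(int)` alone would have produced a plausible-looking `12` or `0` from the two traversal strings. In a real handler, a `null` from `parse_bounded_int()` or `essay_file_path()` should end the request with a generic error rather than echoing the raw parameter back.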