[lug] Safely Parsing PHP Parameters
Zan Lynx
zlynx at acm.org
Wed Oct 10 14:21:36 MDT 2007
On Wed, 2007-10-10 at 14:13 -0600, Bill Thoen wrote:
> Zan Lynx wrote:
> > And I think forcing the conversion to int will make your code safe
> > enough. As long as no one can do a ?essay=../../../../../etc/passwd or
> > anything like it.
> >
>
> That's exactly the sort of thing I'm worried about. How in the world
> would a hacker get anything useful with a trick like this? I never
> display the parameter value (except as an integer, and only if it's in
> the correct range). Does shoving the contents of the passwd file turn it
> into global variables or something?
No, but lets say you had code later on that did something like:
output("$ESSAY_PATH/$essay/$page");
and it was $page == "../../../../../etc/passwd", then the result would
be to produce output from the filename
"$ESSAY_PATH/$essay/$page/../../../../../etc/passwd", which is very
likely to be the system password file. It could also be used to get the
contents of any other file readable by the web server user.
By itself that isn't so bad, but being able to scout the system like
that is the first step to going from a remote attack (rare) to a local
privilege escalation attack (sadly, rather more common).
--
Zan Lynx <zlynx at acm.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20071010/92a0fc9a/attachment.pgp>
More information about the LUG
mailing list