Saturday, January 22, 2005
How not to use PHP
So someone found an exploit in my PHP code on the www.glug.org.za website. My mistake was that I was using the "include($filename)" function. Turns out when you used "www.glug.org.za/index.php?content=/etc/passwd" you could see the whole file in the main page, allowing attackers to see sensitive files on the server. This could allow an attacker with enough patience to break into the server. Even though I had a fix ready within half an hour, the website has been pulled, and has been down ever since 7 January 2004.
My mistake was that I thought that it was Apache's job to limit the visibility of what the PHP could do. Yes, there are settings in PHP to run it in safe mode, but they have their own problems. So for future reference: if you use the PHP function "include($filename)" it should be used as "include(basename($filename))". Always use the "basename($filename)" function. It strips away the path and only returns the filename; that way the files located in the root can never be accessed.
Another way to secure your Apache server would be to run Apache in a chroot jail. This will make sense especially if you host someone else's code and do not have control over the code that people write. Well what can I say?... Lesson learnt. Hope someone else can also learn from my mistake.
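The basename() fix described above, as an added example that is not the original site's code: it strips the directory part of the request value and then only returns a file that really sits in a dedicated content directory. The function name resolve_content, the temporary content directory and the page name news.php are assumptions made for illustration.

```php
<?php
// Added example, not the site's code. resolve_content(), the content
// directory and news.php are hypothetical names chosen for illustration.

/**
 * Map a user-supplied ?content= value to a file inside $contentDir,
 * or return null if the request must be refused.
 */
function resolve_content(string $requested, string $contentDir): ?string
{
    // Null bytes truncated paths in old PHP versions; refuse them outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // The fix from the post: drop every directory component.
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // Anchor the bare name to a directory that holds only includable pages.
    $base = realpath($contentDir);
    $path = realpath($contentDir . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks; the result must still sit directly in $base.
    if ($base === false || $path === false
        || dirname($path) !== $base || !is_file($path)) {
        return null;
    }
    return $path; // safe to pass to include
}

// Constructed demo: a temporary content directory with a single page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'content_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'news.php', "<?php echo 'news page';\n");

// Constructed inputs: one valid page name and several values to be refused.
foreach (['news.php', '/etc/passwd', '../../etc/passwd', '..', ''] as $input) {
    $path = resolve_content($input, $dir);
    printf("%-22s => %s\n", var_export($input, true),
        $path === null ? 'refused' : 'include ' . basename($path));
}

unlink($dir . DIRECTORY_SEPARATOR . 'news.php');
rmdir($dir);
```

Keeping the includable pages in their own directory matters because basename() alone still allows any file that sits next to index.php to be included by name.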
Saturday, January 01, 2005
Google's products...

Well I have to say I am impressed, it redefines the webmail experience completely. I have only been using it for a couple of days and I am already moving the mailing lists over. Why have a mail client on your local PC? This one is available all over the world without the need to carry your PC around.
It is still beta but I can see great potential. The whole design is brilliant. It isn't simply a clone of another web-based mailing system, it is clever: it figures out things like addresses on the fly, hides long quoted emails and automatically puts the emails of a conversation below each other so that it reads like a story. I am suddenly wishing I had Google shares.
They are going to be worth millions in the future. Writing this on another one of their services... Blogger.
Knowledge is power and they have lots of it.
Just think about it, they will control people's searches (what people get to discover), blogs (thoughts), mails (interaction). Next is a messenger or browser? They can shape your world and your perception (assuming of course that you do not interact with other people by talking to them).
Conspiracy theory!!!
;)
Jokes aside. Knowledge is power and power can be a dangerous thing.
For now let me just embrace 2005, it is only a couple of hours away!