ASPit - Totally ASP JSit - Totally JavaScript
Search PHPit

Use this textbox to search for articles on PHPit. Seperate keywords with a space.


PHPit hacked? Never!

(Page 2 out of 2)

The "hacker" has contacted me. He had not real malicious intent, and he has told me about the bug. To be honest, I made a really stupid mistake, involving highlight_file(). To demonstrate code files in articles, I use a viewsource file (located at path.). I actually took counter-measures to prevent anyone from opening files that shouldn't be opened, but I missed one critical thing.

I restricted the script to only open files from the demo directory, using the following code:

if (substr($url, 0, strlen("/demo")) == "/demo") {
        highlight_file ($begin . $url);
} else {
        die ("Security Alert! Breach has been logged for review (IP Address: " . $_SERVER['REMOTE_ADDR'] . ").");

Who can spot the HUGE security bug in that one? I didn't, until the hacker showed me (and I can't believe I forgot about it).

The problem is that the path can include '..', which means go a directory up. Do something like and it actually shows the .passwd file. Gasp! (it's fixed now, of course)

Thankfully, the hacker wasn't really a hacker, and contacted me through the contact form to show me my error. Heck, he even had a look at the viewsource.php file, to suggest a fix. So, to the hacker: no hard feelings, and thanks for pointing out my error. Don't worry about any legal action or nonsense like that. I haven't lost any money or time, so I'm not angry or mad.

Lesson learnt from this? Security is hard, really hard. I thought I had covered all my bases, but there was still a way in. In the near future, I will probably write a PHP security article that has a look at all kinds of different situations, with some good examples and code. Stay tuned!

« Previous: What exactly happened?

One Response to “PHPit hacked? Never!”

  1. Arnold Daniels Says:

    May I point out that this also means that your host has a security leak on your server. You could simply write a PHP file to readout the root password and TAKE OVER THE WORLD!!!… ehhh… I mean take over the server.

    You should realy mention to you host that he sould not run apache as root and/or change the privileges on the server so dirs outside the webroot can’t be accessed by www-data (the default apache user).


    Arnold Daniels

Leave a Reply

About the author
Dennis Pallett is the main contributor to PHPit. He owns several websites, including ASPit and Chill2Music. He is currently still studying.
Article Index
  1. What exactly happened?
  2. The hacker responds
Bookmark Article
Download Article
Download this article as a PDF file