
PHPit hacked? Never!

(Page 2 out of 2)

The "hacker" has contacted me. He had no real malicious intent, and he has told me about the bug. To be honest, I made a really stupid mistake involving highlight_file(). To demonstrate code files in articles, I use a viewsource script (located at http://phpit.net/viewsource.php?url=some path). I actually took counter-measures to prevent anyone from opening files that shouldn't be opened, but I missed one critical thing.

I restricted the script to only open files from the demo directory, using the following code:

// $begin is the directory the site files live under; $url is the path taken from the query string.
if (substr($url, 0, strlen("/demo")) == "/demo") {
        highlight_file ($begin . $url);
} else {
        die ("Security Alert! Breach has been logged for review (IP Address: " . $_SERVER['REMOTE_ADDR'] . ").");
}

Who can spot the HUGE security bug in that one? I didn't, until the hacker showed me (and I can't believe I forgot about it).

The problem is that the path can include '..', which means go a directory up. Request something like http://phpit.net/viewsource.php?url=/demo/../../../../etc/passwd and it actually shows the passwd file. Gasp! (It's fixed now, of course.)
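A hardened version of that check, added here as an example (it is not PHPit's own viewsource.php): the requested path is run through realpath(), which collapses '..' segments and symlinks, and the result is compared against the canonical demo directory. The names $begin and $url follow the snippet above; the web root path is an assumption.

```php
<?php
// Added example, not the original viewsource.php. $begin and $url follow the
// snippet in the article; the web root below is assumed.
$begin = '/var/www/phpit';               // assumed web root
$demoDir = realpath($begin . '/demo');   // canonical demo directory

// Return the canonical path of the requested file if it lies inside $demoDir,
// or null if the request would escape it (via '..', a symlink, or a prefix
// trick such as "/demo-private") or names something that is not a PHP source.
function resolveDemoFile($begin, $demoDir, $url) {
    if ($demoDir === false || !is_string($url)) {
        return null;
    }
    // realpath() normalises the path and returns false for missing files,
    // so non-existent or traversal paths never reach highlight_file().
    $real = realpath($begin . $url);
    if ($real === false) {
        return null;
    }
    // The trailing separator makes the prefix test directory-exact.
    $prefix = rtrim($demoDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only demo sources are meant to be shown; anything else stays hidden.
    if (strtolower(pathinfo($real, PATHINFO_EXTENSION)) !== 'php') {
        return null;
    }
    return $real;
}

$url = isset($_GET['url']) ? $_GET['url'] : '';
$file = resolveDemoFile($begin, $demoDir, $url);
if ($file === null) {
    // Log the rejected request server-side; the client gets a plain 404.
    error_log('viewsource: rejected path from ' . $_SERVER['REMOTE_ADDR']);
    http_response_code(404);
    exit;
}
highlight_file($file);
```

With this check a request for /demo/../../../../etc/passwd resolves to /etc/passwd, fails the prefix comparison, and is logged and rejected before highlight_file() is ever called.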

Thankfully, the hacker wasn't really a hacker, and contacted me through the contact form to show me my error. Heck, he even had a look at the viewsource.php file, to suggest a fix. So, to the hacker: no hard feelings, and thanks for pointing out my error. Don't worry about any legal action or nonsense like that. I haven't lost any money or time, so I'm not angry or mad.

Lesson learnt from this? Security is hard, really hard. I thought I had covered all my bases, but there was still a way in. In the near future, I will probably write a PHP security article that has a look at all kinds of different situations, with some good examples and code. Stay tuned!


One Response to “PHPit hacked? Never!”

  1. Arnold Daniels Says:

    May I point out that this also means that your host has a security leak on your server. You could simply write a PHP file to read out the root password and TAKE OVER THE WORLD!!!… ehhh… I mean take over the server.

    You should really mention to your host that he should not run apache as root and/or change the privileges on the server so dirs outside the webroot can’t be accessed by www-data (the default apache user).

    Regards,

    Arnold Daniels
    http://www.helderhosting.nl

About the author
Dennis Pallett is the main contributor to PHPit. He owns several websites, including ASPit and Chill2Music. He is currently still studying.
Article Index
  1. What exactly happened?
  2. The hacker responds