PHP Classes

Security issues

Package: pAjax
Subject: Security issues
Summary: The potential for horror is serious here
Messages: 4
Author: Phil
Date: 2005-09-13 16:48:19
Update: 2005-09-14 13:17:00
 

  1. Security issues
Phil - 2005-09-13 16:48:19
I have got to say that this sort of script is going to save my day.

However, on inspection, is this sort of class very insecure?

I can call simply any PHP function of my own choosing, including readfile or even exec.

Could we not use some form of registration system, where during the initialisation of the class, we can declare a set of valid functions that can be called?

Even better, a set of function maps, so I can map a call to a generic function called "encode" to a totally different function?

  2. Re: Security issues
Guilherme Blanco - 2005-09-13 23:03:47 - In reply to message 1 from Phil
Hello Phil,

First of all, thanks for your message. Only with threads and emails can I write a better class and provide useful stuff to everyone.

I'll try to answer your question. I got an email 2 days after I published this class reporting a very big problem that a cracker could call any function from the server, even being outside the same domain. The person documented the error and described a very common approach to fix this issue. The solution was function exports (like you suggested). My idea is to make my class as simple as possible, and I spent the last 3 weeks rebuilding this class from scratch, to solve not only this bug, but other ones that I found.

I thought if I didn't mention anything and tried to finish the new version as soon as possible. That's what I did. I finished the version 1.5 last Wednesday and I'm finished documenting it. Some suggestions were included too, but the class isn't everything I expected, and I delivered some TODO to next version.

I'll publish the solution today or even tomorrow. It's missing 2 more doc files to be written. I'll notify all subscribed users about the changes, even telling why they need to update the script. I have already written a migration document to help programmers that already use my class.

Ah... I told that this bug is already solved, but didn't tell you how. I restricted the call by domain (only scripts in the same domain can make a request) and also a map of allowed functions to be called. You can use domain protection, export protection or both at the same time. This fixes the issue.


Cheers,
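
The export map Phil asks for in message 1 and Guilherme describes in message 2, sketched as an added example (not pAjax code and not written by either poster). The class, method and error names are hypothetical, the domain restriction is not modelled, and PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added illustration; class and method names are hypothetical, not pAjax's API.
final class ExportMap
{
    /** @var array<string, callable> public name => server-side callable */
    private array $exports = [];

    // Called during initialisation: only names registered here are reachable.
    public function export(string $publicName, callable $target): void
    {
        $this->exports[$publicName] = $target;
    }

    // The client-supplied name is used only as an array key. It is never
    // handed to call_user_func() or invoked as a variable function.
    public function dispatch(string $requested, array $args): array
    {
        if (!isset($this->exports[$requested])) {
            return ['ok' => false, 'error' => 'function not exported'];
        }
        $args = array_values($args);          // positional only, no named args
        foreach ($args as $arg) {
            if (!is_scalar($arg)) {           // refuse nested structures
                return ['ok' => false, 'error' => 'invalid argument'];
            }
        }
        try {
            return ['ok' => true, 'result' => ($this->exports[$requested])(...$args)];
        } catch (TypeError $e) {              // wrong argument count or type
            return ['ok' => false, 'error' => 'invalid argument'];
        }
    }
}

$rpc = new ExportMap();
// Function map: the public name "encode" points at a different function.
$rpc->export('encode', static fn(string $s): string => rawurlencode($s));
$rpc->export('add', static fn(int $a, int $b): int => $a + $b);

// Constructed sample requests: (name, arguments) as a client would send them.
$requests = [['encode', ['a b&c']], ['add', [2, 3]], ['readfile', ['x.txt']], ['exec', ['x']]];
foreach ($requests as [$name, $args]) {
    echo $name, ' => ', json_encode($rpc->dispatch($name, $args)), PHP_EOL;
}
```

The two registered names return results; `readfile` and `exec` are rejected because they were never exported, even though both exist as PHP functions.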

  3. Re: Security issues
Phil - 2005-09-14 10:22:10 - In reply to message 1 from Phil
I have just noticed the publication of the new version now.

Many thanks

The fact that any function could be called was a real worry, and the new one is going to be great.

I am gonna raise a new question now though, because of the nature of my site setup, I am praying it is possible.

  4. Re: Security issues
Guilherme Blanco - 2005-09-14 13:17:00 - In reply to message 3 from Phil
You should be reminded that version 1.5.1 has been published now.

Yesterday night I uploaded the wrong files that still did not fix the domain protection. I also added 2 new parser error messages if function is not valid and if domain is not valid.

Download the class from now. It's safer and much better than the older one. =)


Cheers,