[pLog-svn] php security scanner

Jon Daley plogworld at jon.limedaley.com
Tue Jul 4 19:57:16 GMT 2006


The guy mentioned this the other day.  Anyone remember why the calls to 
escapeshellarg are commented out?

It seems that there isn't much we need to do about people giving us a bad 
path to unzip, ie. some other program, since the only people who can 
change that value are "site admins", and if they are site-admins, they 
could turn off the security setting that disables php_in_templates, and 
then write their own php code in the template anyway.

We probably should escape the input to exec though.

function unpack( $file, $destFolder ){
...
    //$file = escapeshellarg($file);
    //$destFolder = escapeshellarg($destFolder);

    // :DANGER:
    // what if the user voluntarily sets the path of gzip and tar
    // to something else? we are doing no checks here to make sure that
    // the user is giving us a valid command so... how could we make
    // sure that it'll work?

    $cmd = "$gzipPath -dc $file | $tarPath xv -C $destFolder";
    $result = exec( $cmd, $output, $retval );


On Tue, 4 Jul 2006, Jon Daley wrote:

> On Tue, 4 Jul 2006, Ammar Ibrahim wrote:
>> PHP Security Scanner. http://securityscanner.lostfiles.de/
>
> Interesting.
>
> I am now running it, and will see if there is anything obvious that it 
> reports.
>
> 1. xmlrpc.php has an fopen call on line 783 that allows a "..".  I am not 
> sure what the xmlrpc stuff needs to be able to do, so I am not comfortable 
> modifying that regexp without further guidance.  I am not sure where the 
> arguments are coming from when passed to metaWeblogNewMediaObject().
> The client is giving us a filename to open?  That sounds bad, although I 
> guess the temp_dir is specified in the config file, probably .htaccess could 
> be specified in addition to filenames with ".." in them?
>
>
> still going - but wanted to see if any of the rest of you were looking into 
> it, so we don't duplicate work.
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://devel.lifetype.net/mailman/listinfo/plog-svn
>

-- 
Jon Daley
http://jon.limedaley.com/

Every 18 months, the speed of software halves.
-- Gates' Law
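The two points raised above (escaping the values interpolated into the exec() string in unpack(), and the ".." in a path handed to fopen() in xmlrpc.php) can be handled with the same pattern: resolve the path on disk first, check it is what the code expects, and only then quote it for the shell. The following is an added example and not pLog's own code; $gzipPath and $tarPath follow the names in the snippet, while buildUnpackCommand(), resolveInside() and the checks they make are assumptions about how one might harden it.

```php
<?php
// Added example, not part of the pLog source. Shows the unpack() command
// from the mail built with escapeshellarg() re-enabled, plus the path and
// tool checks that the ":DANGER:" comment asks about.

// Resolve $path and require it to live inside $baseDir. realpath() collapses
// "..", "." and symlinks, so a traversal attempt resolves outside $baseDir
// (or to a non-existent file) and is rejected here instead of reaching
// fopen() or exec(). Returns the resolved path or null.
function resolveInside(string $baseDir, string $path): ?string
{
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, '/') . '/';
    return (strncmp($real, $base, strlen($base)) === 0) ? $real : null;
}

// Site admins control $gzipPath/$tarPath (accepted in the thread), so this
// is defence in depth: insist on an absolute path to an executable file so
// a typo or a stray value fails loudly rather than running something else.
function assertExecutable(string $tool): void
{
    if ($tool === '' || $tool[0] !== '/' || !is_file($tool) || !is_executable($tool)) {
        throw new InvalidArgumentException("not an executable file: $tool");
    }
}

// Build the same pipeline as the original $cmd, with every interpolated
// value quoted. escapeshellarg() wraps the value in single quotes and
// escapes embedded quotes, so spaces and shell metacharacters in a file
// name stay inside one argument instead of becoming part of the command.
function buildUnpackCommand(
    string $gzipPath, string $tarPath, string $uploadDir, string $file, string $destFolder
): string {
    assertExecutable($gzipPath);
    assertExecutable($tarPath);

    $archive = resolveInside($uploadDir, $file);
    if ($archive === null || !is_file($archive)) {
        throw new InvalidArgumentException("archive outside $uploadDir or missing: $file");
    }
    $dest = realpath($destFolder);
    if ($dest === false || !is_dir($dest)) {
        throw new InvalidArgumentException("destination is not a directory: $destFolder");
    }

    return escapeshellarg($gzipPath) . ' -dc ' . escapeshellarg($archive)
         . ' | ' . escapeshellarg($tarPath) . ' xv -C ' . escapeshellarg($dest);
}

// Hardened unpack(): same signature as the original, plus the upload
// directory the archive must live in (a constructed parameter).
function unpack(string $file, string $destFolder, string $uploadDir,
                string $gzipPath = '/bin/gzip', string $tarPath = '/bin/tar'): int
{
    $cmd = buildUnpackCommand($gzipPath, $tarPath, $uploadDir, $file, $destFolder);
    exec($cmd, $output, $retval);
    return $retval;
}

// Constructed demonstration values; the file need not exist to see how the
// quoting behaves. A name with a space and a quote becomes one argument.
$awkward = "my 'theme' v1.tar.gz";
echo escapeshellarg($awkward), "\n";      // 'my '\''theme'\'' v1.tar.gz'

// Traversal in a client-supplied name resolves outside the upload dir
// and is refused; the real call site would then return an error to the client.
var_dump(resolveInside('/tmp', '/tmp/../etc/passwd'));   // NULL
```

The quoting alone stops a file name from altering the command, but it does not stop "../" from selecting a file elsewhere on disk, which is why resolveInside() is applied before escapeshellarg(), and why the same helper would suit the fopen() in xmlrpc.php once it is known which directory that code is meant to read from.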

