
Re: [cobalt-security] Cobalt Cube Webmail directory traversal (fwd)



"Gossi The Dog" <gossi@xxxxxxxxxxxxxx> wrote:
> Indeed.  For this year's Blackhat conference, a paper and presentation on
> advanced PHP code hacking has been released.  Whilst it's a very good
> technical read, it leaves a major headache to hosting companies.  The
> reason?  The amount of exploitable PHP utilities.  Generally speaking, if
> you support PHP, chances are your users will be running prewritten code
> such as PHPnuke, SquirrelMail etc.
>
> I'll rummage through my inbox for the paper URL, if anybody is interested.

I think the article you are probably referring to is this one:
http://lwn.net/2001/0704/a/study-in-scarlet.php3
FYI, I notified the author
a few days ago of an error in the code that's a very common mistake that
gives many PHP programmers fits.  If you check out the code snippet with the
line below, you'll see that it really should be the line that follows:

if ($pass = "hello")
if ($pass == "hello")

It's pretty ironic considering that the article is about PHP vulnerabilities
and the snippet is really a good (yet unintended) example since the effect
is that $pass is being set to "hello" and then the if statement is being
evaluated as "if( TRUE )" which will always be TRUE.  This has the effect of
causing the security layer intended by requiring the user to supply a valid
password to be totally ignored, granting the user access 100% of the time.
There are a couple of lessons here.

1. Always test the application before putting it into a production environment.
2. In PHP it might be a better idea to test for equality by placing the
variable on the right hand side of the equality, as follows:  if ( "hello"
== $pass ).  Then, because of the way the parser works, if you accidentally
leave off one equal sign and type if( "hello" = $pass ) you will end up with
an error and the code will not run.

Apologies if this doesn't qualify as Cobalt-specific, but in the context of
this thread I thought it might help a few folks who also happen to be PHP
programmers and who are concerned about the security of their applications.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
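The assignment-versus-comparison mistake and the constant-on-the-left fix from the message above, as an added PHP example (this is not code from the original message or from the LWN article; the password literal "hello" and the sample inputs are constructed for illustration):

```php
<?php
// Added example, not code from the original message or the LWN article.
// The password "hello" and the inputs in the loop are constructed sample values.

// Vulnerable: a single "=" assigns "hello" to $pass, and the if() then tests
// the assigned value, a non-empty string, which PHP treats as true.
function checkVulnerable(string $pass): bool
{
    if ($pass = "hello") {
        return true;   // reached for every input, the password is never checked
    }
    return false;
}

// Fixed: "==" compares instead of assigning.
function checkFixed(string $pass): bool
{
    if ($pass == "hello") {
        return true;
    }
    return false;
}

// Lesson 2 from the message: with the literal on the left, the typo
// ("hello" = $pass) is a parse error, so the broken check never runs.
function checkYoda(string $pass): bool
{
    if ("hello" == $pass) {
        return true;
    }
    return false;
}

// One step further than the message: "===" also avoids PHP's loose
// comparison rules, e.g. "1e1" == "10" is true because both are numeric strings.
function checkStrict(string $pass): bool
{
    return "hello" === $pass;
}

// Walk a few constructed inputs through each variant.
foreach (["hello", "wrong", ""] as $input) {
    printf("%-8s vulnerable=%s fixed=%s yoda=%s strict=%s\n",
        var_export($input, true),
        var_export(checkVulnerable($input), true),
        var_export(checkFixed($input), true),
        var_export(checkYoda($input), true),
        var_export(checkStrict($input), true));
}
```

Running this prints `vulnerable=true` for all three inputs and `true` for the other three functions only on "hello". In real code the password should not be a literal in the source at all; compare user input against a stored hash with `password_verify()` (available since PHP 5.5), which also sidesteps the loose-comparison issue.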