Probably the best thing is to do something like:
// Map of short names to the only files that may be included.
$index = array('index' => 'index.php', 'hs' => 'highschool.php', /* ... */);
if (isset($index[$_GET['body']])) {
    include($index[$_GET['body']]);
}
Then, only pages specifically listed in $index get included.
David Phillips said:
> Chad Walstrom writes:
>> Can you build a dictionary list corresponding to the filenames so that
>> the visible URL that people see is something like
>> "http://domain.tld/location/FISH4310PREL2Q0OU", or submit the form
>> variable as the hash. Then find the file based on the hash...?
>
> That's not a great method, because you then need to store a list of all
> the hashes and their corresponding values. Unless you aren't using a
> secure hash, in which case you are relying on security through
> obscurity.
>
> What you want to do here is authenticate the filename passed. In other
> words, you want to make sure that you generated the filename and it has
> not been tampered with.
>
> To do this, use a secure hash function such as MD5 or SHA1. Pick a
> random string to use as a key. Prepend this key to your filename and
> generate a hash for the string. Include both the filename and the hash
> as variables. To determine if a passed filename is trusted, perform the
> same procedure as above and compare the generated hash to the passed
> hash. If they match, it means the filename can be trusted.
>
> I actually wouldn't use this method here. In fact, it looks like the OP
> should be using SSI instead of PHP. But at any rate, he is violating a
> fundamental programming rule, especially for web applications:
>
> NEVER TRUST USER INPUT
>
> In his case, a simple basename() call would have prevented the problem.
>
> --
> David Phillips <david at acz.org>
> http://david.acz.org/
_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
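An added example (not from the thread) that puts together the reply's whitelist map and the keyed-hash check described in the quoted message, with hash_hmac() and hash_equals() substituted for the hand-rolled key-prepend-and-MD5 construction; the key, page names and request values are placeholders constructed for the demo.

```php
<?php
// Added example, not code from the mailing-list thread.
// Approach 1 (the reply): a whitelist map; only listed keys resolve to a file.
// Approach 2 (the quoted message): authenticate a server-issued filename with a
// keyed hash so that a tampered filename fails verification. This uses
// hash_hmac()/hash_equals() rather than MD5 over key||filename (assumption).

const PAGE_MAP = array(
    'index' => 'index.php',       // placeholder page names
    'hs'    => 'highschool.php',
);

// Returns the file for a known key, or null so the caller includes nothing.
function resolve_whitelisted(array $map, $body) {
    if (!is_string($body) || !isset($map[$body])) {
        return null;
    }
    return $map[$body];
}

const SERVER_KEY = 'replace-with-a-long-random-secret';  // placeholder key

// Tag issued by the server alongside the filename it generated.
function sign_filename($filename, $key) {
    return hash_hmac('sha256', $filename, $key);
}

// Recompute the tag for the submitted filename and compare in constant time.
function verify_filename($filename, $tag, $key) {
    if (!is_string($filename) || !is_string($tag)) {
        return false;
    }
    return hash_equals(sign_filename($filename, $key), $tag);
}

// Constructed request values; $_GET is not read here.
$requests = array(
    array('body' => 'hs'),
    array('body' => '../secret.php'),
);
foreach ($requests as $req) {
    $file = resolve_whitelisted(PAGE_MAP, $req['body']);
    echo $req['body'], ' => ', var_export($file, true), "\n";
}

$tag = sign_filename('highschool.php', SERVER_KEY);
var_dump(verify_filename('highschool.php', $tag, SERVER_KEY));
var_dump(verify_filename('../secret.php', $tag, SERVER_KEY));
```

The second verify call fails because the tag was computed over the original filename, which is the "has not been tampered with" property the quoted message is after.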