
How do I test safe form input?


Folks,

I am using Apache 1.3.x with PHP 4.3.x and MySQL v4.

Short question:
Before I put my web form available on the internet, how can I test it
from mis-use in such that special characters are ignored? I have tried
entering data such as `/bin/date > /tmp/1234` and this does not create a
temporary file (which is what I would expect, meaning that my form is safe).

Same question at greater length:
I understand how form input can be misused, and I understand that I can
clean the data input using addslashes() or by having magic_quotes turned
on. I have decided on the latter but want to ensure my form is safe and
that storing my data in my mysql database isn't open to hacking by
CGI/Form manipulation. I have tried entering data such as `/bin/date >
/tmp/1234` and this does not create a temporary file (which is what I
would expect, meaning that my form is safe).

Have I tested it successfully against Form/CGI hacking?

Thanks in advance, replies please, via the newsgroup,

randell d.

Jul 17 '05 #1
Reply Via Newsgroup wrote:
Have I tested it successfully against Form/CGI hacking?


No you haven't.

There are many ways to break in to webservers, trying only one gives you
only a feeling that you are secure. There are even books written about
this subject, so this isn't as simple as one could think.

Even people who teach or sell security services or products get
sometimes their websites hacked. Most of it happens via forms or by
using known security holes in software they use.
Jul 17 '05 #2
Aggro wrote:
Reply Via Newsgroup wrote:
Have I tested it successfully against Form/CGI hacking?

No you haven't.

There are many ways to break in to webservers, trying only one gives you
only a feeling that you are secure. There are even books written about
this subject, so this isn't as simple as one could think.

Even people who teach or sell security services or products get
sometimes their websites hacked. Most of it happens via forms or by
using known security holes in software they use.


Thanks - I'm aware of what you have said and know there are several
methods of gaining unauthorised access to a webserver - Firewalls and
correct web server configuration can help with a more secure
environment, however when one receives data in a form, it too can be a
weakness if the data is stored and not cleaned before storing.

This is the area I want to test - I am specifically concerned with
testing that passing 'bad' data in my form won't corrupt my server.

Can you confirm that entering something like `/bin/date > /tmp/1234`
would create a temp file /tmp/1234 if I hadn't cleaned my data properly
- whereas the lack of a file confirms that I have cleaned the data.

Yes/No?
Jul 17 '05 #3
Reply Via Newsgroup wrote:
Can you confirm that entering something like `/bin/date > /tmp/1234`
would create a temp file /tmp/1234 if I hadn't cleaned my data properly
- whereas the lack of a file confirms that I have cleaned the data.

Yes/No?


No.

Like I said, you have only tested one case. And much depends on where
you use your input. One could use it for file attack, database attack,
operating system attack, attack to another server, attack to clients
that use the server, ...

I know cases where people have used flash animations as their
user-images and gained passwords from other users which have viewed
those flash animations.

I have personally tested (with permission) to use sql-injection to do
unwanted actions in the database. For example to delete data, get
passwords and usernames, etc.

I have also tested the same as what you are currently trying to stop.
i.e. not to allow user to run programs in the shell.

I also know cases when there have been nothing wrong with the php script
itself, but there has been another script on the same server that has
had a security hole. So you have been able to view the secure code via
the other script and the secure code has become insecure.

I have also tested the famous problem with php and globals. i.e.

You have a form where you ask for $username and $password and you have a
script like this:

<?php
// register_globals example: $login is never initialised, so a request
// variable named "login" can set it before the credential check runs.
if( $username == "correct" && $password == "correct" )
    $login = 1;

if( $login )
{
    // give user permission to anything
}
?>

call the php script like this: script.php?login=1
And boom, you are in.

And this is not all, this is not even all I know. And I don't even work
with the security, it is just a hobby for me.

It might even be possible that `/bin/date > /tmp/1234` doesn't do any
harm, but if you add a few more special characters to it, it might be
harmful again. It can also be possible that you can't write anything,
but you can read something, and that is almost as bad.
Jul 17 '05 #4
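The register_globals hole Aggro describes, with a fixed form beside it. This is an added example, not code from the thread; it assumes PHP 4.x with register_globals = On, and the "correct" credentials are placeholders.

```php
<?php
// Added example, not the thread's own code. Assumes PHP 4.x with
// register_globals = On, the setting that makes the ?login=1 trick work.

// --- Before: every request variable becomes a PHP global before the
// script runs, so GET login=1 pre-sets $login and the credential check
// is bypassed:
//
//   if ($username == "correct" && $password == "correct")
//       $login = 1;
//   if ($login) { /* give user permission to anything */ }

// --- After: do not rely on register_globals. Read the request explicitly,
// initialise every state variable yourself, and set it only on success.
$login = false;                                  // explicit default
$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

// Placeholder credentials; a real application compares a password hash.
if ($username === 'correct' && $password === 'correct') {
    $login = true;
}

if ($login) {
    echo "authenticated\n";
} else {
    echo "access denied\n";                      // ?login=1 now lands here
}
?>
```

Turning the setting off (register_globals = Off in php.ini, or php_flag register_globals off in an Apache .htaccess) closes the hole for scripts you cannot rewrite.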
Here are a couple pages, do some searching on google and you will find more
info.

http://httpd.apache.org/docs/misc/security_tips.html
http://www.devarticles.com/c/a/Perl/...e-CGI-scripts/

"Reply Via Newsgroup" <re****************@please.com> wrote in message
news:Vfz3c.11395$Up2.3469@pd7tw1no...

Folks,

I am using Apache 1.3.x with PHP 4.3.x and MySQL v4.

Short question:
Before I put my web form available on the internet, how can I test it
from mis-use in such that special characters are ignored? I have tried
entering data such as `/bin/date > /tmp/1234` and this does not create a
temporary file (which is what I would expect, meaning that my form is safe).
Same question at greater length:
I understand how form input can be misused, and I understand that I can
clean the data input using addslashes() or by having magic_quotes turned
on. I have decided on the latter but want to ensure my form is safe and
that storing my data in my mysql database isn't open to hacking by
CGI/Form manipulation. I have tried entering data such as `/bin/date >
/tmp/1234` and this does not create a temporary file (which is what I
would expect, meaning that my form is safe).

Have I tested it successfully against Form/CGI hacking?

Thanks in advance, replies please, via the newsgroup,

randell d.

Jul 17 '05 #5

Aggro wrote:
Reply Via Newsgroup wrote:
Can you confirm that entering something like `/bin/date > /tmp/1234`
would create a temp file /tmp/1234 if I hadn't cleaned my data
properly - whereas the lack of a file confirms that I have cleaned the
data.

Yes/No?

No.

Like I said, you have only tested one case. And much depends on where
you use your input. One could use it for file attack, database attack,
operating system attack, attack to another server, attack to clients
that use the server, ...

I know cases where people have used flash animations as their
user-images and gained passwords from other users which have viewed
those flash animations.

I have personally tested (with permission) to use sql-injection to do
unwanted actions in the database. For example to delete data, get
passwords and usernames, etc.

I have also tested the same as what you are currently trying to stop.
i.e. not to allow user to run programs in the shell.

I also know cases when there have been nothing wrong with the php script
itself, but there has been another script on the same server that has
had a security hole. So you have been able to view the secure code via
the other script and the secure code has become insecure.

I have also tested the famous problem with php and globals. i.e.

You have a form where you ask for $username and $password and you have a
script like this:

<?php
// register_globals example: $login is never initialised, so a request
// variable named "login" can set it before the credential check runs.
if( $username == "correct" && $password == "correct" )
    $login = 1;

if( $login )
{
    // give user permission to anything
}
?>

call the php script like this: script.php?login=1
And boom, you are in.

And this is not all, this is not even all I know. And I don't even work
with the security, it is just a hobby for me.

It might even be possible that `/bin/date > /tmp/1234` doesn't do any
harm, but if you add a few more special characters to it, it might be
harmful again. It can also be possible that you can't write anything,
but you can read something, and that is almost as bad.

I'm pretty sure you're trying to help me - but you're giving me answers
not directly related to the question I asked.

I'm not asking about
- flash animations,
- security access or bugs related to GLOBALS being switched on
- security weakness available to clients on the same network
- or sql-injection type vulnerabilities
- file uploads

I want to test that when data is transported from my HTML form, to my
MySQL database that the data does not get some form of ability to
execute code which I believe could be made possible via hooks or some
other special character. I am pretty sure I clean my data, but I would
like to test it with the hack.

I am not going to take comfort in the fact that by confirming this hole
is closed that I am safe - I merely want to test for this specific weakness.

Can you help?
Jul 17 '05 #6
news wrote:
Here are a couple pages, do some searching on google and you will find more
info.

http://httpd.apache.org/docs/misc/security_tips.html
http://www.devarticles.com/c/a/Perl/...e-CGI-scripts/


That should help - thanks.

randelld
Jul 17 '05 #7
You should also keep in mind that the things you want to be careful for vary
with the context of the form. If it is something you are going to echo back
to the browser, you do not care if somebody uses a semicolon; the semicolon
is a legitimate punctuation mark. On the other hand, if this is getting
passed to MySQL or something else that attributes special meaning to the
semicolon, then you need to be careful.

What I am saying is, in order to make sure your form is safe, you have to
consider the context. So, what are you trying to do with this form? Is it
going to be used in a SQL query or what?
Jul 17 '05 #8
Joshua Beall wrote:
You should also keep in mind that the things you want to be careful for vary
with the context of the form. If it is something you are going to echo back
to the browser, you do not care if somebody uses a semicolon; the semicolon
is a legitimate punctuation mark. On the other hand, if this is getting
passed to MySQL or something else that attributes special meaning to the
semicolon, then you need to be careful.

What I am saying is, in order to make sure your form is safe, you have to
consider the context. So, what are you trying to do with this form? Is it
going to be used in a SQL query or what?


Yes Yes Yes!

At last - someone who seems to know where I am coming from - This is
specifically what I am concerned about (that characters might be
mis-interpreted as a command as opposed to ordinary data). I believe I
have managed to cover my ass but I'd like to test, safely.

Any ideas?
Jul 17 '05 #9
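A safe way to run the test randell asks for, following Joshua's point that the handling depends on the context the value ends up in: escape for the context, then round-trip the value through MySQL and check it comes back byte-for-byte unchanged. This is an added example, not code from the thread; it assumes PHP 4.3 with the mysql extension, a table named notes, and placeholder connection details.

```php
<?php
// Added example, not code from the thread. Assumes PHP 4.3 with the mysql
// extension and a table  notes(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)
// in a test database; the connection details are placeholders.

// Constructed probe value: quotes, a semicolon, a backslash, an HTML tag and
// shell metacharacters. None of these is "bad" on its own; what matters is
// the context the value is used in.
$probe = "O'Reilly; \"x\" \\ <b>tag</b> `/bin/date > /tmp/1234` \$(id)";

// SQL context: escape for MySQL's string syntax so the value can only ever
// be data, then read it back. A round trip that returns the identical string
// shows nothing was executed and nothing was mangled (magic_quotes/addslashes
// would be the wrong tool here; they do not know the connection's charset).
function store_and_read_back($link, $value) {
    $sql = "INSERT INTO notes (body) VALUES ('"
         . mysql_real_escape_string($value, $link) . "')";
    if (!mysql_query($sql, $link)) {
        return false;
    }
    $id  = mysql_insert_id($link);
    $res = mysql_query("SELECT body FROM notes WHERE id = " . (int) $id, $link);
    $row = mysql_fetch_assoc($res);
    return $row['body'];
}

$link = mysql_connect('localhost', 'db_user', 'db_password');   // placeholders
mysql_select_db('testdb', $link);

$back = store_and_read_back($link, $probe);
echo ($back === $probe) ? "SQL: stored as plain data, unchanged\n"
                        : "SQL: value altered or rejected, check escaping\n";

// HTML context: the same stored value echoed to a browser must be entity
// encoded, otherwise the <b> (or a <script>) tag is interpreted client-side.
echo '<p>' . htmlspecialchars($back, ENT_QUOTES) . "</p>\n";

// Shell context: if the value is ever handed to a program, quote it as one
// argument; the backticks, > and $( ) then stay literal text, not syntax.
$cmd = '/bin/echo ' . escapeshellarg($back);
echo "shell command would be: $cmd\n";
?>
```

The absence of /tmp/1234 after submitting the form only shows the value never reached a shell; the round trip above checks the thing actually being tested, that MySQL received the characters as data.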
