From: James E. F. <jf...@ac...> - 2002-06-18 13:12:43
On Mon, 17 Jun 2002, randall ehren wrote:
> also, for /public/*.php files -
>
> randall@web[/www/phpesp/public]% diff survey.php.dist survey.php
> 3c3
> < require('/usr/local/lib/php/contrib/phpESP/admin/phpESP.ini');
> ---
> > require("../admin/phpESP.ini");
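Review bot: the relative require("../admin/phpESP.ini") at line 3 of survey.php only resolves when admin/ sits beside public/ under the web root, which is the layout in which the web server can hand phpESP.ini (database host, user and password) to anyone who requests it, as the rest of this reply points out; it is also fragile, because PHP resolves a "../" path against the include path and the current working directory rather than the script's own location, so the file actually loaded can change with how the script is invoked. Keep an absolute path to an install directory outside htdocs, and if the goal is to avoid editing many files, factor that one path into a single constant near the top of each copied entry point rather than switching to relative paths.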
>
> doesn't that seem better?
No it does not. I have tried to make phpESP as secure as
possible. I don't want phpESP to open up holes to your
system, and you probably don't either. One of the best ways
to protect php scripts is to place them in a location that
is not accessible from the web. What I mean is, the main
body of any complicated php script should be *outside* of
your "htdocs" (or whatever) directory. That way you can
ensure that entry into the script is through a limited
number of points, and you only have to do security/sanity
checks there. For this reason, I suggest installing phpESP
in /usr/local/lib/php/contrib/phpESP, which is most
certainly outside of htdocs. Then you only copy the few
known entry points (public/handler*, admin/manage.php) to
some location in your htdocs. Because of this, it is
impossible to use relative pathnames in the public/* and
manage.php files. Does everyone understand this?
The naive user does this:
cd /usr/local/www/htdocs
tar -zxf ~/phpESP-1.4.tar.gz
vi phpESP-1.4/admin/phpESP.ini
mozilla http://mysite.com/phpESP-1.4/admin/manage.php
Wow, that was easy huh? But what about when someone notices
they are using phpESP, looks at the source and says humm:
mozilla http://mysite.com/phpESP-1.4/admin/phpESP.ini
mysql -h mysite.com -u phpESP -p phpESP
> DELETE FROM survey;
> ...
Several people have unzipped their fly with phpESP.ini
already. I've checked personally, every time someone asks a
question and posts some URL to the list or to me with
"phpESP/admin" in the URL I warn them they are exposing
themselves. (Are you Randall? It sure looks like it to me:
randall@web[/www/phpesp/public])
One step that has been mentioned is changing phpESP.ini to
something .php so that if it is accessible via a URL it
will get executed by PHP and be a harmless blank page. This
is treating the *symptoms* not the *problem*. I don't want
to promote bad security practices. I will not apply your
patch, unless it addresses these issues. Sorry to rant, but
there seem to be very few PHP coders who know jack about
security.
-James
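The two layouts James contrasts above, as an added example that is not part of the original message or of phpESP itself: a POSIX shell script that builds the recommended install (library under /usr/local/lib/php/contrib/phpESP, only the entry points copied into htdocs) beside the naive one (the whole tarball unpacked under htdocs), and a check that reports whether phpESP.ini ended up somewhere the web server can serve it. The directory names and file names are taken from the thread; the sandbox directories and empty placeholder files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not phpESP's own code. Paths follow the thread; all files
# created here are empty placeholders built inside a sandbox directory.

# Absolute, symlink-free form of a path (cd + pwd -P is POSIX).
abspath() {
    if [ -d "$1" ]; then (cd "$1" && pwd -P)
    else (cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")")
    fi
}

# Returns 0 when file $1 lies outside web root $2, 1 when it is inside it.
outside_docroot() {
    f=$(abspath "$1"); root=$(abspath "$2")
    case "$f" in
        "$root"|"$root"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Number of phpESP.ini files reachable under web root $1; the goal is 0.
exposed_config_count() {
    find "$1" -type f -name 'phpESP.ini' | wc -l | tr -d ' '
}

# Recommended layout: library outside htdocs, only entry points copied in.
setup_recommended() {
    lib="$1/usr/local/lib/php/contrib/phpESP"
    docroot="$1/usr/local/www/htdocs"
    mkdir -p "$lib/admin" "$lib/public" "$docroot/phpESP"
    : > "$lib/admin/phpESP.ini"     # stays outside the web root
    : > "$lib/admin/manage.php"     # entry point
    : > "$lib/public/handler.php"   # entry point
    cp "$lib/public/handler.php" "$lib/admin/manage.php" "$docroot/phpESP/"
}

# Naive layout: the tarball unpacked directly inside htdocs.
setup_naive() {
    docroot="$1/usr/local/www/htdocs"
    mkdir -p "$docroot/phpESP-1.4/admin" "$docroot/phpESP-1.4/public"
    : > "$docroot/phpESP-1.4/admin/phpESP.ini"   # now served on request
    : > "$docroot/phpESP-1.4/admin/manage.php"
}
```

Run `exposed_config_count` against a real htdocs after any install; a non-zero result means the database credentials are one URL away.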