
SecurityRules

fopen


3 reasons not to use fopen to read URLs:

  • if the URL is not syntax-checked, one can read local files
  • if the webserver is behind a firewall (intranet) and restricted to using a proxy, it simply does not work (don't think that this is a rare case!)
  • if the webserver is behind or part of a firewall (intranet or DMZ), one can read contents of the internal network (http://localhost:631 to get the CUPS management page, for example).

exec, system & others


Calls to execute external programs should be avoided if possible. If they cannot be avoided, all parameters, input and output should be checked for consistency.
Example attack:
{CODE(ln=>0,colors=>phpsource,wrap=>0,wiki=>1)}
// deliberately vulnerable: the request parameter goes straight into a shell command
$a = $_REQUEST['input'];
passthru("/bin/echo $a");
{CODE}
If someone adds ?input=bla;/bin/ls to the URL, they can read the local directory.
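The two rules above (URL checking before fopen, and input checking plus quoting before an external program) put into code, as an added example that is not part of the original page; the function names allowed_url and safe_echo, the host allowlist and the token pattern are assumptions made for the example.

```php
<?php
// Added example, not code from the SecurityRules page. Function names,
// the allowlist and the input pattern are constructed for illustration.

// Rule 1: never hand a user-supplied URL straight to fopen().
// Accept only http/https and only hosts on an explicit allowlist, so
// file:///etc/passwd and http://localhost:631 (the CUPS case) are refused.
function allowed_url(string $url, array $allowed_hosts): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;               // garbage, local paths, scheme-less input
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;               // file://, php://, ftp:// and friends
    }
    // loopback and internal hosts are simply never put on the allowlist
    return in_array(strtolower($p['host']), $allowed_hosts, true);
}

// Rule 2: when an external program cannot be avoided, validate the
// parameter against what it is supposed to be AND pass it as one
// quoted argument; never interpolate it into the command string.
function safe_echo(string $input): string {
    // constructed rule: this parameter is only ever a short token
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $input)) {
        throw new InvalidArgumentException('input rejected');
    }
    // escapeshellarg() is the second line of defence: even if the check
    // above were loosened, "bla;/bin/ls" would reach echo as one argument.
    $cmd = '/bin/echo ' . escapeshellarg($input);
    return (string) shell_exec($cmd);
}

// Demonstration with constructed inputs.
$hosts = ['www.example.org'];
var_dump(allowed_url('http://www.example.org/feed.xml', $hosts));
var_dump(allowed_url('file:///etc/passwd', $hosts));
var_dump(allowed_url('http://localhost:631/', $hosts));
echo safe_echo('bla');
try {
    safe_echo('bla;/bin/ls');   // rejected before any shell is started
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```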


Page last modified on Tuesday 01 February 2005 10:23:22 GMT-0000
