[PLUG] Preventing Probes Like This

Ron Chmara ronabop at gmail.com
Tue Aug 26 23:31:32 UTC 2008 

Eric Wilhelm wrote:
> # from Ronald Chmara
> # on Tuesday 26 August 2008 03:04:
>   
>> If your webroot for the application is /etc/, because your particular
>>   application is a sysadmin application, /etc/passwd being read-
>> accessible makes perfect sense.
>>     
> Yes.  I would hope you were doing some authentication in that case.  But 
> still, what I said is that you want a method for addressing filenames 
> within the webroot which throws an error when handed an out-of-bounds 
> filename.  If you actually set the webroot to /etc/ (though I wouldn't 
> do this, even if it were a sysadmin app), well that isn't 
> out-of-bounds, is it?
>   
http://us.php.net/manual/en/features.safe-mode.php#ini.open-basedir

Unfortunately, what seems at first blush to be a fairly simple thing can 
get pretty complex, pretty fast (PHP's "safe_mode" has a whole, uhm, 
history.). Putting this level of restriction on a general default 
per-apache-process level, for example, can lead to hundreds of "allowed 
directories" in the web roots on a shared server available to PHP 
processes (one directory for each vhost), with possibly multiple PEAR 
include libraries for different users, so it's really something that 
should be handled on a per-script, per-program execution cycle, level 
(as required).... back to square one, though, if the programmers simply 
can't be bothered to write more secure code, or intentionally dodge the 
built-in features designed to keep themselves from shooting at their feet.

> In the PHP case, you have a lot of core language functions which are 
> specifically designed for use in web applications, yet they all tend to 
> place convenience over security (so much so that you would think this 
> was some kind of templating language hacked together in an afternoon's 
> worth of Perl.)
"all tend to..." might be a little broad....  :D as far as "convenience 
over security", that's up to the programmer. If, for example, a 
programmer wants to use prepared statements, transactions, and 
language-specific-db-string-escaping for SQL, they can. If they want 
straight raw SQL client, convenience, and speed, and are willing to 
suffer the potential drawbacks, they can.


> So, maybe the developers which PHP attracts would actually be better off 
> with a javascript or otherwise jailed+stripped+managed framework?
>   
Yeah, they'd never get bitten by XSS bugs that way, right?... ;)

I think the challenge is in trying to write a software application 
language that doesn't allow people to easily shoot themselves in the 
foot.... yet is still powerful enough to do all of the tasks they want, 
even if that task happens to be, uhm, easily shooting one's self in the 
foot.


-Bop

More information about the PLUG mailing list