Page 2 of 3
Posted: Mon Sep 08, 2003 4:36 pm
by aladdinsane
Hi,
Right I have done that. It produces a long list of details but I can't see where it says what user the script runs as.
Can you help me, please? I am tearing my hair out over this!
Thanks
Keith
Posted: Mon Sep 08, 2003 5:18 pm
by Stoker
well, ok lets assume it works ok if you did in fact change permissions to private executable (0700)..
now try this:
echo '<PRE>';
passthru ('/usr/bin/gpg --homedir /home/username/.yourgpgdir --list-keys 2>&1');
(May need to change the path to gpg).
That should output a list of the public keys held, does this work?
Posted: Mon Sep 08, 2003 5:57 pm
by aladdinsane
Hi,
Yes that worked. I got a list of keys.
I had to put
echo'';
first though. Without I get malformed header errors.
Seems like we are getting somewhere!
Do go on...
Thanks
Keith
Posted: Mon Sep 08, 2003 9:24 pm
by Stoker
echo ''; would fix header probs? that is weird, sounds like that system may have the cli version of php, or the cgiwrapper is broken, try this as the first line of output instead:
echo 'Content-Type: text/html'."\r\n\r\n";
ok, so we know that gpg works now as your own user, now try this:
echo '<pre>';
passthru("echo 'test' | /usr/bin/gpg -ear touser --always-trust --homedir /home/usr/.mygpgpdir 2&>1");
where touser is the username of the receiver (no need to input full email, just the common user/nick you gave it is enough, whatever works on commandline)
what does that give?
Posted: Tue Sep 09, 2003 5:50 am
by aladdinsane
Hi,
That gives me a blank page with no output.
Edited -
I just looked via ftp and it seems to have created a file called '1' containing -
gpg: WARNING: using insecure memory!
gpg: please see
http://www.gnupg.org/faq.html for more information
gpg: fatal: ~/.gnupg: can't create directory: No such file or directory
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/16384
Keith
Posted: Tue Sep 09, 2003 6:31 am
by aladdinsane
Hi,
I think we've cracked it. I have now made a script that sends me an encrypted e-mail that when unencrypted contains the correct output.
Here is the script. Is it now secure?
Code: Select all
#!/usr/bin/php
<?
//build the message string
$msg = "Hello this is a test of my own encryption script";
//set the environment variable for GNUPGHOME
putenv("GNUPGHOME=/home/username/.gnupg");
$crypted = "/home/username/public_html/dev/coded.txt";
//invoke GNUPG to encrypt form contents
system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr keith@anemailaddress.co.uk -o $crypted");
//open file and read encrypted contents into var
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);
//delete files!
unlink($crypted);
// Build mail message and send it to target recipient.
$recipient = "keith@anemailaddress.co.uk";
$subject = "Secret Message";
$mailheaders = "From: My Web Site\n";
$mailheaders .= "Reply-To: $sender_email\n\n";
mail("$recipient", "$subject", $mail_cont, $mailheaders);
// Print confirmation to screen.
echo'';
echo "
<H1 align=center>$msg</h1>
<p align=center>Your secret message has been sent.</p>
";
?>
Many Thanks
Keith
Posted: Tue Sep 09, 2003 8:46 am
by Stoker
The reason it gave no output was that everything was sent to the file 1, I typoed, the redirection should be 2>&1 (move the ampersand)
Your script is not very secure, for instance your ar using uncontrolled text in shell execution, this is very very bad (ALWAYS use escapeshellarg), and your script may fail if more than one person is acessing it at the same time (No point wasting disk resources by writing a file either).
I would suggest that you now use the code that I posted in my first post, just correct the typo that caused the parse error, add the -t to options if you need that..
If it doesnt work, add the 2>&1 at the end to redirect errors to stdout so you can read them..
Posted: Tue Sep 09, 2003 9:27 am
by aladdinsane
Hi,
I have done a fair bit of work on the script since the last post. It now takes form input correctly. The filename contains a random element to stop trouble from more than 1 user accessing it.
What I want to do is add the escapeshellarg. But when I add this it doesn't work it show's it in the text of the e-mail.
Can someone help me write this line so it includes the escapeshellarg
system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr
keith@email.co.uk -o $crypted");
Stoker thank-you very much for all of your help on this. I really appreciate it.
Code: Select all
#!/usr/bin/php
<?
$msg ="$sender_name\n";
$msg .="$sender_email\n";
$msg .="$message";
$randomfile = rand (1, 1234567890);
$crypted = ("/home/username/public_html/dev/".$randomfile);
//invoke GNUPG to encrypt form contents
system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr keith@email.co.uk -o $crypted");
//delete variable containing user input
$msg = "";
//open file and read encrypted contents into var
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);
//delete files!
unlink($crypted);
// Build mail message and send it to target recipient.
$recipient = "keith@email.co.uk";
$subject = "Secret Message";
$mailheaders = "From: My Web Site\n";
$mailheaders .= "Reply-To: $sender_email\n\n";
mail("$recipient", "$subject", $mail_cont, $mailheaders);
// Print confirmation to screen.
echo "";
echo "
<H1 align=center>Thank You, $msg</h1>
<p align=center>Your secret message has been sent.</p>
";
?>
Posted: Tue Sep 09, 2003 9:50 am
by aladdinsane
Hi,
Some notes on my escapeshellarg problem. If I use -
$msg ="$sender_name\n";
$msg .="$sender_email\n";
$msg .="$message";
$msg = escapeshellarg($msg)
the whole script stops working properly.
If I use -
$msg ="$sender_name";
$msg .="$sender_email";
$msg .="$message";
$msg = escapeshellarg($msg)
it works but there are no line breaks in my e-mail.
How can I get around this?
Thanks
Keith
Posted: Tue Sep 09, 2003 11:01 am
by aladdinsane
Hi,
This now seems to work. Are there any more security holes to fill? One question should I be using escapeshellarg or escapeshellcmd?
Thanks
Keith
Code: Select all
#!/usr/bin/php
<?
$msg = escapeshellarg($sender_name);
$msg .="\n";
$msg .= escapeshellarg($sender_email);
$msg .="\n";
$msg .= escapeshellarg($message);
$randomfile = rand (1, 1234567890);
$crypted = ("/home/friendsh/public_html/dev/".$randomfile);
//invoke GNUPG to encrypt form contents
system("echo '$msg' | /usr/bin/gpg --homedir /home/friendsh/.gnupg --batch --always-trust -eatr keith@anemail.co.uk -o $crypted");
//empty variable containing user input
$msg = "";
//open file and read encrypted contents into var
$fd = fopen($crypted, "r");
$mail_cont = fread($fd, filesize($crypted));
fclose($fd);
//delete files!
unlink($crypted);
// Build mail message and send it to target recipient.
$recipient = "keith@anemail.co.uk";
$subject = "Secret Message";
$mailheaders = "From: My Web Site\n";
$mailheaders .= "Reply-To: $sender_email\n\n";
mail("$recipient", "$subject", $mail_cont, $mailheaders);
// Print confirmation to screen.
echo "";
echo "
<H1 align=center>Thank You, $msg</h1>
<p align=center>Your secret message has been sent.</p>
";
?>
Posted: Tue Sep 09, 2003 11:26 am
by Stoker
no no, do NOT use escapeshellarg multiple times, you take your whole complete message and do escapeshellarg ONCE to make it a single argument for the systems echo command, look at the first sample I posted.
Why are you using a hard file? There is no need to do that, it just creates a lot of operations, and from a paranoid point of viuew there is no need to write the encrypted data to disk
Posted: Tue Sep 09, 2003 12:18 pm
by aladdinsane
Hi,
I know my current script works except when I try to add the escapeshellarg in the system() call.
I saw your first post but I am unsure of how to write this code correctly. This is my first time writing a system() code and I am struggling to get this bit to work as I do not know the syntax of this.
Can you help me with the particular line I want to write because I know it works and all the options are in the correct order. This is the line I want to add the escapeshellarg () to -
Code: Select all
system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr keith@email.co.uk -o $crypted");
Incidentally does using the escapeshellarg repeatedly still work? Is the problem just that it is not efficient calling it several times?
Many Thanks
Keith
Posted: Tue Sep 09, 2003 1:29 pm
by Stoker
You are missunderstanding what escapeshellarg does and how the command line works, an argument is a single whitespace separated token, if the token contains whitespace or other control characters these must be escaped and/or enclosed in quotes, escapeshellarg does all this for you..
I rewrote your script a bit here:
Code: Select all
#!/usr/bin/php
<?php
# I dont know where you are getting $sender_name and the other variables from,
# I suspect they are from a POST request, so I there for handle them safely here.
# I assume magic quotes gpc is enabled.
# Remove these lines if those vars are from elsewhere
$sender_name = strip_tags( strip_slashes( trim( $_REQUEST['sender_name'] )));
$sender_email = strip_tags( strip_slashes( trim( $_REQUEST['sender_email'] )));
$message = strip_tags( strip_slashes( trim( $_REQUEST['message'] )));
# Done cleaning input, perhaps add some validation later?
$_REQUEST = $_POST = $_GET = array(); # Paranoid
# Email Message:
$msg = 'Name: ' . $sender_name . "\n"
. 'Email: ' . $sender_email . "\n"
. 'Message:' . "\n" . $message . "\n";
$message = ''; # Paranoid
# System Call to encrypt email content
exec('/bin/echo '. escapeshellarg ($msg)
. ' | /usr/bin/gpg --homedir /home/user/.gpgdirsomewhere '
. ' --batch --always-trust -eatr ''user@mail.co.uk''', $encoded);
$msg = ''; # Paranoid
# Build mail message and send it to target recipient.
$recipient = 'user@mail.com';
$subject = 'Secret Message';
$mailheaders = "From: My Web Site\n"
. "Reply-To: $sender_email\n";
$result = mail($recipient, $subject, implode ('',$encoded), $mailheaders);
$encoded = ''; # Paranoid
# Print confirmation to screen.
if (!$result) { /* Do something when mail was not sent */ }
else {
?>
<H1 align=center>Thank You, <?php echo htmlspecialchars($sender_name); ?></h1>
<p align=center>Your secret message has been sent.</p>
<?php
}
?>
That will not waste resources on writing useless files..
Posted: Tue Sep 09, 2003 1:44 pm
by aladdinsane
Hi,
Thanks for that.
Unfortunately there are some errors.
1) Call to underfined function strip_slashes()
Removed these lines and it gets past here and sends the e-mail.
2) The e-mail contains the data but it is all in a long line so pgp will not read it. I didn't have this problem before.
Keith
Posted: Tue Sep 09, 2003 3:51 pm
by Stoker
1) User stripslashes, a typo
2) change the mailing line to
$result = mail($recipient, $subject, implode ("\r\n",$encoded), $mailheaders);