
PHP code scraping

Posted: Tue Mar 21, 2006 4:40 am
by pwhitrow
Hi,

First post here, so be gentle!!

I was recently asked a question to which I could not give a definitive answer, so thought it would be good to get the community's input.

If a user was to create a file (e.g., settings.php) with a PHP variable in it (e.g., $pass='blahblah';), how easy is it for a hacker to obtain this?

I have tried myself with some page scraping code and successfully could not retrieve the value.

Thoughts?

Paul

Posted: Tue Mar 21, 2006 5:04 am
by Maugrim_The_Reaper
Get a shared host account on the same server and try a few Perl, PHP or other language scripts to see if you can read the file. ;)

No, it shouldn't be possible using PHP from outside the webserver. The file has no connection to an echo() or print() function.

Sometimes it's possible to grab the file using anonymous FTP if the host is badly configured and the file is world-readable in an executable directory - usually 777.

Read a PHP or other security book regarding the web for things to check for in securing any server environment.

Posted: Tue Mar 21, 2006 5:05 am
by Maugrim_The_Reaper
In case it wasn't obvious - the file itself is faultless. Any exploit would be on the server it's being hosted from, and the user permissions set.
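
An added example, not part of the original thread: a small shell audit for the server-side conditions mentioned in the replies above, namely PHP files that any local account can read and directories left world-writable (such as 777). The function names and the web root path passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for the permission problems discussed above.
# Call as: audit_webroot /path/to/webroot   (path is chosen by the caller)

# List PHP files whose "other" read bit is set, i.e. readable by every
# local account on the host, including other customers on a shared server.
world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004 -print | sort
}

# List directories whose "other" write bit is set (mode 777 is the usual case).
world_writable_dirs() {
    find "$1" -type d -perm -002 -print | sort
}

# Print tagged findings. Returns 0 if clean, 1 if anything was found,
# 2 if the argument is not a directory.
audit_webroot() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    findings=$(
        world_readable_php "$root"  | sed 's/^/WORLD-READABLE  /'
        world_writable_dirs "$root" | sed 's/^/WORLD-WRITABLE  /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

A file flagged here can usually be tightened to owner plus web-server group (for example mode 640), provided the PHP process still has read access through one of those two.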

Posted: Tue Mar 21, 2006 5:45 am
by pwhitrow
That's what I thought.

Thanks for your help guys.