Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
by Chris Corbyn » Thu Mar 05, 2009 3:48 pm
Please post the code. You did *change* this pseudo code, right?

    echo file_get_contents($path_to_the_photo);

$path_to_the_photo won't actually exist. You need to code that. Please show us what you did.
by obay » Fri Mar 06, 2009 5:00 am
I removed the header() call and got a weird result from IE:
Firefox: random characters
IE: placeholder for an image which contains a red "X"
Opera: random characters
Chrome: random characters
All browsers fail to display the image when the header() call is present.
hmm..
by obay » Fri Mar 06, 2009 5:02 am
Chris Corbyn wrote: Please post the code. You did *change* this pseudo code, right?

    echo file_get_contents($path_to_the_photo);

$path_to_the_photo won't actually exist. You need to code that. Please show us what you did.

Yes I did. I'll post the code later tonight. I'm still at work. lol
by kaisellgren » Fri Mar 06, 2009 7:35 am
So the data was loaded correctly. Are you sure you changed the content-type header to match the filetype?
by obay » Tue Mar 10, 2009 8:39 am
The content-type header I used was

    header('Content-Type: image/jpeg');

because all photos are .jpg files.
I have 3 versions of each image: 1=small (public), 2=medium (level2 users), 3=large (level3 users).
I'll post my code below. Note this:
- header() call is present: no output
- header() call is not present: random characters
    <?php
    session_start();
    require("admin/settings.php");
    require("admin/page_functions.php");
    if (!isset($_SESSION[security_level])) $_GET[size] = 1;
    if ($_SESSION[security_level]==2) {
        if ($_GET[size]==2) if ($_GET[allow]!=md5($_SESSION[username])) $_GET[size] = 1;
        if ($_GET[size]==3) $_GET[size] = 1;
    }
    if ($_SESSION[security_level]==3) {
        //no restrictions
    }
    //header('Content-Type: image/jpeg');
    echo file_get_contents("../myphotos/".$_GET[trans]."-".$_GET[size].".jpg");
    ?>
by kaisellgren » Tue Mar 10, 2009 9:28 am
I think you should put quotes in your GET and SESSION data... $_SESSION['xxx'], $_GET['xxx']...
Can you show me an example of "random characters"?
by Mordred » Tue Mar 10, 2009 9:51 am
The code is insecure, path traversal is possible with 'trans' and sometimes with 'size'.
The $_GET['allow'] check doesn't make sense.
by obay » Tue Mar 10, 2009 10:21 am
This is the beginning of the random characters:
ÿØÿà\0JFIF\0\0\0d\0d\0\0ÿìDucky\0\0\0\0\0<\0\0\0\0€\0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0\0ÿî\0Adobe\0dÀ\0\0\0ÿÛ\0„\0 ÿÀ\0 \0ÿÄ\0Ÿ\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0!1AQ"aq‘2B#¡±RbÁr3ðÑ$áñ‚’¢CS4²ÂÒcsƒ%5E\0\0\0\0\0\0!1AQaq"2‘¡ÿÚ\0\0\0?\0þ¦†Æ\0€ ÖR ™BÏ”(ÓHAá DÀY”àr)dÊ…™Š ÁŸ0‰‘)B.õ„€@ZtŒ!!H‘«dç‚Â''XD“ ‚0ÂÌð…Æ0¥˜ \01*—û#Ò0‰‚`Œ0bòŒ$)*Œx@1\0>P…)`Ìaƒá®¤aa‰Ìa‡¤¤L³z˜P`€BˆÄ@F#.(ÒD‰ÀŒ(ƒ ƒC\0ƒ H0@ûCå4…¬¡Ä!dÊÈ¥3
truncated.
@Mordred: I'll look up path traversal. I haven't heard of it.
by Mordred » Tue Mar 10, 2009 10:28 am
In short, it means that with creative use of ../ and %00 in the parameters in question, one will be able to read any file on the host that is readable by the Apache user.
The "random characters" you print are just a regular JPEG; since you don't give any MIME type for the content, it gets interpreted as text, not as JPEG. Try saving that data to a file, rename it to .jpeg and see if it's "readable" by a JPEG viewer.
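A hardened version of the handler posted earlier in the thread, added here as an illustration (it is not obay's code or any poster's). It whitelists the 'trans' name so that '../' and a %00 (NUL) byte are rejected outright, clamps 'size' by the session level instead of trusting a client-supplied 'allow' token, confirms the resolved path is still inside the photo directory, and only sends the Content-Type once it knows no output was started earlier. It assumes PHP 5.4+ (for http_response_code) and the same ../myphotos/<trans>-<size>.jpg layout and $_SESSION['security_level'] values as the thread.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 5.4+ and the
// thread's layout: ../myphotos/<trans>-<size>.jpg, $_SESSION['security_level'] in 1..3.
session_start();
// Largest size each session level may fetch; level 0 = no session (anonymous).
$maxSizeForLevel = [0 => 1, 1 => 1, 2 => 2, 3 => 3];
$level = isset($_SESSION['security_level']) ? (int) $_SESSION['security_level'] : 0;
$trans = isset($_GET['trans']) ? $_GET['trans'] : '';
$size  = isset($_GET['size']) ? (int) $_GET['size'] : 1;
// 1. Whitelist the identifier: letters, digits and underscore only. This rejects
//    '../', a decoded %00 byte and anything else that is not a bare file name.
if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $trans)) {
    http_response_code(400);
    exit;
}
// 2. Clamp the requested size to what the session level allows; the server-side
//    level is the authority, not a token the client can pass in the URL.
$maxSize = isset($maxSizeForLevel[$level]) ? $maxSizeForLevel[$level] : 1;
if ($size < 1 || $size > $maxSize) {
    $size = 1;
}
// 3. Resolve the path and confirm the file still lives inside the photo directory
//    (defence in depth on top of the whitelist; the trailing separator stops a
//    sibling directory such as "myphotos2" from passing the prefix check).
$photoDir = realpath(__DIR__ . '/../myphotos');
$file     = realpath($photoDir . '/' . $trans . '-' . $size . '.jpg');
if ($photoDir === false || $file === false
    || strpos($file, $photoDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit;
}
// 4. If an include already emitted output (a BOM, stray whitespace), header()
//    cannot take effect and the bytes would be corrupted; fail loudly instead.
if (headers_sent($f, $l)) {
    error_log("image.php: output already started at $f:$l");
    http_response_code(500);
    exit;
}
$bytes = file_get_contents($file);
// 5. Sanity check: a JPEG starts with the SOI marker FF D8 FF (the "ÿØÿ" shown
//    in the thread); anything else means the stored file itself is damaged.
if (substr($bytes, 0, 3) !== "\xFF\xD8\xFF") {
    error_log("image.php: $file does not start with a JPEG SOI marker");
    http_response_code(500);
    exit;
}
header('Content-Type: image/jpeg');
header('Content-Length: ' . strlen($bytes));
echo $bytes;
```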
by kaisellgren » Tue Mar 10, 2009 10:39 am
Mordred wrote: The "random characters" you print are just a regular JPEG; since you don't give any MIME type for the content, it gets interpreted as text, not as JPEG. Try saving that data to a file, rename it to .jpeg and see if it's "readable" by a JPEG viewer.

This is the point where it gets weird: he used header('content-type: image/jpeg'); and according to him, it did not work.
by obay » Tue Mar 10, 2009 11:05 am
I tried saving it as .jpg, and it can't be opened by my image viewer, not even as a thumbnail in Windows Explorer.
Must be a problem with the server? Cos everything works fine in my local setup.
*sigh*
by kaisellgren » Tue Mar 10, 2009 11:16 am
obay wrote: I tried saving it as .jpg, and it can't be opened by my image viewer, not even as a thumbnail in Windows Explorer.
Must be a problem with the server? Cos everything works fine in my local setup.

Ok, so the image files are corrupted in one way or another.. hard to say why. Maybe they got corrupted during the upload process.