What CHMOD to use?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: What CHMOD to use?

Post by Chris Corbyn »

Please post the code. You did *change* this pseudo code, right?

Code:

    echo file_get_contents($path_to_the_photo);

$path_to_the_photo won't actually exist. You need to code that. Please show us what you did.
obay
Forum Newbie
Posts: 17
Joined: Sun Mar 01, 2009 1:04 pm

Re: What CHMOD to use?

Post by obay »

I removed the header() call and got a weird result from IE:

Firefox: random characters
IE: placeholder for an image which contains a red "X"
Opera: random characters
Chrome: random characters

No browser can display the image when the header() call is present.

hmm..
obay
Forum Newbie
Posts: 17
Joined: Sun Mar 01, 2009 1:04 pm

Re: What CHMOD to use?

Post by obay »

Chris Corbyn wrote: Please post the code. You did *change* this pseudo code, right?

Code:

    echo file_get_contents($path_to_the_photo);

$path_to_the_photo won't actually exist. You need to code that. Please show us what you did.

Yes, I did. I'll post the code later tonight. I'm still at work. lol
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What CHMOD to use?

Post by kaisellgren »

So the data was loaded correctly. Are you sure you changed the content-type header to match the filetype?
obay
Forum Newbie
Posts: 17
Joined: Sun Mar 01, 2009 1:04 pm

Re: What CHMOD to use?

Post by obay »

The Content-Type header I used was

Code:

    header('Content-Type: image/jpeg');

because all photos are .jpg files.

I have 3 versions for each image: 1 = small (public), 2 = medium (level 2 users), 3 = large (level 3 users).

I'll post my code below. Note this:
- header() call is present: no output
- header() call is not present: random characters

Code:

<?php
session_start();
require("admin/settings.php");
require("admin/page_functions.php");
 
if (!isset($_SESSION[security_level])) $_GET[size] = 1;
 
if ($_SESSION[security_level]==2) {
    if ($_GET[size]==2) if ($_GET[allow]!=md5($_SESSION[username])) $_GET[size] = 1;
    if ($_GET[size]==3) $_GET[size] = 1;
}
 
if ($_SESSION[security_level]==3) {
    //no restrictions
}
 
//header('Content-Type: image/jpeg');
echo file_get_contents("../myphotos/".$_GET[trans]."-".$_GET[size].".jpg");
 
?>
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What CHMOD to use?

Post by kaisellgren »

I think you should put quotes in your GET and SESSION data... $_SESSION['xxx'], $_GET['xxx']...

Can you show me an example of "random characters"?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: What CHMOD to use?

Post by Mordred »

The code is insecure, path traversal is possible with 'trans' and sometimes with 'size'.
The $_GET['allow'] check doesn't make sense.
obay
Forum Newbie
Posts: 17
Joined: Sun Mar 01, 2009 1:04 pm

Re: What CHMOD to use?

Post by obay »

This is the beginning of the random characters:

Code:

    ÿØÿà\0JFIF\0\0\0d\0d\0\0ÿìDucky\0\0\0\0\0<\0\0\0\0€\0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0\0ÿî\0Adobe\0dÀ\0\0\0ÿÛ\0„\0      ÿÀ\0 \0ÿÄ\0Ÿ\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \0!1AQ"aq‘2B#¡±RbÁr3ðÑ$áñ‚’¢CS4²ÂÒcsƒ%5E\0\0\0\0\0\0!1AQaq"2‘¡ÿÚ\0\0\0?\0þ¦†Æ\0€ ÖR ™BÏ”(ÓHAá DÀY”àr)dÊ…™Š ÁŸ0‰‘)B.õ„€@ZtŒ!!H‘«dç‚Â''XD“ ‚0ÂÌð…Æ0¥˜ \01*—û#Ò0‰‚`Œ0bòŒ$)*Œx@1\0>P…)`Ìaƒá®¤aa‰Ìa‡¤¤L³z˜P`€BˆÄ@F#.(ÒD‰ÀŒ(ƒ ƒC\0ƒ H0@ûCå4…¬¡Ä!dÊÈ¥3

truncated.

@Mordred: I'll look up path traversal. I haven't heard of it.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: What CHMOD to use?

Post by Mordred »

In short, it means that with creative use of ../ and %00 in the parameters in question, one will be able to read any file on the host that is readable by the Apache user.

The "random characters" you print are just a regular JPEG; since you don't give any MIME type for the content, it gets interpreted as text, not as a JPEG. Try saving that data to a file, rename it to .jpeg and see if it's "readable" by a JPEG viewer.
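The two points Mordred raises (the traversal through `trans`/`size`, and the fact that the printed bytes are an ordinary JPEG) are easier to see next to each other in code. The block below is an added example, not obay's script or anything from this forum: it keeps the posted path builder as the "before" and puts a hardened version beside it. It assumes the layout from the thread (`../myphotos/<trans>-<size>.jpg`, the session key `security_level`, sizes 1 to 3) and PHP 7.1 or later for the nullable return type; `safe_photo_path`, `serve_photo` and the `PHOTO_DIR` constant are names chosen here. The `$_GET['allow']` token is dropped, since it is supplied by the client and computed from a value the client already knows. On PHP before 5.3.4, which did not yet reject NUL bytes in filesystem paths, a `%00` in `size` would also cut off the appended `-N.jpg` suffix, which is the "sometimes with size" case.

```php
<?php
// Added example (not the original poster's code). Assumes the thread's layout:
// ../myphotos/<trans>-<size>.jpg and a 'security_level' session key.
declare(strict_types=1);

const PHOTO_DIR = __DIR__ . '/../myphotos'; // assumption: same layout as the post

// As posted: both request parameters are concatenated straight into the path.
//   trans=../admin/settings.php  walks out of myphotos/
//   size=%00                     truncated the "-1.jpg" suffix on PHP < 5.3.4
function unsafe_photo_path(string $trans, string $size): string
{
    return PHOTO_DIR . '/' . $trans . '-' . $size . '.jpg';
}

// Hardened: allow-list the inputs, authorize by default deny, and confirm the
// resolved file is still inside PHOTO_DIR. Returns null when the request must
// be refused.
function safe_photo_path(array $get, array $session): ?string
{
    // 1. Identifier may only contain [A-Za-z0-9_-]: no dots, slashes or NUL.
    //    /D stops "$" from accepting a trailing newline.
    $trans = $get['trans'] ?? '';
    if (!is_string($trans) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/D', $trans)) {
        return null;
    }

    // 2. Only the three known variants exist (filter_var rejects arrays too).
    $size = filter_var($get['size'] ?? 1, FILTER_VALIDATE_INT);
    if ($size === false || !in_array($size, [1, 2, 3], true)) {
        return null;
    }

    // 3. Authorization as "level => largest size allowed". Anything not in the
    //    table (no session, level 1, garbage) gets the public size. The posted
    //    code only checked levels 2 and 3, so any other value went unrestricted.
    $maxSize = [2 => 2, 3 => 3];
    $level   = (int) ($session['security_level'] ?? 0);
    if ($size > ($maxSize[$level] ?? 1)) {
        $size = 1; // downgrade to the public version, as the original intended
    }

    // 4. Belt and braces: realpath containment. The trailing separator rules
    //    out a sibling directory such as "myphotos2/".
    $base = realpath(PHOTO_DIR);
    $path = realpath(PHOTO_DIR . '/' . $trans . '-' . $size . '.jpg');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The bytes the thread saw printed, "ÿØÿà..JFIF", are the JPEG SOI marker
// FF D8 FF E0 rendered as Latin-1 text, so the data was a JPEG all along.
// Checking the signature here refuses anything that is not one.
function serve_photo(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    if (fread($fh, 3) !== "\xFF\xD8\xFF") {
        fclose($fh);
        return false;
    }
    rewind($fh);
    // header() must run before any output; a stray blank line or UTF-8 BOM
    // ahead of "<?php" in an included file already counts as output.
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    fpassthru($fh);
    fclose($fh);
    return true;
}

if (PHP_SAPI === 'cli') {
    // Offline check with a constructed attacker request: the posted builder
    // escapes the photo directory, the hardened resolver refuses it.
    $evil = ['trans' => '../admin/settings.php', 'size' => "\0"];
    echo addcslashes(unsafe_photo_path($evil['trans'], $evil['size']), "\0"), PHP_EOL;
    var_dump(safe_photo_path($evil, ['security_level' => 3]));
} else {
    session_start();
    $path = safe_photo_path($_GET, $_SESSION);
    if ($path === null || !serve_photo($path)) {
        http_response_code(404);
    }
}
```

Run it from the command line to see the unsafe path land on `admin/settings.php` while the hardened resolver returns null; under a web server it serves the photo or answers 404. The allow-list on `trans` is what actually closes the traversal; the `realpath` comparison is there so that a later change to the filename scheme cannot silently reopen it.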
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What CHMOD to use?

Post by kaisellgren »

Mordred wrote: The "random characters" you print are just a regular JPEG; since you don't give any MIME type for the content, it gets interpreted as text, not as a JPEG. Try saving that data to a file, rename it to .jpeg and see if it's "readable" by a JPEG viewer.

This is the point where it gets weird: he used header('content-type: image/jpeg'); and, according to him, it did not work.
obay
Forum Newbie
Posts: 17
Joined: Sun Mar 01, 2009 1:04 pm

Re: What CHMOD to use?

Post by obay »

I tried saving it as .jpg, and it can't be opened by my image viewer, not even the thumbnail in Windows Explorer.

Must be a problem with the server? 'Cos everything works fine in my local setup.

*sigh*
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: What CHMOD to use?

Post by kaisellgren »

obay wrote: I tried saving it as .jpg, and it can't be opened by my image viewer, not even the thumbnail in Windows Explorer.

Must be a problem with the server? 'Cos everything works fine in my local setup.

OK, so the image files are corrupted one way or another; hard to say why. Maybe they got corrupted during the upload process.