trying to crack my own system

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana


Post by s.dot »

K, so I've developed a good random way to generate unique filenames.

So, to test how unique they are, I'm trying to write a script that will "crack" the filename if you will.

What I'm doing is putting a bunch of letters and numbers into an array, using shuffle() to randomize them, pull out a set number of letters and numbers, and then run it through a huge while loop.

Here's an example (a basic one so you can get the idea)

Code:

$user = "joebob";
$dir = "http://www.domain.com/picdir/$user";

$array = array("1","2","3");

for($i=0; $i<99999999; $i++)
{
   shuffle($array);
   $rand = $array[1].$array[2].$array[3];

   $pic = $dir.$rand.".jpg";
   if(@getimagesize($pic))
   {
       // show picture
   }
}
This brings me to two questions. If someone other than me were to run this script, would my server log it anywhere? Since it's being massively tested for getimagesize(), I would want to know if someone were trying something like this.

And #2, is there anything faster than getimagesize() for testing purposes? Running that loop takes a while. I've tried if(file_exists()), but it doesn't seem to work with URLs.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
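On the first question: yes, every request that loop makes reaches the web server as an ordinary HTTP GET and lands in the access log like any other hit, and because almost every guessed name does not exist, the trail is a burst of 404s from one client under the same directory. The following is an added PHP 7.1+ example, not code from the thread, that looks for exactly that pattern in Apache combined-format log lines. The log lines are constructed sample data; the IP addresses, paths and threshold values are assumptions for the demonstration.

```php
<?php
// Added example: flag clients that produce many 404s under one directory in a
// short window, which is what a filename-guessing loop looks like in the log.
// Constructed sample lines (combined log format); the guessing client sends no
// Referer and no User-Agent, which is itself a useful hint.
$sampleLog = <<<'LOG'
203.0.113.5 - - [13/May/2006:14:02:01 +0000] "GET /picdir/joebob123.jpg HTTP/1.0" 404 512 "-" "-"
203.0.113.5 - - [13/May/2006:14:02:01 +0000] "GET /picdir/joebob132.jpg HTTP/1.0" 404 512 "-" "-"
203.0.113.5 - - [13/May/2006:14:02:02 +0000] "GET /picdir/joebob213.jpg HTTP/1.0" 404 512 "-" "-"
203.0.113.5 - - [13/May/2006:14:02:02 +0000] "GET /picdir/joebob231.jpg HTTP/1.0" 404 512 "-" "-"
203.0.113.5 - - [13/May/2006:14:02:03 +0000] "GET /picdir/joebob312.jpg HTTP/1.0" 200 48213 "-" "-"
198.51.100.7 - - [13/May/2006:14:05:10 +0000] "GET /picdir/joebob312.jpg HTTP/1.1" 200 48213 "http://www.domain.com/album" "Mozilla/5.0"
198.51.100.7 - - [13/May/2006:14:05:11 +0000] "GET /picdir/joebob999.jpg HTTP/1.1" 404 512 "http://www.domain.com/album" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into its fields, or return null if it does not match. */
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $when = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($when === false) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $when->getTimestamp(),
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int)$m[5],
        'referer' => $m[7],
        'agent'   => $m[8],
    ];
}

/**
 * Return [ip => count] for clients with at least $threshold 404 responses under
 * $prefix inside any $window-second span (sliding window over sorted timestamps).
 */
function findGuessingClients(string $log, string $prefix, int $threshold, int $window): array
{
    $misses = [];   // ip => timestamps of 404s under $prefix
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseCombinedLine($line);
        if ($r === null || $r['status'] !== 404 || strpos($r['path'], $prefix) !== 0) {
            continue;
        }
        $misses[$r['ip']][] = $r['time'];
    }

    $flagged = [];
    foreach ($misses as $ip => $times) {
        sort($times);
        $n = count($times);
        $j = 0;
        for ($i = 0; $i < $n; $i++) {
            // advance $j to the first miss more than $window seconds after miss $i
            while ($j < $n && $times[$j] - $times[$i] <= $window) {
                $j++;
            }
            if ($j - $i >= $threshold) {
                $flagged[$ip] = $j - $i;
                break;
            }
        }
    }
    return $flagged;
}

// 203.0.113.5 produced four 404s within two seconds and is flagged;
// 198.51.100.7 had a single typo-style miss and is not.
print_r(findGuessingClients($sampleLog, '/picdir/', 4, 60));
```

Run it as a cron job over the rotated access log, or point it at the live log with a much larger threshold; the window and threshold are the knobs that separate a guessing loop from a user who mistyped one URL.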
Skara
Forum Regular
Posts: 703
Joined: Sat Mar 12, 2005 7:13 pm
Location: US

Post by Skara »

Rather than pick out what to work with in the beginning, then trying to randomize it with a giant loop, try getting the numbers from something that's actually "random." I don't really see the point in that loop.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

That's going to have a max of 6 variations, and you cannot guarantee that it will try every variation (I know it is only an example, but the point is still valid :) ):

123.jpg
321.jpg
231.jpg
132.jpg
312.jpg
213.jpg

The following is a brute force attempt:

Code:

$user = "joebob";
$dir = "http://www.domain.com/picdir/$user";
for ($i = 0; $i <= 999; $i++) {
    $pic = substr("00$i", -3) . ".jpg";   // zero-pad to three digits: 000 .. 999
    if(@getimagesize($dir.$pic)) {
        //show pic
        break;                              // stop at the first hit
    }
}
:)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

6 variants, but only a 5 character filename.. (zero based array) ;)
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Well this is how I'm naming my files

Code:

$extension = ".jpg";
// all 26 lowercase letters and all 26 uppercase letters
$letters = array_merge(range("a", "z"), range("A", "Z"));
shuffle($letters);

$rand = $letters[0].$letters[1].$letters[2].$letters[3].$letters[4].$letters[5];
$time = time();

$filename = $time.$rand.$extension;
Pretty secure?
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Is there any particular reason why you are not just restricting the access to yourself?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Given that the first part of the filename is time() I can narrow that part right down very quickly in a brute force... that leaves me with 5 more characters.... it wouldn't take long to brute force at all ;)

Why not just use apache to prevent hotlinking or whatever it is you're trying to achieve?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Remember, security through obscurity is not good security :P.. only obscure
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

d11wtq is right. If you really need a random string of characters, use something like...

Code:

function randString($length=16){
    $newstring="";
    for($i=0;$i<$length;$i++) {
        $randnum = mt_rand(0,61);           // 0..61 covers 10 digits + 26 + 26 letters
        if ($randnum < 10) {
            $newstring.=chr($randnum+48);   // 0-9   -> '0'..'9'
        } elseif ($randnum < 36) {
            $newstring.=chr($randnum+55);   // 10-35 -> 'A'..'Z'
        } else {
            $newstring.=chr($randnum+61);   // 36-61 -> 'a'..'z'
        }
    }
    return $newstring;
}
Which returns a readable random string.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Make sure you check if the file name already exists, never know...
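The two points above (use a properly random string rather than time() plus a shuffle, and make sure the name does not already exist) as one added PHP 7.1+ example; this is not code from the thread. It uses random_bytes(), PHP's cryptographically secure generator, in place of mt_rand(), whose output is not suitable for secrets: a 16-byte name carries 128 bits, whereas six letters from 52 carry log2(52^6), about 34 bits, and a time() prefix carries only as many bits as the attacker's uncertainty about the upload time. The exists-check is folded into the creation with fopen() mode 'x', which fails if the file is already there, so there is no window between checking and creating. $uploadDir is an assumed directory outside DocumentRoot.

```php
<?php
// Added example: unpredictable upload names with an atomic exists-check.

/** 128 bits from the CSPRNG, hex-encoded so the name is safe on any filesystem. */
function unpredictableName(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

/**
 * Reserve a fresh random filename in $uploadDir and return its full path.
 * fopen() mode 'x' creates the file only if it does not exist, so the
 * "does it exist?" test and the creation are a single step.
 */
function createUniqueFile(string $uploadDir, string $extension = '.jpg', int $attempts = 5): string
{
    if (!preg_match('/^\.[a-z0-9]{1,5}$/', $extension)) {
        throw new InvalidArgumentException('extension must look like ".jpg"');
    }
    for ($i = 0; $i < $attempts; $i++) {
        $path = rtrim($uploadDir, '/') . '/' . unpredictableName() . $extension;
        $fh = @fopen($path, 'x');          // fails (false) if the name is taken
        if ($fh !== false) {
            fclose($fh);
            return $path;
        }
        // A collision is astronomically unlikely with 128 bits; a persistent
        // failure here means a permissions or disk problem, not bad luck.
    }
    throw new RuntimeException("could not create a unique file in $uploadDir");
}

// Usage with an upload (assumed path; the reserved empty file is overwritten
// by the moved upload, which is exactly the name we just proved was free):
// $path = createUniqueFile('/var/app/private_uploads');
// move_uploaded_file($_FILES['photo']['tmp_name'], $path);
```

If the names must also be stored in a database, store the generated name and nothing else; there is no need to keep a time() component in the name at all, since the filesystem and the database both record the upload time already.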
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Well, given that there's time() which is unique every second, and 6 random letters afterward (out of 52 possible letters), I think that's pretty secure.

I'm just using this to name pictures that people choose to "lock". In other words, they upload them.. but only people they give the password to have access to this particular photo album. So, "security through obscurity" is the only way. :-P. But, given d11wtq's response, I should develop an algorithm for naming the files, instead of randomly naming them.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

scrotaye wrote:Well, given that there's time() which is unique every second, and 6 random letters afterward (out of 52 possible letters), I think that's pretty secure.

I'm just using this to name pictures that people choose to "lock". In other words, they upload them.. but only people they give the password to have access to this particular photo album. So, "security through obscurity" is the only way. :-P. But, given d11wtq's response, I should develop an algorithm for naming the files, instead of randomly naming them.
What d11wtq pointed out, is that even though it is unique, using time() is not secure.

If someone knows you made a file in the afternoon of the 13th of May, that means they only have a few hours to suss out for the first part of the filename, then the remaining 5 chars is not a challenge for brute force.

Like has been pointed out, just restrict access to the folder and don't bother with the unique naming, it'll only add confusion and not add much security.
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India

Post by n00b Saibot »

Jenk wrote:What d11wtq pointed out, is that even though it is unique, using time() is not secure.

If someone knows you made a file in the afternoon of the 13th of May, that means they only have a few hours to suss out for the first part of the filename, then the remaining 5 chars is not a challenge for brute force.
I think I read that somewhere here on the forum... :)
RaH
Forum Newbie
Posts: 2
Joined: Fri Nov 25, 2005 12:51 pm

Post by RaH »

Why not just use referrals? You could test for spoofing by inserting a session id into the referral url, and then test for validity of sess id. If you are serving up a few megs of photos to a few hundred users, the impact of that loop could DoS you.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Why not store the images out of the DocumentRoot, and pass them through a php script, let the script decide who can see the image and who can't.
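What that gatekeeper script looks like, as an added PHP 7.1+ example that is not code from the thread. Because the images live outside DocumentRoot, Apache cannot serve them directly and guessing names against the web root finds nothing; the script checks the session's authorization before it even looks at the filesystem, so an unauthorized client cannot use it as an oracle for which names exist. Assumptions: PRIVATE_DIR is an assumed path outside DocumentRoot, images are stored as PRIVATE_DIR/<album>/<name>, and $_SESSION['albums'] holds the album ids this session has unlocked (populated by whatever password form the site uses).

```php
<?php
// Added example: serve a private image only after an authorization decision.
session_start();

const PRIVATE_DIR = '/var/app/private_uploads';   // assumed path, outside DocumentRoot

/**
 * Map (album, file) to a real path inside PRIVATE_DIR, or null if the request is
 * malformed or would escape the directory. The strict character classes reject
 * "..", slashes and NUL bytes; the realpath() prefix test is a second line of
 * defence in case the rules above are ever loosened.
 */
function resolveImagePath(string $album, string $name): ?string
{
    if (!preg_match('/^[A-Za-z0-9]{1,64}$/', $album)
        || !preg_match('/^[A-Za-z0-9]{1,64}\.(jpe?g|png|gif)$/', $name)) {
        return null;
    }
    $base = realpath(PRIVATE_DIR);
    $real = realpath(PRIVATE_DIR . '/' . $album . '/' . $name);
    if ($base === false || $real === false || strpos($real, $base . '/') !== 0) {
        return null;
    }
    return $real;
}

/** The authorization decision: has this session unlocked the album? */
function sessionMayView(string $album): bool
{
    return isset($_SESSION['albums']) && in_array($album, $_SESSION['albums'], true);
}

$album = (string)($_GET['album'] ?? '');
$name  = (string)($_GET['file'] ?? '');

// Authorization first: an unauthorized client gets the same 403 whether or not
// the file exists, so it learns nothing about the names on disk.
if (!sessionMayView($album)) {
    http_response_code(403);
    exit('Forbidden');
}

$path = resolveImagePath($album, $name);
$info = ($path === null) ? false : getimagesize($path);   // also proves it is really an image
if ($info === false) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
```

The album page then links to image.php?album=...&file=... instead of a path under /picdir/, and the random filename stops being the access control; it only has to be unique.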