PHP code scraping

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

pwhitrow
Forum Newbie
Posts: 3
Joined: Tue Mar 21, 2006 4:34 am

PHP code scraping

Post by pwhitrow »

Hi,

First post here, so be gentle!!

I was recently asked a question to which I could not give a definitive answer, so thought it would be good to get the community's input.

If a user was to create a file (i.e., settings.php) with a PHP variable in it (i.e., $pass='blahblah';), how easy is it for a hacker to obtain this?

I have tried myself with some page scraping code and successfully could not retrieve the value.

Thoughts?

Paul
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Get a shared host account on the same server and try a few Perl, PHP or other language scripts to see if you can read the file. ;)

No, it shouldn't be possible using PHP from outside the webserver. The file has no connection to an echo() or print() function.

Sometimes it's possible to grab the file using anonymous FTP if the host is badly configured and the file is world-readable in an executable directory - usually 777.

Read a PHP or other security book regarding the web for things to check for in securing any server environment.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

In case it wasn't obvious - the file itself is faultless. Any exploit would be on the server it's being hosted from, and the user permissions set.
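
The permission problem described in the replies above can be checked from the account that owns the file. This shell audit is an added example, not part of the original posts; the function names `audit_config` and `reachable_by_others` and the optional `TOP` argument (the highest directory to inspect, assumed to be the account root) are hypothetical. It goes slightly beyond the thread by also testing whether the parent directories let other local accounts reach the file at all.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PHP settings file's permissions.

# Print the 10-character mode string of a path, e.g. "-rw-r--r--".
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# Succeed if every directory from FILE's parent up to TOP (assumed account
# root, default /) grants search (x) to "other", so another account can reach it.
reachable_by_others() {
    dir=$(cd "$(dirname -- "$1")" && pwd -P) || return 1
    stop=$(cd "${2:-/}" && pwd -P) || return 1
    while :; do
        case $(mode_of "$dir") in
            ?????????[xt]) ;;      # other has search permission
            *) return 1 ;;
        esac
        if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then return 0; fi
        dir=$(dirname -- "$dir")
    done
}

# audit_config FILE [TOP]: one finding per line; status 1 if any, 0 if clean.
audit_config() {
    file=$1; top=${2:-/}; rc=0
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    perms=$(mode_of "$file")
    parent=$(mode_of "$(dirname -- "$file")")
    case $perms in ???????r??)          # other-read bit set
        if reachable_by_others "$file" "$top"; then
            echo "EXPOSED: other-read and reachable: $file ($perms)"
        else
            echo "LATENT: other-read, blocked by a parent directory: $file ($perms)"
        fi
        rc=1 ;;
    esac
    case $perms in ????????w?) echo "WORLD-WRITABLE file: $file ($perms)"; rc=1 ;; esac
    case $parent in d???????w?) echo "WORLD-WRITABLE directory (777-style): $parent"; rc=1 ;; esac
    return $rc
}

# Demo on a constructed settings.php inside a private temporary directory.
demo=$(mktemp -d)
printf '%s\n' "<?php \$pass='blahblah';" > "$demo/settings.php"
chmod 644 "$demo/settings.php"; audit_config "$demo/settings.php" "$demo" || true
chmod 600 "$demo/settings.php"; audit_config "$demo/settings.php" "$demo" && echo "clean"
rm -rf "$demo"
```

A mode of 600 or 640 on the settings file, with no world-writable parent directory, produces no findings.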
pwhitrow
Forum Newbie
Posts: 3
Joined: Tue Mar 21, 2006 4:34 am

Post by pwhitrow »

That's what I thought.

Thanks for your help guys.