[geeklog-devel] PHP in Static Pages
Tony Bibbs
tony at tonybibbs.com
Tue Jan 13 17:47:40 EST 2004
Dirk Haun wrote:
> echo "You can't use delete() in static pages.";
Yeah, but that is no different, IMHO, than the censorship filters we
have now to catch 'bad' words. If users are using things like
'delete()' in the static page then they would simply go to the config
and remove it if they really need it. Point is we would be erring on
the side of security yet allowing users a way to remove this checking
altogether.
>
> So the first thing to do when you hijack a static page is to delete the
> error.log from it.
>
LOL, I suppose. IMHO, you don't even have to prevent the use of any PHP
functions that may be questionable. Maybe the first place to start is
to proactively log when a page is saved by saying "hey, someone just
saved a static page and we think it had things like delete() and chgrp()
in it".
>
> I guess a security audit of the plugin is in order, but, as I said
> before, I don't think you can reliably catch all cases.
>
Maybe, I'm not dinging the thing...I'm just bringing back to light
issues we should consider. Again, the secure way to handle this is to
not have PHP in static pages to begin with but given we now endorse this
possibility we should consider ways to harden especially considering that
we are becoming more and more popular with blackhats.
Which reminds me, do we have that bozo doing SQL injection attempts on
GL.net still?
--Tony
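A sketch of the "log it when a static page is saved" check discussed above, as an added example that is not Geeklog's or the staticpages plugin's code. It is written in Python rather than the plugin's PHP, the denylist, sample page, page id and user name are constructed for the illustration, and the scan is a regex over the page source after comments and string literals are blanked, so it is a heuristic for the audit log, not a PHP parser.

```python
import re
from datetime import datetime, timezone

# Constructed denylist built around the names mentioned in the thread; in a
# real site this would live in the config so an admin can trim it.
DEFAULT_DENYLIST = ("delete", "unlink", "chgrp", "chmod", "chown", "exec", "system")

# PHP comments and string literals, so that a page which merely *mentions*
# delete() in a sentence or a comment is not reported as calling it.
_NOISE = re.compile(
    r"""/\*.*?\*/|//[^\n]*|#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'""",
    re.DOTALL,
)

def _blank_noise(src):
    # Replace each comment/string with spaces but keep newlines, so the
    # line numbers reported below still refer to the original page.
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def find_denylisted_calls(page_source, denylist=DEFAULT_DENYLIST):
    """Return (function_name, line_number) for each call-like use of a denylisted name.

    Method and variable calls such as $obj->delete(), Foo::delete() or
    $delete() are deliberately skipped: they are not the PHP builtin.
    """
    cleaned = _blank_noise(page_source)
    names = "|".join(re.escape(n) for n in denylist)
    call = re.compile(rf"(?<![\w$>:])({names})\s*\(", re.IGNORECASE)
    hits = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for m in call.finditer(line):
            hits.append((m.group(1).lower(), lineno))
    return hits

def audit_log_line(page_id, user, hits, stamp=None):
    """Build the log line proposed in the thread; None when there is nothing to report."""
    if not hits:
        return None
    calls = ", ".join(f"{name}() at line {ln}" for name, ln in hits)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
    return f"{stamp} staticpages: user '{user}' saved page '{page_id}' containing {calls}"

# Constructed sample page: a quoted mention and a commented mention of delete()
# must not be flagged, while the real chgrp() and unlink() calls must be.
SAMPLE_PAGE = """<p>Welcome</p>
<?php
// delete() mentioned in a comment must not count
echo "You can't use delete() in static pages.";
$f = fopen('/tmp/x', 'r');
chgrp('/tmp/x', 'www');
unlink ($old);
?>"""
```

Because the check only logs, a page that legitimately needs one of these functions still saves; the admin sees the entry in the log and can remove the name from the list, which is the trade-off the post describes.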