[geeklog-devel] PHP in Static Pages

Tony Bibbs tony at tonybibbs.com
Tue Jan 13 17:47:40 EST 2004


Dirk Haun wrote:
> echo "You can't use delete() in static pages.";

Yeah, but that is no different, IMHO, than the censorship filters we 
have now to catch 'bad' words.  If users are using things like 
'delete()' in the static page then they would simply go to the config 
and remove it if they really need it.  Point is we would be erring on 
the side of security yet allowing users a way to remove this checking 
altogether.

> 
> So the first thing to do when you hijack a static page is to delete the
> error.log from it.
> 

LOL, I suppose.  IMHO, you don't even have to prevent the use of any PHP 
functions that may be questionable.  Maybe the first place to start is 
to proactively log when a page is saved by saying "hey, someone just 
saved a static page and we think it had things like delete() and chgrp() 
in it".

> 
> I guess a security audit of the plugin is in order, but, as I said
> before, I don't think you can reliably catch all cases.
> 

Maybe, I'm not dinging the thing...I'm just bringing back to light 
issues we should consider.  Again, the secure way to handle this is to 
not have PHP in static pages to begin with but given we now endorse this 
possibility we should consider ways to harden especially considering that 
we are becoming more and more popular with blackhats.

Which reminds me, do we have that bozo doing SQL injection attempts on 
GL.net still?

--Tony
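
The check Tony sketches above (a configurable list of questionable functions, with a log entry when a saved static page contains one) as an added example; this is not Geeklog code and not from the thread. It uses PHP's tokenizer instead of a string match so that "unlink" inside a comment or a string literal is not flagged and method calls such as $obj->chgrp() are ignored; the thread's delete() is replaced by unlink(), which is the actual PHP file-deletion function. The names $_SP_CONF['php_denylist'], sp_scan_php() and sp_log_suspicious_save() and the sample page are made up for the example.

```php
<?php
// Added example (not Geeklog code): scan the PHP in a static page for
// direct calls to functions on a configurable deny list and log hits
// when the page is saved.

// Hypothetical config entry; an admin who really needs one of these
// functions can remove it from the list.
$_SP_CONF['php_denylist'] = array(
    'unlink', 'rmdir', 'chgrp', 'chown', 'chmod', 'exec', 'system',
    'passthru', 'shell_exec', 'popen', 'proc_open', 'eval',
);

/**
 * Return "name:line" for every direct call to a denied function in $code.
 * Uses the tokenizer, so names inside strings and comments are not hits.
 */
function sp_scan_php($code, array $denylist)
{
    $deny   = array_flip(array_map('strtolower', $denylist));
    $hits   = array();
    $tokens = token_get_all($code);
    $n      = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue;               // single-character tokens: ( ) ; etc.
        }
        // eval is a language construct with its own token type
        if ($tok[0] === T_EVAL && isset($deny['eval'])) {
            $hits[] = 'eval:' . $tok[2];
            continue;
        }
        if ($tok[0] !== T_STRING) {
            continue;
        }
        $name = strtolower($tok[1]);
        if (!isset($deny[$name])) {
            continue;
        }
        // Skip $obj->name(), Class::name() and "function name()" definitions
        $prev = $i - 1;
        while ($prev >= 0 && is_array($tokens[$prev]) && $tokens[$prev][0] === T_WHITESPACE) {
            $prev--;
        }
        if ($prev >= 0 && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], array(T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION), true)) {
            continue;
        }
        // Only an identifier followed by "(" is a call
        $next = $i + 1;
        while ($next < $n && is_array($tokens[$next]) && $tokens[$next][0] === T_WHITESPACE) {
            $next++;
        }
        if ($next < $n && $tokens[$next] === '(') {
            $hits[] = $name . ':' . $tok[2];
        }
    }
    return $hits;
}

/**
 * Hypothetical save hook: record who saved which page with which denied
 * calls, without blocking the save (the config list is the on/off switch).
 */
function sp_log_suspicious_save($sp_id, $uid, $code, array $denylist)
{
    $hits = sp_scan_php($code, $denylist);
    if (!empty($hits)) {
        error_log(sprintf('static page %s saved by uid %d with denied calls: %s',
                          $sp_id, $uid, implode(', ', $hits)));
    }
    return $hits;
}

// Constructed sample page content (not taken from the thread)
$sample = '<?php
$f = "/tmp/x";
unlink($f);                      // direct call: flagged
$obj->chgrp(1);                  // method call: not flagged
eval($_GET["c"]);                // flagged
$fn = "sys" . "tem"; $fn("id");  // variable function: not caught
';

print_r(sp_log_suspicious_save('sample', 2, $sample, $_SP_CONF['php_denylist']));
```

The last line of the sample shows the limit Dirk points at: a variable function, call_user_func(), or a name assembled at runtime passes the scan, so this is a tripwire for the careless case and a log trail for the admin, not a sandbox. The log line should go somewhere the page's own PHP cannot reach (the web server's error log or a file outside the document root), for exactly the reason given in the quoted reply.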
