Old 7th February 2006, 01:37
webstergd
Join Date: Dec 2005
Location: Washington, DC
Posts: 53
Thanks: 0
Thanked 0 Times in 0 Posts

ehh better but still has a lot of holes.

I agree with Till on all his security points and he is a much better php programmer than I am. However, I do not feel his solution will patch all the holes in this statement.

for example:
if a user submits .../../../ he will still be able to traverse the directory. The system matches two .. not three. Called the triple-dot vulnerability.

If a hacker sends the command /var/www/.../../../../../etc/passwd you will have the password file.

Next example is that if a hacker uses multiple alternate encodings for text in order to bypass the filters, the filters will not flag it.

/var/www/%25%25/%25%23/%25%25 ...... using URL
/var/www/%C0AE/%C0AE/%C0AF ......... using unicode

ok, I am tired so I will stop with the examples...

basically my fear is that it is almost impossible to properly search for phrases that are not allowed. Using different encoding tricks or really just playing around you could eventually find a loophole. I am a firm believer in stating what a function can do versus what a function cannot do.

if I have time later tonight I will think of possible ways to do this that could solve your problem and make the program easier. Might not be as efficient as my original idea but should be just as secure and a hell of a lot easier to program.


Last edited by webstergd; 7th February 2006 at 05:45.
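The allow-list approach the post argues for ("state what a function can do, not what it cannot do"), written out as an added example; this is not code from the thread or from the PHP script under discussion, and the base directory `/var/www/uploads`, the function names and the sample inputs are all assumptions constructed for the demonstration. Python is used so the block runs stand-alone; the logic maps one-to-one onto PHP (`rawurldecode`, `preg_match`, `realpath`). Instead of searching for forbidden strings such as `..`, it decodes the input exactly once, requires every path segment to match a strict pattern of permitted characters, and finally confirms with `realpath` that the resolved file still lies under the base directory. Triple dots, `%2e%2e`, double-encoded `%252e` and the overlong UTF-8 forms `%C0%AE` / `%C0%AF` from the post all fail at one of those three checks without any of them being listed by name.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Assumption for the example: the only directory user-supplied names may refer to.
BASE_DIR = "/var/www/uploads"

# Allow-list: a segment is a plain name such as "report" or "q1-2006.txt".
# ".", "..", "...", empty segments, "%", "\" and NUL can never match this,
# so no blocklist of traversal spellings is needed.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$")


def decode_once(raw: str) -> str:
    """Percent-decode exactly once and insist on well-formed UTF-8.

    Decoding only once means a double-encoded "%252e" becomes the literal
    text "%2e", which the allow-list then rejects. Strict UTF-8 decoding
    rejects overlong sequences such as %C0%AE (an overlong ".") outright.
    """
    return unquote_to_bytes(raw).decode("utf-8")  # raises UnicodeDecodeError on %C0%AE


def resolve_under_base(raw: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path for a user-supplied relative name, or None if
    the name is not something this function is allowed to open."""
    try:
        decoded = decode_once(raw)
    except UnicodeDecodeError:
        return None

    # Every segment must be on the allow-list; "" rejects leading/double slashes.
    segments = decoded.split("/")
    if not all(SEGMENT_RE.match(seg) for seg in segments):
        return None

    # Belt and braces: canonicalise and confirm containment even though the
    # allow-list already makes "up" references impossible.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, *segments))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def check_samples() -> dict:
    """Run the constructed sample inputs (including the ones from the post)
    through the resolver and report which were accepted."""
    samples = [
        "report.txt",                   # plain name: accepted
        "2006/q1-report.txt",           # one subdirectory: accepted
        ".../../../etc/passwd",         # triple-dot traversal from the post
        "%2e%2e/%2e%2e/etc/passwd",     # URL-encoded dots
        "%252e%252e/etc/passwd",        # double-encoded dots
        "%C0%AE%C0%AE/%C0%AF",          # overlong UTF-8 "../" 
        "%C0AE/%C0AE/%C0AF",            # the spelling used in the post
    ]
    return {s: resolve_under_base(s) for s in samples}


if __name__ == "__main__":
    for name, result in check_samples().items():
        print(f"{name!r:32} -> {'accepted: ' + result if result else 'rejected'}")
```

The decisive part is `SEGMENT_RE`: because it describes the only shapes a name may take, every encoding trick the post worries about is rejected as a side effect rather than by a rule that has to anticipate it. The `realpath` containment check is kept as a second, independent line of defence in case the allow-list is ever loosened.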