NYCPHP Meetup

[Brian Williams]

phpinfo() pish...


$user_input = "`rm -Rf /`"

nuff said.

in case it wasn't - backticks are basically the short cut to get PHP to
execute something on the command line.

*always *check incoming user data.



On Sun, Apr 5, 2009 at 8:56 PM, Konstantin Rozinov <krozinov at gmail.com>wrote:

> Hey guys,
>
> I have a question about logging messages.
>
> Is it safe to log unsanitized, unvalidated user-inputted data into a
> logfile?
>
> For example, if I have a function called check_username(), which
> checks that the username only consists of A-Za-z0-9, is it safe to
> have check_username() write to a logfile that it was called on the
> particaular user-inputted string, like so:
>
> Function definition:
> function check_username($username, &$error)
> {
>  .. set $log_file...
>
>  /* print out informational message. */
>  error_log(__FUNCTION__ . '(' . $username . '): called.', 3, $log_file);
>
>  ..check the username for correctness..
> }
>
> Function called like so:
> check_username('$_POST['username'], $error);
>
> Output to logfile:
> check_username(user1): called.
>
>
> Is it possible for an attacker to submit  a specific string as the
> $username to somehow "escape" out of the error_log() function and have
> code executed instead (like calling phpinfo())?
>
>
>
> thanks,
> Konstantin
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20090405/647330a5/attachment.html>