
[nycphp-talk] Is it safe to log unsanitized, unvalidated user-inputted data into a logfile?

Konstantin Rozinov krozinov at gmail.com
Tue Apr 7 22:34:40 EDT 2009


On Mon, Apr 6, 2009 at 12:47 AM, Brian Williams <brianw1975 at gmail.com> wrote:
>
> if his code had read:
>
> error_log(__FUNCTION__ . "($username): called.", 3, $log_file);
>
> I wouldn't have made any comment at all.
>
> If the backticked code were not in double quotes it would be executed and
> the resulting output of the backticked code would be recorded to the log.
>

Brian,

This is not true.  I tested what was discussed in this thread and here
are the results.

(1)
If an attacker submits the following as the $username: `touch /tmp/fooooo`
This will be output to the logfile: check_username(`touch /tmp/fooooo`): called.
The attacker's input is not executed.  It is treated as a string.

(2)
If an attacker submits the following as the $username: <?php `touch /tmp/fooooo` ?>
This will be output to the logfile: check_username(<?php `touch /tmp/fooooo` ?>): called.
The attacker's input is not executed.  It is treated as a string.

Only if I process the logfile with php -f <logfile> will the code in
(2) actually execute.
The code in (1) won't even run since it's outside the <?php ?> tags,
but that's a minor point.

Paul raises a good question about log processing software that might
interpret and run the code... it seems that's where the real problem
lies.

Konstantin Rozinov
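As an added example (not code from the thread or from NYPHP), here is a PHP helper that writes the untrusted value as encoded data, so that neither a later `php -f` run nor a log processor ever sees `<?php ... ?>` literally in the file; it also escapes line breaks, which goes a step beyond what the thread discusses. The names log_safe and log_call and the sample inputs are my own.

```php
<?php
// Added example: record an untrusted value verbatim as data, in a form that
// can neither forge extra log lines nor be mistaken for PHP code by a tool
// that later processes the log file.

/**
 * Encode an untrusted value for inclusion in a single log line.
 * json_encode() escapes control characters (so a CR/LF in the input cannot
 * start a second line), and JSON_HEX_TAG turns '<' and '>' into \u003C and
 * \u003E, so "<?php ... ?>" never appears literally in the log.
 */
function log_safe(string $value): string
{
    $encoded = json_encode($value, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES);
    // json_encode() returns false on invalid UTF-8; fall back to a hex dump
    // rather than dropping the entry or writing the raw bytes.
    if ($encoded === false) {
        return '0x' . bin2hex($value);
    }
    return $encoded;
}

// Mirrors the check_username() call from the thread, with the value encoded.
function log_call(string $function, string $username, string $log_file): string
{
    $line = $function . '(' . log_safe($username) . '): called.' . PHP_EOL;
    error_log($line, 3, $log_file);   // message type 3 = append to $log_file
    return $line;
}

// Constructed sample inputs: the two strings from the thread, plus a value
// containing a line break to show that it stays on one log line.
$log_file = sys_get_temp_dir() . '/nycphp_example.log';
$samples = [
    '`touch /tmp/fooooo`',
    '<?php `touch /tmp/fooooo` ?>',
    "bob\nalice",
];
foreach ($samples as $s) {
    $written = log_call('check_username', $s, $log_file);
    // Every entry is exactly one line and contains no literal "<?" or "?>".
    assert(substr_count($written, "\n") === 1);
    assert(strpos($written, '<?') === false && strpos($written, '?>') === false);
    echo $written;
}
```

The backticks themselves are kept as-is, since error_log() already treats them as plain characters; the encoding only matters for whatever reads the file afterwards.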


