Qustion on viewing code

Re: Qustion on viewing code

Alan Larsson wrote:Unless there is a horrible server misconfiguratio n or the site has a
serious scripting vulnerability, no.

--
Curtis, http://dyersweb.com

Re: Qustion on viewing code

On 23 Feb, 01:12, Curtis <zer0d...@veriz on.netwrote:yes, probably but not for someone who provides no specifics and at
least attempts to justify it.
do no evil.
and you have to pay school fees by learning more about things before
you ask this kind of question, or you wont be respected enough to get
given the answers

Re: Qustion on viewing code

Message-ID: <45de37b2$0$489 1$4c368faf@road runner.comfrom Alan Larsson
contained the following:
No.



--
Geoff Berrow 011000100110110 0010000000110
001101101011011 001000110111101 100111001011
100110001101101 111001011100111 010101101011

Re: Qustion on viewing code


"shimmyshac k" <matt.farey@gma il.comwrote in message
news:1172193670 .840327.125390@ v33g2000cwv.goo glegroups.com.. .actually, I am being accused of stealing PHP code from a site.. and I did
not think it was possible, so I asked the experts here.

Re: Qustion on viewing code

On 23 Feb, 02:23, "Alan Larsson" <newsgr...@alst own.comwrote:Ah I see, well it didn't sound to me that you knew enough to do it, so
that's your strongest card.
Don't start getting interested in this area just for the sake of
showing you can't because it's a huge area and the answer to this
question is always YES probably. (even the ones with "hacker safe"
symbols.
Basically PHP code is designed never to be released to the end user,
any file on the server should be executed and only the results of the
php code sent to your browser, however there are times when people
make mistakes and the code can be downloaded. The only way you could
have accidentally stolen code via a browser is by accidentally finding
a publically available piece of code, which is NOT your fault. Even if
you did find this, it would be quite improbable that the site in
question could tell if you had. (Unless they use some kind of complex
outgoing filter that records but does not stop outgoing code release -
whereas filters of this kind are usually set up to stop code release)

I would say you are on balance very unlikely to be accused for very
long,
a) it shows a lack of professionalism on their part to be releasing
code which they later regret.
b) whereas however they are saying "they know" you did it, which shows
a degree of skill they probably don't have as (a) shows

Just ask for evidence. But don't claim it "isn't possible" because it
usually is possible to launch an attack, there are so may ways to do
it. For more advice and info ask "OWASP or web app sec" they have to
deal with these kinds of complaints and threats on a regular basis
when they reveal vulnerabilities on sites. In general if you see
something wrong the advice is don't report it, unless you have reason
to believe you will escape subsequent action.

Re: Qustion on viewing code


"shimmyshac k" <matt.farey@gma il.comwrote in message
news:1172198155 .605591.99560@s 48g2000cws.goog legroups.com...
| On 23 Feb, 02:23, "Alan Larsson" <newsgr...@alst own.comwrote:
| "shimmyshac k" <matt.fa...@gma il.comwrote in message
| >
| news:1172193670 .840327.125390@ v33g2000cwv.goo glegroups.com.. .
| >
| >
| >
| On 23 Feb, 01:12, Curtis <zer0d...@veriz on.netwrote:
| Alan Larsson wrote:
| Is there a way i can look at the php code that is runnig a site,
| without any
| ind of admin access to the server?
| >
| Unless there is a horrible server misconfiguratio n or the site has a
| serious scripting vulnerability, no.
| >
| --
| Curtis,http://dyersweb.com
| >
| yes, probably but not for someone who provides no specifics and at
| least attempts to justify it.
| do no evil.
| and you have to pay school fees by learning more about things before
| you ask this kind of question, or you wont be respected enough to get
| given the answers
| >
| actually, I am being accused of stealing PHP code from a site.. and I
did
| not think it was possible, so I asked the experts here.
|
| Ah I see, well it didn't sound to me that you knew enough to do it, so
| that's your strongest card.
| Don't start getting interested in this area just for the sake of
| showing you can't because it's a huge area and the answer to this
| question is always YES probably. (even the ones with "hacker safe"
| symbols.
| Basically PHP code is designed never to be released to the end user,
| any file on the server should be executed and only the results of the
| php code sent to your browser, however there are times when people
| make mistakes and the code can be downloaded. The only way you could
| have accidentally stolen code via a browser is by accidentally finding
| a publically available piece of code, which is NOT your fault. Even if
| you did find this, it would be quite improbable that the site in
| question could tell if you had. (Unless they use some kind of complex
| outgoing filter that records but does not stop outgoing code release -
| whereas filters of this kind are usually set up to stop code release)
|
| I would say you are on balance very unlikely to be accused for very
| long,
| a) it shows a lack of professionalism on their part to be releasing
| code which they later regret.
| b) whereas however they are saying "they know" you did it, which shows
| a degree of skill they probably don't have as (a) shows
|
| Just ask for evidence. But don't claim it "isn't possible" because it
| usually is possible to launch an attack, there are so may ways to do
| it. For more advice and info ask "OWASP or web app sec" they have to
| deal with these kinds of complaints and threats on a regular basis
| when they reveal vulnerabilities on sites. In general if you see
| something wrong the advice is don't report it, unless you have reason
| to believe you will escape subsequent action.

which is odd that he'd be asking how to do it...thus giving him the
knowlege/means and taking away his best defense.

find a server that parses all documents via php instead of by extension, and
one that allows uploads. embed php code in an image and upload it. in that
code, you should find the document root and then recurse for all dirs from
the doc root. output the paths into a file your script creates. access that
script. look for interesting names...especia lly header, security, and config
file names. the embedded php code should also output the product of
php_info(). any file you want, you can access via this method whether it is
in the www root or in some other system directory - which most people here
think gives a measure of security.

it's not hard to hack any site...it just takes a bit of knowledge and some
desire.

Re: Qustion on viewing code


"Geoff Berrow" <blthecat@ckdog .co.ukwrote in message
news:68hst2l9rp l53um7q7q737mba v5aglopk9@4ax.c om...
| Message-ID: <45de37b2$0$489 1$4c368faf@road runner.comfrom Alan Larsson
| contained the following:
|
| >Is there a way i can look at the php code that is runnig a site, without
any
| >ind of admin access to the server?
|
| No.

are you trying to be funny, geof? that's about the most uninformed and
unimaginatively wrong answer as i've ever seen. i am horrified that it was
made by you of all people!

Re: Qustion on viewing code

Steve <no.one@example .comwrote:And in this case, both an insane webserver setting and a either no or a
bogus check on files after upload... Usually it would be much, much harder.

--
Rik Wasmus

Re: Qustion on viewing code


"Rik" <luiheidsgoeroe @hotmail.comwro te in message
news:op.tn6pvcv iqnv3q9@misant. ..
| Steve <no.one@example .comwrote:
| find a server that parses all documents via php instead of by extension,
| ....
| >
| it's not hard to hack any site...it just takes a bit of knowledge and
| some desire.
|
| And in this case, both an insane webserver setting and a either no or a
| bogus check on files after upload... Usually it would be much, much
harder.

true. however sadly, *most* web servers (apache anyway) out there at least
parse all documents through php even if the extension is different...thi ngs
like .css or .jpg, or what have you. this is the critical part. as long as
this is the configuration, you can find *many* ways to get your script onto
their server. and you will have enough authorization to access any system
directory that php has access to...even those not in the web root.

this is not just a php issue, asp and others have the same problem. people
are not ever as aware as they should be when it comes to security. myself
included.

Re: Qustion on viewing code

On 23 Feb, 04:45, "Steve" <no....@example .comwrote:the embedding image technique gets passed antivirus, alot of incoming
filters, mimetype checking, most types of "is this an image" checking
(thumbnails/height/width etc...) - cos it still is, and just about the
only reliable way on windows to counter this is to use forcetype, and
store all images so they arent callable by URL. Removehandler wont
work unless your using cgi, its a very damaging attack. As for the
server settings, its default on windows, even on a good admin who has
security always on his mind might let this one passed. The same attack
works locally too, embedding javascript instead of php, and calling
the image in a frame, if you know your victim has a server on his
machine, you can even email him the offending picture asking him to
save it to his desktop, and using one of IEs many local file insertion
vulnerabilities included it in the window and grab his crendentials,
so to speak. Nasty

Re: Qustion on viewing code

Steve wrote:Um, excuse me, but I've never seen/used a server that was set up like
that (then again, you can usually trust professional web hosts to set up
their servers properly). On one or two occasions, I've seen someone in
here ask if you *can* set up the server to parse everything through PHP,
and the general answer was "don't, because it's horribly insecure". It's
useful for single directories (containing dynamic images or feeds), but
as long as those directories are separated from the ones where files can
be uploaded, it should be safe.

--cb

Re: Qustion on viewing code

Steve wrote:I haven't seen Apache set up like that (on the document root and
below) ever. Most people don't do this. Apache doesn't force any
configuration, the server admin has control over how PHP is configured.

--
Curtis, http://dyersweb.com

Re: Qustion on viewing code

Message-ID: <77uDh.506$f%2. 460@newsfe03.lg afrom Steve contained the
following:
Well I don't really agree, but I see where you are coming from.
You could argue that any form of hacking is an attempt to get some kind
of admin access. In the normal course of events, barring a hacking
attempt or misconfigured server there is no way to 'look' at the php
code running the site.

Besides that, if you genuinely don't know the answer to the question the
answer of 'no' is probably quite reasonable.

Nevertheless, I apologise for not qualifying my answer more fully.



--
Geoff Berrow 011000100110110 0010000000110
001101101011011 001000110111101 100111001011
100110001101101 111001011100111 010101101011

Re: Qustion on viewing code

On Feb 22, 8:45 pm, "Steve" <no....@example .comwrote:I personally always run uploaded images through a resize operation -
that would defeat your embedded php code, wouldn't it?