understanding buffer overflow

  • j-marvin

    understanding buffer overflow

    hi-

    i am using the abyss webserver at the moment.
    i went through the process of how a buffer overflow would work in my mind.
    i noticed you can limit the size of post data and its limit value is
    displayed on the phpinfo page 8mb. so my question is will the post ever be
    so big that it causes the abyss webserver to have a buffer overflow? if not,
    why would you check for length of php input data?

    i am trying to review my code for security issues. i found some good
    articles. i learned to htmlentities($mydata) before displaying it and
    other stuff. i don't feel comfortable about implementing something if
    i don't have at least some idea of how it works.

    thanks,
    jim
  • Daniel Tryba

    #2
    Re: understanding buffer overflow

    j-marvin <customer@service.boy> wrote:
    > i went through the process of how a buffer overflow would work in my
    > mind. i noticed you can limit the size of post data and its limit
    > value is displayed on the phpinfo page 8mb. so my question is will
    > the post ever be so big that it causes the abyss webserver to have a
    > buffer overflow?

    No program is free from errors, so there is a chance there are
    exploitable buffer overflows in the php/abyss combo. I'm no expert on
    overflows, but the size is not the problem. A(ny) maximum is the
    problem.

    > if not, why would you check for length of php input data?

    Memory allocation, everything that is posted is mapped to $_POST (or
    $_FILES) so it consumes memory, you probably want to limit memory usage
    per script execution, limiting post will make sure you have some amount
    of memory guaranteed to be available to your script (max. mem- max post).

    > i am trying to review my code for security issues. i found some good
    > articles. i learned to htmlentities($mydata) before displaying it

    You do escape the quotes here, don't you?

    --

    Daniel Tryba


    • j-marvin

      #3
      Re: understanding buffer overflow

      Daniel Tryba <news_comp.lang.php@canopus.nl> wrote in news:ci8u50$aqf$2@news.tue.nl:

      > j-marvin <customer@service.boy> wrote:
      >> i went through the process of how a buffer overflow would work in my
      >> mind. i noticed you can limit the size of post data and its limit
      >> value is displayed on the phpinfo page 8mb. so my question is will
      >> the post ever be so big that it causes the abyss webserver to have a
      >> buffer overflow?
      >
      > No program is free from errors, so there is a chance there are
      > exploitable buffer overflows in the php/abyss combo. I'm no expert on
      > overflows, but the size is not the problem. A(ny) maximum is the
      > problem.
      >
      >> if not, why would you check for length of php input data?
      >
      > Memory allocation, everything that is posted is mapped to $_POST (or
      > $_FILES) so it consumes memory, you probably want to limit memory
      > usage per script execution, limiting post will make sure you have some
      > amount of memory guaranteed to be available to your script (max. mem- max
      > post).
      >
      >> i am trying to review my code for security issues. i found some good
      >> articles. i learned to htmlentities($mydata) before displaying it
      >
      > You do escape the quotes here, don't you?
      >

      hi daniel-

      so post memory must be like a session variable in that it persists until
      the browser closes. that is why i should limit it per script execution
      i guess.
      when i say this i mean variable post_max_size. each script execution
      adds more memory allocated to post.

      on the escaping quotes you mean i should escape double quotes...right?
      $new = htmlspecialchars("<a href="test">Test</a>", ENT_QUOTES);
      # this will produce a syntax error
      # Parse error: parse error, unexpected T_STRING in C:\Program Files\Abyss
      # Web Server\myfiles\phpinfo.php on line 5
      i had only tested it with single quotes (of course).
      thanks,
      jim

      • Daniel Tryba

        #4
        Re: understanding buffer overflow

        j-marvin <customer@service.boy> wrote:
        > so post memory must be like a session variable in that it persists until
        > the browser closes.

        No, it's per http request.

        > that is why i should limit it per script execution i guess. when i
        > say this i mean variable post_max_size. each script execution adds
        > more memory allocated to post.

        Let's say, every single request for a php script has a memory limit of
        4Mb and a max post size of 3Mb. You can now only allocate another 1Mb in
        your script. You might want to make sure you can allocate x Mb but no
        more than y Mb... memorylimit would thus be y Mb and maxpost y-x Mb. The
        total number of parallel requests would only be limited by total memory/y
        (neglecting overhead of the httpserver and other processes :).

        > on the escaping quotes you mean i should escape double quotes...right?
        > $new = htmlspecialchars("<a href="test">Test</a>", ENT_QUOTES);
        > # this will produce a syntax error
        > # Parse error: parse error, unexpected T_STRING in C:\Program Files\Abyss
        > # Web Server\myfiles\phpinfo.php on line 5
        > i had only tested it with single quotes (of course).

        ENT_QUOTES is what I was hoping for... The syntax error is because:
        "foo"bar"foo"
        is just plain wrong:
        "foo\"bar\"foo"
        or
        'foo"bar"foo'
        or see the manual for heredoc notation.

        --

        Daniel Tryba
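As an added illustration of the memory_limit / post_max_size arithmetic in the reply above (example code written for this edit, not something posted in the thread): it converts the php.ini shorthand values to bytes, reports the headroom left for the script itself, and handles the case PHP only warns about, a request body larger than post_max_size, which makes PHP continue with empty $_POST and $_FILES rather than fail. The function name iniBytes and the 413 response are this example's own choices.

```php
<?php
// Added example (not from the thread): check that post_max_size leaves
// headroom under memory_limit, i.e. memory_limit = y, post_max_size = y-x.

// Convert php.ini shorthand such as "8M" or "512K" to a byte count.
function iniBytes(string $v): int {
    $v = trim($v);
    if ($v === '-1') {            // memory_limit = -1 means "no limit"
        return PHP_INT_MAX;
    }
    $unit = strtoupper(substr($v, -1));
    $n = (int) $v;                // (int)"8M" yields 8
    switch ($unit) {
        case 'G': return $n * 1024 * 1024 * 1024;
        case 'M': return $n * 1024 * 1024;
        case 'K': return $n * 1024;
        default:  return $n;      // plain byte value, no suffix
    }
}

$memoryLimit = iniBytes(ini_get('memory_limit'));
$postMax     = iniBytes(ini_get('post_max_size'));
$headroom    = $memoryLimit - $postMax;   // the "x" left for the script

printf("memory_limit=%d bytes, post_max_size=%d bytes, headroom=%d bytes\n",
       $memoryLimit, $postMax, $headroom);
if ($headroom <= 0) {
    echo "warning: post_max_size is not below memory_limit\n";
}

// A request body above post_max_size is not rejected by PHP: it logs a
// warning and the script runs with empty $_POST and $_FILES, which can
// look like "the user submitted nothing". Detect it from Content-Length.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && isset($_SERVER['CONTENT_LENGTH'])
    && (int) $_SERVER['CONTENT_LENGTH'] > $postMax) {
    http_response_code(413);   // Payload Too Large
    exit("Request body exceeds post_max_size\n");
}
```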


        • j-marvin

          #5
          Re: understanding buffer overflow

          Daniel Tryba <news_comp.lang.php@canopus.nl> wrote in
          news:ci92io$d7b$1@news.tue.nl:

          > j-marvin <customer@service.boy> wrote:
          >> so post memory must be like a session variable in that it persists
          >> until the browser closes.
          >
          > No, it's per http request.
          >
          >> that is why i should limit it per script execution i guess. when i
          >> say this i mean variable post_max_size. each script execution adds
          >> more memory allocated to post.
          >
          > Let's say, every single request for a php script has a memory limit of
          > 4Mb and a max post size of 3Mb. You can now only allocate another 1Mb
          > in your script. You might want to make sure you can allocate x Mb but
          > no more than y Mb... memorylimit would thus be y Mb and maxpost y-x
          > Mb. The total number of parallel requests would only be limited by
          > total memory/y (neglecting overhead of the httpserver and other
          > processes :).
          >
          >> on the escaping quotes you mean i should escape double
          >> quotes...right? $new = htmlspecialchars("<a href="test">Test</a>",
          >> ENT_QUOTES); # this will produce a syntax error
          >> # Parse error: parse error, unexpected T_STRING in C:\Program
          >> Files\Abyss # Web Server\myfiles\phpinfo.php on line 5
          >> i had only tested it with single quotes (of course).
          >
          > ENT_QUOTES is what I was hoping for... The syntax error is because:
          > "foo"bar"foo"
          > is just plain wrong:
          > "foo\"bar\"foo"
          > or
          > 'foo"bar"foo'
          > or see the manual for heredoc notation.
          >


          i played with the second parameter for htmlentities and i get the same
          thing in the url every time. i understand if i don't escape double quotes
          with a \ i can get a syntax error.

          htmlentities($variable, ENT_QUOTES)
          htmlentities($variable, ENT_COMPAT)
          htmlentities($variable, ENT_NOQUOTES)

          are all the same to me at the moment.
          i just don't see how they make a difference.
          if someone could post the simplest code they knew to explain it that
          would be cool. if i had to try and explain it i'd say that
          in the url the special characters are all turning to a code like
          "confused" looks like http://127.0.0.1:8125/tired.php?tired=%27confused%27&submit=

          and this happens no matter what i use for the second parameter.

          thanks daniel.

          i need to get some sleep.
          i stayed up too late. work ought to be interesting on this little
          sleep.

          later,
          jim
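A minimal script, added here and not posted in the thread, showing what the three flags actually change: which quote characters get escaped, and why that matters once the value lands inside a single-quoted attribute. The %27 seen in the address bar is the browser's URL-encoding of the query string and has nothing to do with htmlentities output; the $input and $value strings below are constructed for the example.

```php
<?php
// Added example (not from the thread): what the second argument of
// htmlentities() changes. The input deliberately contains both quote
// styles, because the flags differ only in how quotes are handled.
$input = "<a href='x'>say \"hi\"</a>";

$flags = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // escapes < > & and leaves both quote kinds alone
    'ENT_COMPAT'   => ENT_COMPAT,   // additionally escapes double quotes only
    'ENT_QUOTES'   => ENT_QUOTES,   // escapes double and single quotes
];
foreach ($flags as $name => $flag) {
    printf("%-12s %s\n", $name, htmlentities($input, $flag));
}

// Where the difference matters: the value is echoed into an attribute that
// is delimited with single quotes. With ENT_COMPAT the ' in the value is
// left untouched and terminates the attribute early; with ENT_QUOTES it is
// escaped and stays inside the value. Match the flag to the quoting used in
// the surrounding markup, or simply always pass ENT_QUOTES.
$value = "it's";
echo "<input value='" . htmlentities($value, ENT_COMPAT) . "'>\n";
echo "<input value='" . htmlentities($value, ENT_QUOTES) . "'>\n";
```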

          • j-marvin

            #6
            Re: understanding buffer overflow

            never mind.

            i will search google for htmlentities or related functions and
            see what people are using for code. i looked at the manual
            and so far it hasn't helped yet.

            i have lots of time to complete this project anyways.

            thanks for helping,
            jim
