PHP Vulnerability Checklist
Ray (the boss) and I were chatting about how we should implement our secure upload page. The way it should work is, an IP is added to the genhosts database, it sets up a 5-minute wait, and at the end of five minutes, redirects to the data upload page, at which point the computer is allowed to connect, since the new IP has propagated into /etc/hosts.allow (via a cron job that takes MySQL entries and parses them (via HTTP and XML) into the standard /etc/hosts.allow format). It’s basically working, but we’re having a bunch of trouble getting IE and Firefox to redirect, since IE apparently detects my window.location.href and location.replace calls as popups, and blocks them.
My first reaction was, ‘I wonder if there’s any way we can completely eliminate the wait?’ I can’t really come up with anything though, aside from sudoing to run the genhosts.py command, which is somewhat of a vulnerability since the commands are running as root. This got me thinking, though, that my MySQL -> XML scripts are totally not up to par security-wise, so I looked around a little bit for a good checklist and ended up finding Rob’s PHP Security Guide. It’s a great little guide. I’m trying some more to think outside of the box on this one, and so far all I’ve really come up with is a somewhat more complicated system of:
- Admin creates some sort of token, emails the uploader a link to a page (perhaps automatically).
- The uploader enters the token and his email address.
- The web server validates the token, adds the IP address, and waits for genhosts to run (i.e., for the IP to show up in /etc/hosts.allow. This way we only require read access by Apache on /etc/hosts.allow), then emails the user the link to the regular uploading page.
I think this would be pretty sweet, and would also let us cross-reference specific authorizations (by the tokens) to certain IP addresses in the database, and it sort of removes that whole aspect of having the user sit at his web browser and wait for a countdown.
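The token flow sketched in the list above, as an added example (not code from this post or from genhosts): single-use tokens stored only as hashes, bound once to the connecting IPv4 address, plus a read-only check of hosts.allow contents. The in-memory record store, the 24-hour lifetime, and the names `UploadAuthorizer` and `ip_in_hosts_allow` are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime; the post does not specify one


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class UploadAuthorizer:
    """In-memory stand-in for the genhosts MySQL table (hypothetical schema)."""

    def __init__(self):
        self.records = {}  # sha256(token) -> {"email", "expires", "ip"}

    def issue(self, email, now=None):
        """Admin step: create the token that is e-mailed to the uploader."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only the hash so a database leak does not reveal usable tokens.
        self.records[_digest(token)] = {
            "email": email, "expires": now + TOKEN_TTL, "ip": None}
        return token

    def redeem(self, token, email, remote_ip, now=None):
        """Web step: validate token and e-mail, then bind the IP exactly once."""
        now = time.time() if now is None else now
        rec = self.records.get(_digest(token))
        if rec is None or now > rec["expires"] or rec["ip"] is not None:
            return None  # unknown, expired, or already used
        if not hmac.compare_digest(rec["email"].lower().encode(),
                                   email.lower().encode()):
            return None
        try:
            # remote_ip must be the address the server saw, never a form field.
            ip = str(ipaddress.IPv4Address(remote_ip))
        except ValueError:
            return None  # anything that is not a literal IPv4 address
        rec["ip"] = ip  # token -> IP cross-reference, as described above
        return ip


def ip_in_hosts_allow(text, ip):
    """Read-only check that `ip` appears as a client in hosts.allow text."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(":")  # drop comments, split fields
        if len(parts) >= 2 and ip in parts[1].replace(",", " ").split():
            return True
    return False
```

The web process would poll `ip_in_hosts_allow` with the file's contents until it returns true and only then send the upload link, so it needs nothing beyond read access to /etc/hosts.allow.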
A more probable solution, at least for tonight, is to run a progress bar that’s not tied to anything in particular, since that’s what Ray wants. It actually seems to work okay in this configuration, assuming that our users have enough patience to wait for the meta refresh… Time will tell, I suppose!