Author Topic: A PHP Solution  (Read 2423 times)


Offline Jake
A PHP Solution
« on: February 28, 2015, 12:45:07 AM »
After a client whined for a while about FTP taking too long to remove his enormous mistakes, I decided to take a shot at writing a PHP program to quickly remove files from the addons directory of his garrysmod server. My main goal in this is to prevent any bugs, and any possibility of removing files outside of the addons directory using things like "..". I thought I'd post to see if there were any flaws or security exploits that should be fixed.

Here's the first file, the one you start at:
Code: PHP
<form action="fileman.php" method="post">
        <?php
                // List every entry in the addons directory (Windows path on the game server)
                $arr = scandir('C:\sg\darkrp\garrysmod\addons');
                echo '<select name=\'file\'>';
                echo '<option>Select a file</option>';
                foreach ($arr as $value)
                {
                        if ($value != "." && $value != "..") {
                                // In a single-quoted string '\\' is one backslash, so the option text is addons\<entry>
                                echo '<option>addons\\' . $value . '</option>';
                        }
                }
                echo '</select>';
        ?>
        <input type='submit' name='delete' value='Delete Addon'/>
</form>

Then here's fileman.php

Code: PHP
<?php
$server_loc = 'C:\sg\darkrp\garrysmod\\'; // escape a slash using a slash?
print_r($_POST);

// This function was ripped from stack overflow
// Recursively deletes a directory: files are unlink()ed, subdirectories recurse, then the directory itself is removed
function rrmdir($dir) {
        if (is_dir($dir)) {
                $objects = scandir($dir);
                foreach ($objects as $object) {
                        if ($object != "." && $object != "..") {
                                if (filetype($dir."/".$object) == "dir")
                                {
                                        rrmdir($dir."/".$object);
                                }
                                else
                                {
                                        unlink($dir."/".$object);
                                }
                        }
                }
                rmdir($dir);
        }
}

if (isset($_POST['file'])) {
        echo 'File to delete: ' . $_POST['file'];
        // Target must exist under the server root and the submitted name must not contain ".."
        if (file_exists($server_loc . $_POST['file']) && strpos($_POST['file'], '..') === false) { // I hope this prevents morons from using '..' hacks to fuck my server
                echo 'File exists!';
                rrmdir($server_loc . $_POST['file']);
        }
}
?>

If I decide to move my webserver to apache later, how would I do this remotely? Currently the gameserver and the webserver are both running on a Windows 2008 machine.

Offline Nathan
Re: A PHP Solution
« Reply #1 on: March 01, 2015, 08:47:26 AM »
Well...

This is a topic that is always argued but first off I would recommend using htaccess/IIS to have a basic auth prompt - if it's not using SSL it will be in clear text but it will prevent random people from accessing it.

The options have no value so this as is wouldn't work. And if you are thinking what I think you are thinking - you should set the value options to the subdirectory and do a rrmdir on C:\sg\darkrp\garrysmod\\ + $_POST['file']. Also to check to make sure they aren't trying to traverse through the filesystem you could use http://php.net/manual/en/function.realpath.php to check if $_POST["file"] == realpath($_POST['file']). If it's not equal then you know that they included some ../ or ./ in the filename.
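As an added example (not code from this thread), here is a containment check along the lines of Nathan's realpath() suggestion, but comparing the resolved candidate against the resolved base directory with a prefix test, which is what actually establishes that the target sits inside the addons folder. It assumes PHP 7.1+, the addons path used in the thread, and that the form submits the bare entry name rather than the addons\ prefix.

```php
<?php
// Added example, not the thread's code. Assumed base directory (the one used in the thread).
$base = realpath('C:\sg\darkrp\garrysmod\addons');

// Returns the canonical path of $name inside $base, or null if it must be refused.
function resolveInsideBase(string $base, string $name): ?string {
    // Accept only a single directory entry name: no separators at all, so "..", "..\x",
    // "sub/../x" and absolute paths are refused before the filesystem is touched.
    if ($name === '' || $name === '.' || $name === '..' || preg_match('~[\\\\/]~', $name)) {
        return null;
    }
    // realpath() resolves junctions/symlinks and returns false for non-existent targets.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    // Prefix test with the separator appended so "addons2" is not taken to be inside "addons".
    // strncasecmp because NTFS paths are case-insensitive.
    if (strncasecmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Recursive delete using SPL iterators; children are visited before their parent directory.
function rrmdir(string $dir): void {
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    rmdir($dir);
}

if (isset($_POST['file'])) {
    $target = resolveInsideBase($base, (string) $_POST['file']);
    if ($target === null) {
        http_response_code(400);
        exit('Refused: not an entry directly inside the addons folder.');
    }
    is_dir($target) ? rrmdir($target) : unlink($target);
    echo 'Deleted: ' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
}
```

Note that the page should still sit behind the authentication Jake mentions; the containment check only limits what an authenticated request can delete.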

Offline Jake
Re: A PHP Solution
« Reply #2 on: March 01, 2015, 03:52:49 PM »
I'm not using HTTP authentication, but I already have an OpenID/Steam authentication in place before people can access this page. It's part of a larger project. The main thing I wanted was to make sure it would be impossible for anyone to send malicious POST data to traverse the directory tree to somewhere I didn't want them to, even though in theory only authorized users would have access to this resource to start with.

So I could take the realpath substring length of the POSTed directory, and make sure that it is C:\sg\darkrp\garrysmod\addons? And + is the correct concatenation operator? I was using . or something I think... I was also confused why they named the function unlink, I wasn't thinking it would delete because I remember that on *nix systems it is used to remove a symbolic or hard link, which may not actually be the original file, but it appears to have the desired effect on a windows system.

Next up is how to use PHP to execute a batch file on my system. I wrote a small batch that essentially executes another program for FastDL sync (as gmod caps DL at 20kb/s), but this program can take a while to complete compressing and copying files. Does something like system("C:\program.bat") work? This particular program requires me to press enter when it is finished; is there a way I could get a program to do this for me? And would the program have to hold up the entire PHP while it takes its 10+ minutes to complete? Any ways around this if that is the case? I feel like all the things I'm trying to do have horrible security concerns.

Would I be better off writing something to run on the system rather than attempting to do all this through PHP? I want these functions to be accessible from the web, so that I can use them.
« Last Edit: March 01, 2015, 04:09:42 PM by Jake »

Offline Celestialkey
Re: A PHP Solution
« Reply #3 on: March 05, 2015, 09:04:41 PM »
Quote from: Jake
Next up is how to use PHP to execute a batch file on my system. I wrote a small batch that essentially executes another program for FastDL sync (as gmod caps DL at 20kb/s), but this program can take a while to complete compressing and copying files. Does something like system("C:\program.bat") work? This particular program requires me to press enter when it is finished; is there a way I could get a program to do this for me? And would the program have to hold up the entire PHP while it takes its 10+ minutes to complete? Any ways around this if that is the case? I feel like all the things I'm trying to do have horrible security concerns.

Would I be better off writing something to run on the system rather than attempting to do all this through PHP? I want these functions to be accessible from the web, so that I can use them.

Due to the inherent nature of PHP and what it is designed to do, your best option would be to write an extension for it if you want it to communicate with an outside application. I'm not very familiar with the process, but the link below is a good starting spot. What you are trying to do goes against the SOP for PHP; if you half-ass it and work through lots of different "workarounds" you will end up creating a convoluted system that would inherently be far more vulnerable to outside hacks, abuse or internal errors than you would doing it via an extension.

http://devzone.zend.com/303/extension-writing-part-i-introduction-to-php-and-zend/