  1. #1
    SitePoint Enthusiast, joined Nov 2007, 74 posts

    how to secure log files on open server

    I have a homepage on a webhotel where I cannot do any chmod (cheap server).

    I am working on creating log files, and a system to automatically control them: create new log files if the old one is too big, delete old files if the folder is too big, open the last used one, or create a new one if the old one is too big. Just so I can go on vacation and not worry about log file maintenance. That's done.

    The homepage is made with ZF, and I have managed to find a way to display the content of the log file.

    My concern:
    Hopefully Apache is running as a separate user with privileges to create, read, write and delete, and the visitors do not get to create, write or delete, but I'm not sure how to check for that (I have no access to the config).

    I was thinking of logging to a .php file. Then I could add some code at the beginning to check for something like ????? and in that way not show the content of the log file. Maybe some kind of define, and die if not set? Then my homepage could set it and show it.

    Next concern is log file poisoning... not sure how to avoid that in a practical way. Maybe open the file with fopen, skip some text to get past the check, and escape the rest...?

  2. #2
    SitePoint Wizard bronze trophy, joined Jul 2008, 5,757 posts

    Well, web visitors almost never get the ability to directly modify files. However, especially in budget PHP hosting, other users who have websites on the same server often have the same access to all files on the server (including your files). This is a typical mod_php setup. Web visitors can exploit a script, which means they gain file privileges.

    Putting a check for a constant at the top of the log file would be effective to prevent a web visitor from requesting the file directly via the url. It won't help against anyone who has filesystem access though, as those people can probably read/write/delete/create as much as they like.

    I'm not sure what you mean by log file poisoning.

  3. #3
    SitePoint Enthusiast, joined Nov 2007, 74 posts

    Log file poisoning...
    someone who adds PHP code to your log file, which gets executed when I view the file in my application.

    Simplest form is when I log an actual variable for a user. Could happen: "user tried to log in with $username".

  4. #4
    SitePoint Enthusiast, joined Dec 2008, 63 posts

    PHP Code:
    <?php exit; ?>
    //Your data here. To access data you can use php file() command.
    //if you open this file by typing url you will see a blank page only.

  5. #5
    SitePoint Wizard bronze trophy, joined Jul 2008, 5,757 posts

    PHP code doesn't execute when you read it. You would need to execute it in some way, like include(), eval() or requesting the .php file via URL.
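Putting the thread's pieces together as an added example (not code from any poster): a .php log whose first line is the exit guard from post #4, entries flattened and HTML-escaped at write time so a poisoned line (post #3) is stored as inert text, size-based rotation, and read-back with file() as post #5 describes. The directory, file name pattern and 1 MiB limit are assumptions; it does nothing about other shared-hosting users who already have filesystem access (post #2).

```php
<?php
// Added example (not from this thread). Log lines are appended to a .php file
// whose first line is the exit guard from post #4, so a direct URL request
// shows a blank page. Entries are read back with file(), never include()d.
declare(strict_types=1);

const LOG_GUARD = "<?php exit; ?>\n";
const LOG_MAX_BYTES = 1024 * 1024; // rotate when a file exceeds 1 MiB (assumed limit)

// Keep one entry per line and store it already HTML-escaped.
function sanitizeLogMessage(string $msg): string
{
    $msg = str_replace(["\r", "\n"], ['\\r', '\\n'], $msg); // no injected extra lines
    // '<?php ...' becomes '&lt;?php ...', so the stored line is neither a PHP tag
    // nor live HTML when echoed by the viewer page.
    return htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
}

// Pick the newest app-*.log.php, or start a new one when the newest is too big.
function currentLogFile(string $dir): string
{
    $files = glob($dir . '/app-*.log.php') ?: [];
    sort($files); // names carry a timestamp, so lexical order is time order
    $latest = end($files);
    if ($latest !== false && filesize($latest) < LOG_MAX_BYTES) {
        return $latest;
    }
    return sprintf('%s/app-%s.log.php', $dir, date('Ymd-His'));
}

function appendLog(string $dir, string $msg): string
{
    $file = currentLogFile($dir);
    if (!file_exists($file)) {
        file_put_contents($file, LOG_GUARD, LOCK_EX); // guard must be the first line
    }
    file_put_contents($file, date('c') . ' ' . sanitizeLogMessage($msg) . "\n", FILE_APPEND | LOCK_EX);
    return $file;
}

// Read entries back as plain text: file() only returns lines, it never executes them.
function readLog(string $file): array
{
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    array_shift($lines); // drop the <?php exit; ?> guard line
    return $lines;      // already escaped at write time, safe to echo in the viewer
}

$file = appendLog(sys_get_temp_dir(), "user tried to log in with <?php echo 'x'; ?>\nfake line");
print_r(readLog($file));
```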