
Trying to locate file output

Moderators: OldWolf, re*s.t.a.r.s.*2


Postby theworld » Sun Dec 31, 2006 10:31 pm

Hello, this is in reference to the bug report [ 1619766 ] Several security fail -

I know you are actively working on this, and I have spent the better part of the night looking at this also, but I am still feeling my way through the code.

My initial approach is to try to determine WHERE the contents of the cache file are loaded. As close as I have come is the file_put_contents function in pfctools.class.php

Am I even close? :)

I am trying to pick out those elements and then prevent them from being written to the file. I'm not sure if this is even a good approach since those elements appear to be read from the file as needed. I thought at least that would put me on the right track...


There is another element in that cache file that should not be seen, and that is the admin's user and password. I'm sure you have already seen that, but in case you haven't...
theworld
Member
 
Posts: 10
Joined: Wed Dec 27, 2006 12:54 am

Postby theworld » Mon Jan 01, 2007 7:16 am

I think I enjoy talking to myself.. and working on New Year's Eve. Anyway, I've spent the day poring over pfcglobalconfig.class.php and mysql.class.php and I have some ideas. If I was any good I would have already finished ;-)

Have been able to prevent the pwd from printing to the cache, but that presents obvious problems. I spent the better part of the day pondering several possible solutions - one is finally taking shape, but it is late and I am tired, so I'll sleep on it for a while. The process seemingly will require encryption and decryption. Any thoughts or comments are appreciated.
theworld
Member
 
Posts: 10
Joined: Wed Dec 27, 2006 12:54 am

Postby mikez » Mon Jan 01, 2007 7:58 pm

I should add that my site, which is remotely hosted on a dedicated server, unexpectedly went offline due to a network script being 'mysteriously' deleted.

I'm not attributing it to a security breach via PFC, although at this point the exact cause is still unknown.

My server needed a complete OS reinstall and had to be moved over to a new box.

No worries, I still have my data. But stuff like this always raises red flags concerning ANY possible security holes in web applications.
mikez
Member
 
Posts: 29
Joined: Wed Dec 13, 2006 1:24 am

Postby theworld » Mon Jan 01, 2007 11:07 pm

Judicious use of an .htaccess will prevent anyone from directly viewing the cache file, but will not prevent a malicious script.
theworld
Member
 
Posts: 10
Joined: Wed Dec 27, 2006 12:54 am
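
An added example, not code from phpFreeChat or from the posters above: one way to keep the admin password out of the cache file discussed in this thread is to cache only a one-way hash and to write the file with owner-only permissions, so that neither a direct request nor a script that reads the file sees the plaintext. The config layout (an `admins` array), the function names and the cache path are assumptions made for illustration.

```php
<?php
// Added example; config keys, function names and cache path are hypothetical,
// not phpFreeChat's own.

/** Replace each plaintext admin password with a one-way hash before caching. */
function hash_admin_passwords(array $config): array
{
    foreach ($config['admins'] as $user => $password) {
        // Skip values that are already hashes so the function is idempotent.
        if (empty(password_get_info($password)['algo'])) {
            $config['admins'][$user] = password_hash($password, PASSWORD_DEFAULT);
        }
    }
    return $config;
}

/** Write the cache atomically, readable and writable by the owner only. */
function write_cache(string $path, array $config): void
{
    $tmp = $path . '.' . bin2hex(random_bytes(4)) . '.tmp';
    $old = umask(0077);                      // new file is created with mode 0600
    $ok  = file_put_contents($tmp, serialize($config), LOCK_EX);
    umask($old);
    if ($ok === false || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("cannot write cache: $path");
    }
}

/** Check a login attempt against the cached hash; no decryption is involved. */
function check_admin(string $path, string $user, string $password): bool
{
    // allowed_classes=false: never instantiate objects from cache contents.
    $config = unserialize(file_get_contents($path), ['allowed_classes' => false]);
    $hash   = $config['admins'][$user] ?? null;
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample data.
$config = ['title' => 'demo chat', 'admins' => ['admin' => 'constructed-sample-pw']];
$cache  = sys_get_temp_dir() . '/pfc_example_cache.php';
write_cache($cache, hash_admin_passwords($config));

var_dump(strpos(file_get_contents($cache), 'constructed-sample-pw') === false);
var_dump(check_admin($cache, 'admin', 'constructed-sample-pw'));
var_dump(check_admin($cache, 'admin', 'wrong-guess'));
unlink($cache);
```

This only covers credentials the application verifies itself; a secret the application must present elsewhere in plaintext cannot be replaced by a hash.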