[xdebug-general] Re: excluding code or variables possible?

From: Werner Flamme <werner.flamme[@]ufz.de>
Date: Tue, 26 Jun 2012 14:49:15 +0200

Jerry Stuckle [26.06.2012 14:21]:
> Heck, it's even easier:
> <?php readfile ($_SERVER['DOCUMENT_ROOT'] . '/index.php'); ?>
> Displays the contents of index.php on the user's screen.
> There is no security if they have access to the server.

Really? I never guessed. Maybe you wonder why I mentioned to include a
file manager in the code when I wasn't aware of functions like
readfile() or file_get_contents()? Plus, I asked about the source code
of a special function. This function may be anywhere in the 1000+
PHP source files on the server.

Plus: in the meantime, I found out that Derick's trick does not work
here, since he only sources the file: the file is obfuscated by some
commercial product (not just ROT-13). So I see the file content, but
it's not the source code of the function. The de-scrambling takes
place on the server, by a closed-source binary, during runtime.

Another problem is that xdebug shows every variable when the code is
inspected. So, though we use a "password safe", the content of it can
be seen while debugging, and everyone can look at everyone else's
passwords. This might not be desirable.


> On 6/26/2012 4:17 AM, Werner Flamme wrote:
>> Derick Rethans [25.06.2012 19:36]:
>>>> On Mon, 25 Jun 2012, Werner Flamme wrote:
>>>>> Is there a chance that I can read the source code of a
>>>>> function just by invoking PHP methods, right out of memory,
>>>>> because I do not know the file name and directory of the
>>>>> code? Or do I have to include a file manager in the code,
>>>>> tap through every directory, open every PHP source file?
>>>> Quite easily:
>>>> <?php $r = new ReflectionFunction('secret'); $f =
>>>> file($r->getFileName()); /* getStartLine() is 1-based, file() is 0-based */
>>>> var_dump(array_slice($f, $r->getStartLine() - 1,
>>>> $r->getEndLine() - $r->getStartLine() + 1)); ?>
> Derick,
> thanks a lot! I quoted the code to the Chief Developer[tm] :-)
> I'll have a closer look at the variables now. The superglobals are
> transformed into standard variables and emptied then. Maybe
> $GLOBALS will help me.
> Regards, Werner

--
Werner Flamme, Abt. WKDV
Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
Helmholtz Centre for Environmental Research - UFZ
Permoserstr. 15 - 04318 Leipzig / Germany
Tel./phone: +49 341 235-1921 - Fax +49 341 235-451921
Information nach §§ 37a HGB, 35a GmbHG:
Sitz der Gesellschaft: Leipzig
Registergericht: Amtsgericht Leipzig, Handelsregister Nr. B 4703
Vorsitzender des Aufsichtsrats: MinDirig Wilfried Kraus
Wissenschaftlicher Geschäftsführer: Prof. Dr. Georg Teutsch
(Scientific Managing Director)
Administrative Geschäftsführerin: Dr. Heike Graßmann
(Administrative Managing Director)

Received on Tue Jun 26 2012 - 13:49:16 BST
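As an added example (not code from the thread or from Xdebug), here is one way to keep a "password safe" entry out of var_dump()/print_r() output: a wrapper class with a __debugInfo() method (PHP 5.6 and later). The class name SecretString, the sample secret and the reveal() method are constructed for this example. The caveat is in the comments: __debugInfo() only changes what var_dump()/print_r() show; a debugger client stepping through the code reads the raw property over DBGp, so this does not hide the value from someone inspecting variables in the debugger.

```php
<?php
// Added example, not from the thread. Mitigates the "var_dump shows the
// password safe" case: the secret is redacted in var_dump()/print_r().
// Caveat: a debugger's variable view (DBGp property_get) reads the raw
// property, so this does NOT protect against interactive inspection.

final class SecretString
{
    private string $value;   // typed properties need PHP >= 7.4

    public function __construct(string $value)
    {
        $this->value = $value;
    }

    // Only code that explicitly asks for the secret gets it.
    public function reveal(): string
    {
        return $this->value;
    }

    // Redacted representation used by var_dump() and print_r().
    public function __debugInfo(): array
    {
        return ['value' => '[redacted, ' . strlen($this->value) . ' bytes]'];
    }

    // Keep the secret out of accidental string conversions as well.
    public function __toString(): string
    {
        return '[redacted]';
    }
}

// Constructed sample: a "password safe" with one entry.
$safe = ['db' => new SecretString('s3cr3t-example')];

var_dump($safe);                        // value => "[redacted, 14 bytes]"
echo $safe['db']->reveal(), PHP_EOL;    // only an explicit caller sees it
```

Storing the secret in an object rather than a plain string also means it never appears in $GLOBALS or a superglobal as clear text, which narrows where a debugger session can pick it up; the raw property is still visible to anyone who can attach a debugger and expand the object.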