[xdebug-general] Re: excluding code or variables possible?

From: Jerry Stuckle <jerry[@]smartechhomes.com>
Date: Tue, 26 Jun 2012 09:11:00 -0400

If I have access to the server, it is a simple matter to track down the
include files. One does not have to look through all 1000+ files. Even
with knowing nothing about your system I suspect I could have your
"special function" dumped in an hour or two. It's not that hard.

As for it being "obfuscated by some commercial product" - there isn't a
product out there which can't be easily broken by someone with a little
PHP experience. Even those which are supposedly "de-scrambled by a closed
source binary at runtime".

You are only fooling yourself if you think your code is secure.

On 6/26/2012 8:49 AM, Werner Flamme wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jerry Stuckle [26.06.2012 14:21]:
>> Heck, it's even easier:
>>
>> <?php readfile ($_SERVER['DOCUMENT_ROOT'] . '/index.php'); ?>
>>
>> Displays the contents of index.php on the user's screen.
>>
>> There is no security if they have access to the server.
>>
>>
>
> Really? I never guessed. Maybe you wonder why I mentioned including a
> file manager in the code if I wasn't aware of functions like
> readfile() or file_get_contents()? Plus, I asked about the source code
> of a special function. This function may be anywhere in the 1000+
> PHP source files on the server.
>
> Plus: in the meantime, I found out that Derick's trick does not work
> here, since he only sources the file: the file is obfuscated by some
> commercial product (not just ROT-13). So I see the file content, but
> it's not the source code of the function. The de-scrambling takes
> place on the server, by a closed-source binary, during runtime.
>
> Another problem is that xdebug shows every variable when the code is
> inspected. So, though we use a "password safe", its contents can
> be seen while debugging, and everyone can look at everyone else's
> passwords. This might not be desirable.
>
> Regards,
> Werner
>
>
>> On 6/26/2012 4:17 AM, Werner Flamme wrote:
>>> Derick Rethans [25.06.2012 19:36]:
>>>>> On Mon, 25 Jun 2012, Werner Flamme wrote:
>>>>>
>>>>>> Is there a chance that I can read the source code of a
>>>>>> function just by invoking PHP methods, right out of memory,
>>>>>> because I do not know the file name and directory of the
>>>>>> code? Or do I have to include a file manager in the code,
>>>>>> tap through every directory, open every PHP source file?
>>>>>
>>>>> Quite easily:
>>>>>
>>>>> <?php
>>>>> $r = new ReflectionFunction('secret');
>>>>> $f = file($r->getFileName());
>>>>> // file() is 0-indexed, getStartLine() is 1-indexed: shift by one and
>>>>> // count both the declaration line and the closing line.
>>>>> var_dump(array_slice($f, $r->getStartLine() - 1, $r->getEndLine() - $r->getStartLine() + 1));
>>>>> ?>
>>
>> Derick,
>>
>> thanks a lot! I quoted the code to the Chief Developer[tm] :-)
>>
>> I'll have a closer look at the variables now. The superglobals are
>> transformed into standard variables and then emptied. Maybe
>> $GLOBALS will help me.
>>
>> Regards, Werner
>>
>>
>
> - --
> Werner Flamme, Abt. WKDV
> Helmholtz-Zentrum für Umweltforschung GmbH - UFZ
> Helmholtz Centre for Environmental Research - UFZ
> Permoserstr. 15 - 04318 Leipzig / Germany
> Tel./phone: +49 341 235-1921 - Fax +49 341 235-451921
> Information nach §§ 37a HGB, 35a GmbHG:
> Sitz der Gesellschaft: Leipzig
> Registergericht: Amtsgericht Leipzig, Handelsregister Nr. B 4703
> Vorsitzender des Aufsichtsrats: MinDirig Wilfried Kraus
> Wissenschaftlicher Geschäftsführer: Prof. Dr. Georg Teutsch
> (Scientific Managing Director)
> Administrative Geschäftsführerin: Dr. Heike Graßmann
> (Administrative Managing Director)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.18 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk/pr8sACgkQk33Krq8b42Mx+gCeNFVoInusBxN+CZSXDpc+BYVk
> KZEAn09/Ks7MmXjosnFmOTbbAhH35AcR
> =lIUQ
> -----END PGP SIGNATURE-----
Received on Tue Jun 26 2012 - 14:11:20 BST
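Added example (not code from this thread or from the Xdebug project) showing the point Derick's snippet and Jerry's reply make: once code runs inside the PHP process that loaded the application, you do not need to know which of the 1000+ files defines a function, because the engine already knows. It goes beyond the one-function case by walking every user-defined function and every method (private ones included) via Reflection and dumping their exact source lines, with the file()/getStartLine() off-by-one handled. The functions secret() and Vault::unlock() are constructed sample targets so the script runs stand-alone; drop it anywhere the application's code is loaded (or prepend the real entry point with it) to dump the real code base instead.

```php
<?php
// Added example, not from the original thread. Dumps the source of every
// user-defined function and method in the running PHP process without
// knowing where on disk they live.

/** Constructed sample target so this file runs on its own. */
function secret(string $user): string
{
    $salt = 'constructed-sample-salt';
    return hash('sha256', $salt . $user);
}

class Vault
{
    /** Constructed sample method; private, to show visibility is no barrier. */
    private function unlock(): string
    {
        return 'vault-open';
    }
}

/**
 * Return the exact source lines of a function or method, or null for an
 * internal (C-implemented) function that has no PHP source file.
 * file() returns a 0-indexed array while getStartLine() is 1-indexed, so the
 * offset is shifted by one and the count includes the closing line.
 */
function dumpSource(ReflectionFunctionAbstract $r): ?string
{
    $file = $r->getFileName();
    if ($file === false) {
        return null; // internal function: nothing on disk to read
    }
    $lines = file($file);
    $start = $r->getStartLine() - 1;
    $count = $r->getEndLine() - $r->getStartLine() + 1;
    return implode('', array_slice($lines, $start, $count));
}

// 1. Plain functions: the engine records the defining file for each one.
foreach (get_defined_functions()['user'] as $name) {
    $r = new ReflectionFunction($name);
    printf("== function %s() in %s:%d\n%s\n",
        $name, $r->getFileName(), $r->getStartLine(), dumpSource($r));
}

// 2. Methods of every loaded user class, regardless of visibility.
foreach (get_declared_classes() as $class) {
    $rc = new ReflectionClass($class);
    if ($rc->isInternal()) {
        continue; // skip classes shipped with PHP or extensions
    }
    foreach ($rc->getMethods() as $m) {
        if ($m->getDeclaringClass()->getName() !== $class) {
            continue; // inherited methods are dumped with the class that declares them
        }
        printf("== %s::%s() in %s:%d\n%s\n",
            $class, $m->getName(), $m->getFileName(), $m->getStartLine(), dumpSource($m));
    }
}
```

Two caveats a practitioner should keep in mind. Reflection reads the file from disk, so for a file that a commercial encoder decodes at runtime this prints the encoded bytes, exactly as Werner observed; the decoded code still exists as opcodes in the same process, and an opcode-dumping extension loaded into that process can expose it, which is the basis of Jerry's claim that such products only raise the cost. And the script only needs to be executed by the application's PHP process, so any path to code execution on the server (a writable web root, a deployment account, an include of attacker-controlled content) is enough; file permissions on individual source files do not help once the interpreter has read them.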

This archive was generated by hypermail 2.2.0 : Mon Jun 25 2018 - 06:00:04 BST