Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: How secure is PHP ?
From: Matt <smp.repicky () gmail com>
Date: Fri, 5 Nov 2004 15:53:25 -0500

I was actually thinking of a way to incorporate it into an already
existing network setup that they probably have.  Most universities
still run LDAP access to information for student directory purposes. 
It also is easy to authenticate against without requiring extra
special permissions or having people register to use the website with
new user accounts.  Of course authenticating against an apache
htpasswd is do-able.

As far as storing the information, i forgot what the beginning of the
posted question was and was going by what JB was saying instead of
what Nayana first posted.  If you're using a L-A-M-P system you could
make separate users in the mysql database for each student.  That
would keep students from seeing each other's data.  Depending how you
want to set up tables and access rights becomes a database issue of
design for grants and such, but it wouldn't be hard to make a new user
in the database with a database script called by the php interface.

Once a user is authenticated through LDAP then you know that it's not
someone typing in their username incorrectly.  If the user account
exists in the database, you can allow the student back through to see
their own data and edit, add, remove whatever you see that the project
requires their access to be.  If the user doesn't exist, you can then
run a user creation script which gives predetermined roles and privs
to the user.  Remember it's all SQL anyways, just set up a file with
the commands and then feed it the user and password from the php
interface to create the user with specified password.

Each student can get their own table for storing information in the
database and then the database can take it all and bring it to a
central store table accessible by someone with higher privs if that's
part of what you're looking for.

If you wanted to go deep enough, you could even write a php interface
for the higher privileged user to access the data and see it all in
pretty tables or graphs or however the information is to be displayed.


On Fri, 5 Nov 2004 09:56:57 -0800 (PST), Gary E. Miller <gem () rellim com> wrote:
Hash: SHA1

Yo Matt!

On Fri, 5 Nov 2004, Matt wrote:

There is actually a very easy way around this.  If you are running an
LDAP or AD environment, you can use the LDAP to authenticate the
users, then once the user is authenticated, take the username and
store that into a variable which you can then use to chown and chgrp
the resulting files for that user after they are written.

You do not need LDAP or AD for this.  Apache can happyly validate
against the local /etc/password or an htpasswd file.  Then use suexec to
get the perms right.  All the config you need for this will fit nicely
in your httpd.conf.

OTOH, you better have a better than average Apache Admin to noodle this

- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem () rellim com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

Version: GnuPG v1.2.3 (GNU/Linux)


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]