Comments:
<0> section-
<1> What automated vulnerability scanner do you use to test your LAMP servers?
<0> a black cloth, I cover the LAMP, see if it shines through.
<2> nessus
<3> ryty: i don't know what to look for ... i find nothing with section ..
<4> Warning: move_uploaded_file(): open_basedir restriction in effect. File(/var/www/4.jpg) is not within the allowed path(s): (/var/users:/tmp:/usr/local/hmc/htdocs/default:/usr/lib/php) in /var/users/pdnz/p2psouthpacific.com/htdocs/admin/misc.php on line 36
<4> There was an error uploading the file, please try again!
<4> yikes =(
<4> I've tried a few different directories
<5> I'm doing an admin login and basically I want to secure everything inside the /admin directory. What I was going to do is simply put an if($_SESSION['admin_username'] and $_SESSION['admin_password']) then check that in the database and if it matches, display page, if not then forward to the /admin/login page. Am I on the right track? What would I do about include files, images, etc? Well mainly just worried about the includes
<6> Warning: main(): open_basedir restriction in effect. File(/var/www/vhcs2/gui/include/vhcs-lib.php) is not within the allowed path(s): (/var/www/virtual/dolox.com/:/usr/share/php/:/tmp/) in /var/www/virtual/dolox.com/htdocs/rau3.php on line 20
<2> kritical: i believe the default upload dir is /tmp, but you can change it in your php.ini
<0> mugger: mostly works. I would have it use an md5sum of the pass against an md5sum of the correct password
<6> can't anyone help me with this?
<5> ryty: yeah of course
<5> ryty: will definitely have it md5ed as the pass is stored as an md5 hash inside the database
<0> mugger: sounds alright then, just add it to every page
<7> Sal: what in the error don't you understand?
<6> Warning: main(): open_basedir restriction in effect. File(/var/www/vhcs2/gui/include/vhcs-lib.php) is not within the allowed path(s): (/var/www/virtual/dolox.com/:/usr/share/php/:/tmp/) in /var/www/virtual/dolox.com/htdocs/rau3.php on line 20
<6> err sorry
<6> wrong paste
<6> open_basedir = /var/www/vhcs2:/var/www/virtual/dolox.com/:/usr/share/php/:/tmp/
<6> that is set in my ini file
<6> so i don't understand the error
<6> ;l
<8> Either wrong INI file or you just made that change and haven't restarted your webserver yet
<6> i restarted apache
<6> :l
<8> Then it's the wrong INI file.
<8> QED
<6> /etc/php4/apache2/php.ini
<6> /etc/php4/cli/php.ini
<6> i set it in both of them :l
<8> PHP is looking somewhere else then
<8> Consule phpinfo()
<2> phpinfo() will tell you where it is looking, i think.
<0> Sal: phpinfo.
<8> Consult rather
<7> Pollita: you saw that the session handler calls write() no matter what? tested
<6> phpinfo ?
<0> <?php phpinfo(); ?>
<9> :)
<7> i already ate it
<6> ./var/www/virtual/dolox.com/:/usr/share/php/:/tmp//var/www/vhcs2:/var/www/virtual/dolox.com/:/usr/share/php/:/tmp/
<6> its not registering locally
<6> but is globally
<6> :l
<0> Sal: there's your prob
<6> how can i fix it gloablly?
<6> err locally**
<0> no se
<6> ryty ?
<10> im getting a reg_badbr error with this "^( _ | [a-z]){2, }$" can anyone see what's wrong with it?
<7> reg_badbr?
<7> well for starters that isn't a valid regex expression
<0> Sal?
<11> is badbr - bad breath?
<12> general slightly OT question: can anyone recommend a decent merchant service?
<13> lig: :)
<7> soconnor: it would help when asking that, being more specific
<14> is there any way that $_SERVER['REMOTE_ADDR'] could contain anything other than an ip address?
<7> litage: a proxy?
<3> if you start from the command line =)
<0> litage: no.
<7> or a bad webserver not setting the var correctly
<3> ryty: what else can i do to make my logfile stuff going? (file permission)
<14> zircu, ryty: i'm just wondering if i should validate the value of $_SESSION['REMOTE_ADDR'] before using it
<3> to create files
<7> or you typed it wrong
<8> REMOTE_ADDR is populated by the server, not the client, it's safe-enough
<12> zircu: basically a way for a to accept payment through credit cards... i can handle the cart-end, but the https business is out of my league
<0> litage: not $_SESSION['REMOTE_ADDR']
<8> Though a quick run through long2ip((int)ip2long($_SERVER['REMOTE_ADDR'])) wouldn't hurt...
<13> soconnor: PayPal?
<7> soconnor: well, there is authoriznet
<14> ryty: not sure what you just said there...
<0> I wasn't sure what you just said either.
<8> litage: He said that you're thinking of the wrong superglobal
<12> tws: i've heard of paypal losing orders and other problems
<0> font color="#AF7F00">litage: zircu, ryty: i'm just wondering if i should validate the value of $_SESSION['REMOTE_ADDR'] before using it
<0> damn html client.
<12> zircu: i was looking at authizenet, but they have this vendor thing going on?
<7> soconnor: you will need some sort of gateway
<3> ryty: i've set all files and folders to +wx, but my log function cannot create a file =(
<0> defbyte: could always create a file using passthru() and then edit it
<7> well validate would require a reverse lookup match
<15> soconnor: how are you going to process the cards?
<12> zircu: ya, ideally something like paypal ipn...
<12> Rubberneck: ideally i wouldn't, simply post a "merchant-id" and amount to charge, and receive a post back
<3> ryty: how to create a file with exec? (and is this method also ok for my webspace?)
<3> (because the code works on the webspace ... only on my server i have problems)
<16> I have a problem, i have a domain in dyndns.org, and i'm writing an application.. i'm using $_SESSION array to store values among pages.. in some place of my code, i need to redirect the page to another, but if i use my dyndns domain in header("Location") instead of "localhost" it doesn't work...
<16> why?
<7> soconnor: there are other payment systems like that but paypal is pretty much the only one that does that
<15> soconnor: if you're using paypal they have all kinds of docs and sample code for using ipn and any of their other services on their developer network
<17> hey
<7> schnoods: i would suggest paypal's merchant account interface instead of their IPN stuff, it is as you understand troublesome
<18> JoelR: what means "does nto work" exactly?
<18> s/nto/not/
<7> soconnor: ^^
<15> soconnor: also pretty much any place that authorizes ccs for you will do the same
<16> jbpros: i mean that, $_SESSION is like empty, it doesn't show up anything..
<16> but if i do header("Location: http://localhost...");
<16> then it works..
<7> soconnor: the problem with IPN is there are too many places where things can go wrong and you don't know about it till someone says.. heh.. i purchased off your site but didn't get credits
<7> ipn supposedly has this callback in your callback script to tell them it is ok, but they ignore it
<15> zircu: i have used it on some sites a lot, don't really have lost transactions but there are times when they won't show up for hours
<17> if I include a file, will the contents of the included file be escaped back to HTML?
<7> Rubberneck: do you have a handler when someone pays by echeck to paypal?
<16> anyone..?
<18> JoelR: No idea, sorry.
<15> zircu: yeah they send that they have cleared now
<7> IamEthos: if you open <?php then close it ?> it will be back in html
<19> where can I find good video lessons for low on php?
<7> Rubberneck: have you ever had a parse error or logic error that doesn't call back to them? but they still process the transaction even though your callback didn't verify it?
<17> so if I just include(page.html); and page.html has no PHP in it at all, I should get erros?
<17> *errors?
<7> shouldn't*
<0> IamEthos: shouldn't.
<17> okay good
<15> zircu: no but yeah you are correct they will still take the payment from the person no matter what you tell them
<7> IamEthos: an include starts as HTML like any php file
<20> NIGHT!
<0> DAY!
<20> YAY!
<20> :)
<20> ryty please say goodnight
<0> nightgood
<7> Rubberneck: that is where there is a big flaw in the system, the callback script is supposed to verify and tell them the person is ok. if this isn't the case, then people can inject data rather easily
<20> well i know
<20> zircu night man
<20> ryty rusty yens thank you. say night!
<20> lol
<0> DAY!
<20> ARGERITH!
<17> zircu, right, got it.
<20> right you are thank you, say night good!
<7> that is why a direct interface where php talks to it is much better cause you can handle things all yourself
<7> what's with all these nights and days and nights?
<0> not sure
<12> zircu, Rubberneck: hey, sorry guys.. talked it over with the "client" and she conceded to paypal. zircu: what were you talking about in regards to the callback method in the callback script?
<21> What provides DB::Connect .. I assume it might be something I can install from apt?
<12> Woosta: PEAR i think... ?
<7> soconnor: it is defined in the paypal docs
<21> mmm .. it's there .. must be a problem in my include path
<7> Woosta: good conclusion, that is where i would look first