ionCube Forum Index -> ionCube PHP Encoder
Including an unencoded file

dv



Joined: 23 Aug 2009
Posts: 6

PostPosted: Sun Aug 23, 2009 9:05 pm    Post subject: Including an unencoded file Reply with quote

Hi,

I need to include an unencoded php config file in my project.

I can't encode the config file because it contains user configurable variables in it.

How do I prevent someone from injecting insecure PHP code inside the config file (such as echoing my other important $variables)?

What I read in the user guide is to use the include attack protection using properties, which I think is only applicable to the case of an unencoded file trying to include an encoded file.

How about my case, where an encoded file includes an unencoded file?

Is there any security feature of the ionCube Encoder that can help me solve the problem, or any approach that could solve it?

Thanks a lot.
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

PostPosted: Wed Aug 26, 2009 3:55 pm    Post subject: Reply with quote

I have the exact same setup with my kblinker product, the config is unencoded. However it's not usually an issue as long as the config is the first thing to be included at the top of the encoded files.

Since they can't echo out variables that haven't been created yet.

Out of curiosity, what kind of variables being known in your script would cause a security issue? There might be an alternative method to what you're doing that wouldn't pose as much of a risk.

Also, while an encoded file can include a non-encoded file, I don't believe the reverse is allowed (i.e. they couldn't include the encrypted file and then have echoes after that).

PS: as far as config files go, if you want to step up the security of it, don't store configurations in PHP but use a file format that cannot be executed, and use a function in your encoded file to read in the values. So something like config.xml outside of the web-accessible folder.
dv



Joined: 23 Aug 2009
Posts: 6

PostPosted: Wed Aug 26, 2009 5:42 pm    Post subject: Reply with quote

kblessing wrote:
I have the exact same setup with my kblinker product, the config is unencoded. However it's not usually an issue as long as the config is the first thing to be included at the top of the encoded files.

Since they can't echo out variables that haven't been created yet.


My script includes the config file whenever there is a need for a database call, so I guess it's not a one-time include. Another situation is the template files, which are written in PHP. This is the most tricky part for me as I'm implementing a simple licensing mechanism myself (I only hold the basic version of ionCube, FYI, which doesn't have the license, IP or expiry check functions). So there would be a good chance for a hacker to exploit from there.

kblessing wrote:

Out of curiosity, what kind of variables being known in your script would cause a security issue? There might be an alternative method to what you're doing that wouldn't pose as much a risk.


For example, a quick test on your product gives me some information like the following (I'm only using standard PHP functions to do this):

Variables:
[page] => links
[id] => 0
[reg] => 0

Constants:
[_host] => localhost
[_database] =>
[_usr] =>
[_pwd] =>
[_table] => links

Functions:
[0] => error
[1] => is_error
[2] => response_error
[3] => verify
[4] => check

I hope the variable 'reg' and the functions 'verify' or 'check' aren't related to license checking, are they? If not, there would be a possible threat there. =)

kblessing wrote:

Also, while an encoded file can include a non-encoded file, I don't believe the reverse is allowed (i.e. they couldn't include the encrypted file and then have echoes after that).


Yes, including an encoded file is not a problem since ionCube provides 'include attack protection' (using properties). I'm concerned about the other way around.

kblessing wrote:

PS: as far as config files go, if you want to step up the security of it, don't store configurations in PHP but use a file format that cannot be executed, and use a function in your encoded file to read in the values. So something like config.xml outside of the web-accessible folder.


Storing user configuration variables inside .xml, .ini, .txt etc. could expose the user's stored information. You know, anyone can just access these plain text files using a browser and your server / database access information is leaked out. =(

The current strategy I use is file_get_contents instead of the include functions. But it has its weaknesses =/ I'm wondering whether ionCube has another protection mechanism for this, which I think they don't. =(
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

PostPosted: Thu Aug 27, 2009 2:36 am    Post subject: Reply with quote

dv wrote:

My script includes the config file whenever there is a need for a database call, so I guess it's not a one-time include. Another situation is the template files, which are written in PHP. This is the most tricky part for me as I'm implementing a simple licensing mechanism myself (I only hold the basic version of ionCube, FYI, which doesn't have the license, IP or expiry check functions). So there would be a good chance for a hacker to exploit from there.


You could just simply include the database configuration once on any page that would normally use it, not include on the fly. By the way, I was using the online encoder for the early version of KBlinker for a while; as a result I wrote my own activation and phone-home scheme. I still use the same scheme, except the difference now is that instead of sending back an encrypted activation key, I send back an ionCube license generated by my server on the fly.

Quote:

For example, a quick test on your product gives me some information like the following (I'm only using standard PHP functions to do this):

Variables:
[page] => links
[id] => 0
[reg] => 0

Constants:
[_host] => localhost
[_database] =>
[_usr] =>
[_pwd] =>
[_table] => links

Functions:
[0] => error
[1] => is_error
[2] => response_error
[3] => verify
[4] => check

I hope the variable 'reg' and the functions 'verify' or 'check' aren't related to license checking, are they? If not, there would be a possible threat there. =)


reg is simply a $_GET parameter to allow a person to go to the about page in order to type in their activation code. When the license expires they can only get to the error page or the about page (by means of reg, which is in a link on the error page).

The better question however is... can you see the content of those functions, like the actual code behind them? There's nothing in the product by itself that could circumvent the protection, and since you can't re-declare functions you couldn't modify the code to skip verifications.

Besides, get_defined_functions() won't show you the source of those functions. If you're really paranoid, take the OOP route and make those variables private inside a class.

Quote:

Storing user configuration variables inside .xml, .ini, .txt etc. could expose the user's stored information. You know, anyone can just access these plain text files using a browser and your server / database access information is leaked out. =(


As I already explained, if they're kept outside of the web-accessible location (i.e. above public_html), then they can't be read. Of course you can also modify an .htaccess file to include a line such as...

RewriteRule file.name$ - [F]

which would make the file forbidden to browsers.

Quote:

The current strategy I use is file_get_contents instead of the include functions. But it has its weaknesses =/ I'm wondering whether ionCube has another protection mechanism for this, which I think they don't. =(


I don't think you can use file_get_contents or cURL because they behave like a web browser requesting a file; as a result the PHP gets executed before the response even shows up.
_________________
http://ionvz.com
dv



Joined: 23 Aug 2009
Posts: 6

PostPosted: Thu Aug 27, 2009 10:00 am    Post subject: Reply with quote

kblessing wrote:

By the way, I was using the online encoder for the early version of KBlinker for a while; as a result I wrote my own activation and phone-home scheme. I still use the same scheme, except the difference now is that instead of sending back an encrypted activation key, I send back an ionCube license generated by my server on the fly.


I'm wondering if you are using ioncube_write/read_file() for your earlier scheme? I'd be interested to know your scheme if you don't mind sharing. =) For the later scheme, it would require the Pro/Cerberus version already, right?

kblessing wrote:

reg is simply a $_GET parameter to allow a person to go to the about page in order to type in their activation code. When the license expires they can only get to the error page or the about page (by means of reg, which is in a link on the error page).

The better question however is... can you see the content of those functions, like the actual code behind them? There's nothing in the product by itself that could circumvent the protection, and since you can't re-declare functions you couldn't modify the code to skip verifications.

Besides, get_defined_functions() won't show you the source of those functions. If you're really paranoid, take the OOP route and make those variables private inside a class.


Well, if I can find out which variable I need to pass, then I could re-assign it and pass the verification check function (without needing to know the code inside the function/OO class). Anyhow, are you using the ionCube license check function or your own function?

kblessing wrote:

As I already explained, if they're kept outside of the web-accessible location (i.e. above public_html), then they can't be read. Of course you can also modify an .htaccess file to include a line such as...

RewriteRule file.name$ - [F]

which would make the file forbidden to browsers.


I think letting the customer know your product requires ionCube to run would already affect their purchasing decision, not to mention asking them to manually upload/move files to different folders, chmod-ing or configuring .htaccess etc. So, keeping the configuration in a PHP file would be enough for the time being (I hope). If I use template files, then it would mess up the user's root folder.

Quote:

I don't think you can use file_get_contents or cURL because they behave like a web browser requesting a file; as a result the PHP gets executed before the response even shows up.


Nope, the function is just like fopen; file_get_contents just skips the fopen/fclose steps, so it won't get executed, whereas 'include' or 'require' will execute the PHP file.

Hm, I was wondering if I can store some variable in ionCube and retrieve it for later use? In that case I'm safe from get_defined_vars()? (Does Nick notice my thread? -.-')
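The two points made above, kblessing's suggestion of a non-executable config read by a function in the encoded file and dv's observation that reading a file (as opposed to include/require) never executes it, combined into one loader, as an added example; this is not code from either poster or from ionCube. The file location (a private directory one level above the public folder), the key names and the hypothetical .ini contents are assumptions.

```php
<?php
// Added example, not kblessing's or ionCube's code: load settings from a
// non-executable INI file kept outside the web root instead of include()-ing
// a user-editable PHP file. Nothing in the file is ever executed:
// parse_ini_file() only yields scalars, so a value such as
//   host = "<?php var_dump(get_defined_vars()); ?>"
// is just a string and cannot read the encoded script's variables.
declare(strict_types=1);

// Hypothetical location: <install dir>/private/kblinker.ini, beside (not
// inside) the public folder so the web server never serves it.
const CONFIG_FILE = __DIR__ . '/../private/kblinker.ini';

// Keys the application accepts and the PHP type each must have (assumed).
const CONFIG_SCHEMA = [
    'host'     => 'string',
    'database' => 'string',
    'usr'      => 'string',
    'pwd'      => 'string',
    'table'    => 'string',
];

/**
 * Read and validate the configuration. Unknown keys are dropped, missing or
 * wrongly typed keys abort, and the file is refused if anyone can write it.
 */
function load_config(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("config not readable: $path");
    }
    // A world-writable config lets any local user redirect the DB connection,
    // which is the same risk as the "chmod 777" advice elsewhere in the thread.
    $perms = fileperms($path);
    if ($perms !== false && ($perms & 0002) !== 0) {
        throw new RuntimeException("config is world-writable: $path");
    }

    // INI_SCANNER_TYPED keeps "localhost" a string but turns "true"/"42"
    // into bool/int, so the type check below is meaningful.
    $raw = parse_ini_file($path, false, INI_SCANNER_TYPED);
    if ($raw === false) {
        throw new RuntimeException("config is not valid INI: $path");
    }

    $cfg = [];
    foreach (CONFIG_SCHEMA as $key => $type) {
        if (!array_key_exists($key, $raw) || gettype($raw[$key]) !== $type) {
            throw new RuntimeException("config key '$key' missing or not a $type");
        }
        $cfg[$key] = $raw[$key];
    }

    // A table name cannot be bound as a query parameter, so constrain it here
    // rather than interpolating whatever the file says into SQL.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $cfg['table'])) {
        throw new RuntimeException("config 'table' must match [A-Za-z0-9_]{1,64}");
    }
    return $cfg;
}

// Usage: the encoded script pulls values out of the returned array; it never
// include()s the file, so user-editable content cannot run as PHP.
$config = load_config(CONFIG_FILE);
$host   = $config['host'];
$table  = $config['table'];
```

The credentials are still readable by any script running as the same web-server user, which is the limitation Nick describes later in the thread; what this loader removes is the ability of config edits to execute inside the encoded code's scope.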
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2811

PostPosted: Thu Aug 27, 2009 11:12 am    Post subject: Reply with quote

Karl's comments are good and valid on this thread. If a user can execute PHP code via a configuration file or template, then certain PHP functions can reveal state, though this need not be an issue in practice, and you could store data encrypted. Don't forget that with PHP being open source, if an unauthorised user is able to execute scripts on a PHP installation that they can modify, then data passed to functions such as mysql_connect can be trivially exposed simply by modifying the mysql module or the underlying library code and rebuilding the PHP installation, so there are fundamental limitations to what can be achieved in terms of data protection with a PHP system.
_________________
Community Admin
dv



Joined: 23 Aug 2009
Posts: 6

PostPosted: Fri Aug 28, 2009 6:58 am    Post subject: Reply with quote

nick wrote:
Karl's comments are good and valid on this thread. If a user can execute PHP code via a configuration file or template, then certain PHP functions can reveal state, though this need not be an issue in practice, and you could store data encrypted. Don't forget that with PHP being open source, if an unauthorised user is able to execute scripts on a PHP installation that they can modify, then data passed to functions such as mysql_connect can be trivially exposed simply by modifying the mysql module or the underlying library code and rebuilding the PHP installation, so there are fundamental limitations to what can be achieved in terms of data protection with a PHP system.


Ok, understood. Looks like I have to settle the data manually then.
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

PostPosted: Sat Sep 05, 2009 4:25 am    Post subject: Reply with quote

dv wrote:
nick wrote:
Karl's comments are good and valid on this thread. If a user can execute PHP code via a configuration file or template, then certain PHP functions can reveal state, though this need not be an issue in practice, and you could store data encrypted. Don't forget that with PHP being open source, if an unauthorised user is able to execute scripts on a PHP installation that they can modify, then data passed to functions such as mysql_connect can be trivially exposed simply by modifying the mysql module or the underlying library code and rebuilding the PHP installation, so there are fundamental limitations to what can be achieved in terms of data protection with a PHP system.


Ok, understood. Looks like I have to settle the data manually then.


One approach I was looking at was saving the configuration file via the script itself (or the loader API). It makes it a tad difficult to debug when you have to encode and then test each time, but here's an example based on what would have been my config.php:

Code:

<?php
// $smarty is assumed to be a Smarty instance created earlier in the script.
$config_path = realpath('./')."/config";
if(file_exists($config_path))
{
   if(!is_writable($config_path))
   {
      echo "The file config in the KBLinker installation folder is not writable. Please make this file writable (ie: chmod 777) before proceeding.";
      exit();
   }
}
else
{
   if(!is_writable(realpath('./')))   // missing closing parenthesis added
   {
      echo "The file 'config' in the KBLinker installation folder cannot be found. Please ensure that the file exists (it can be empty) and that it is writable (ie: chmod 777) before proceeding.";
      exit();
   }
   else
      touch($config_path);
}
$host = $database = $usr = $pwd = $table = ""; // use whatever you use
// ioncube_read_file() sets $encrypted by reference: true when the file was encrypted
$encrypted = false;
$config = ioncube_read_file($config_path, $encrypted);
if($encrypted)
{
   $config_data = unserialize(base64_decode($config));
   if(!is_array($config_data))
   {
      // set defaults and go to the install screen,
      // where it will write a new config file with ioncube_write_file
      $page = "install";
      $smarty->assign('imsg', "Was unable to connect to database.");
      if(!file_exists(realpath("pages/install.php"))) { $page = "error"; $errmsg = "Unable to load requested page"; }

      include('pages/'.$page.'.php');
      $smarty->assign("page", $page);
      $smarty->display($page.".tpl");
      exit();
   }
   else
   {
      // Load the values from config such as $config_data['host']
   }
}
else
{
      // plaintext or empty config file: same route to the install screen as above
      $page = "install";
      $smarty->assign('imsg', "Was unable to connect to database.");
      if(!file_exists(realpath("pages/install.php"))) { $page = "error"; $errmsg = "Unable to load requested page"; }

      include('pages/'.$page.'.php');

      $smarty->assign("page", $page);
      $smarty->display($page.".tpl");
      exit();
}

Also because now you don't need to include a non-encoded file you can encode your projects with the following:

--include-if-property "variable='my_value'" --property "variable='my_value'"

This way only the files that were built with the project as a whole can be included into one another, or they would have to be read in via ioncube_read_file (which doesn't execute PHP unless you did something like eval()).

Also, as stated by the user guide, if you encrypt a non-PHP file (such as a Smarty template, or a serialized configuration array) without providing a passphrase, it can only be decrypted by files encoded with your specific encoder license; otherwise, if you pass a passphrase, any encoded file can decrypt it, assuming it provides the right passcode. So generally speaking don't pass a passcode for maximum security (as odd as that sounds).
_________________
http://ionvz.com
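The write-then-read-back scheme from the post above, as an added example that is not kblessing's config.php or ionCube's code. It assumes ioncube_write_file($path, $data) and ioncube_read_file($path, &$encrypted) behave as the post and the user guide describe (loader present, no passphrase, so only files encoded with the same encoder licence can decrypt the result, and a true return from the write call on success); the file path and key names are hypothetical. One deliberate swap from the post: the array is stored as JSON rather than serialize()/base64, so a tampered file can never trigger PHP object injection on load.

```php
<?php
// Added example, not kblessing's or ionCube's code: the encoded script itself
// writes and reads its configuration through the loader API, so no plain PHP
// config file is ever include()d and nothing in the file can execute.
declare(strict_types=1);

// Hypothetical file next to the encoded script, as in the post.
const CONFIG_PATH = __DIR__ . '/config';
// Keys the installer collects (assumed); everything else is discarded.
const CONFIG_KEYS = ['host', 'database', 'usr', 'pwd', 'table'];

/**
 * Persist the configuration. Called from the install page once the user
 * has entered working database details.
 */
function save_config(array $cfg): void
{
    // Never fall back to writing plaintext when the loader API is missing:
    // the file would then be readable by anyone who can read the directory.
    if (!function_exists('ioncube_write_file')) {
        throw new RuntimeException('ionCube loader API not available');
    }
    $clean = [];
    foreach (CONFIG_KEYS as $k) {
        if (!isset($cfg[$k]) || !is_string($cfg[$k])) {
            throw new InvalidArgumentException("config key '$k' missing or not a string");
        }
        $clean[$k] = $cfg[$k];
    }
    // JSON instead of serialize(): json_decode() cannot instantiate objects.
    $blob = json_encode($clean, JSON_THROW_ON_ERROR);
    // No passphrase argument on purpose: per the user guide, the file is then
    // only decryptable by code encoded with the same encoder licence.
    // Assumed: the call returns true on success.
    if (ioncube_write_file(CONFIG_PATH, $blob) !== true) {
        throw new RuntimeException('failed to write encrypted config');
    }
}

/**
 * Load the configuration, or return null when the installer must run.
 * A plaintext file is treated like a missing one: it means someone replaced
 * the file we wrote, so its contents are not trusted.
 */
function load_config(): ?array
{
    if (!function_exists('ioncube_read_file') || !is_file(CONFIG_PATH)) {
        return null;
    }
    $encrypted = false;   // set by reference: true if the file was encrypted
    $blob = ioncube_read_file(CONFIG_PATH, $encrypted);
    if (!is_string($blob) || !$encrypted) {
        return null;
    }
    $data = json_decode($blob, true);
    if (!is_array($data)) {
        return null;
    }
    foreach (CONFIG_KEYS as $k) {
        if (!isset($data[$k]) || !is_string($data[$k])) {
            return null;
        }
    }
    // Return only the whitelisted keys, in case the file carried extras.
    return array_intersect_key($data, array_flip(CONFIG_KEYS));
}

// Usage, mirroring the flow in the post: no usable config means the install
// page runs and eventually calls save_config() with what the user entered.
$config = load_config();
$page = ($config === null) ? 'install' : 'links';
```

Because the stored blob is only ever decoded by json_decode() and then type-checked key by key, an attacker who can overwrite the file gains at most the ability to point the application at a different database, which the same attacker already had by editing a plaintext config; what they lose is any way to run code inside the encoded script.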
dv



Joined: 23 Aug 2009
Posts: 6

PostPosted: Tue Sep 08, 2009 7:33 pm    Post subject: Reply with quote

kblessing wrote:

Also, as stated by the user guide, if you encrypt a non-PHP file (such as a Smarty template, or a serialized configuration array) without providing a passphrase, it can only be decrypted by files encoded with your specific encoder license; otherwise, if you pass a passphrase, any encoded file can decrypt it, assuming it provides the right passcode. So generally speaking don't pass a passcode for maximum security (as odd as that sounds).


Ya, sounds odd to me too. Mostly I encode with a passphrase.

Anyhow, I ended up writing a different scheme using AES instead of using ioncube_write/read_file(). 'Why', you ask? I've also forgotten why (the research was done weeks ago, and I'm now already occupied with other projects), but my guess is I wanted more control and flexibility over the encoded string. But ioncube_write/read_file() should be fine in terms of security. =)
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

PostPosted: Tue Sep 08, 2009 8:20 pm    Post subject: Reply with quote

dv wrote:
kblessing wrote:

Also, as stated by the user guide, if you encrypt a non-PHP file (such as a Smarty template, or a serialized configuration array) without providing a passphrase, it can only be decrypted by files encoded with your specific encoder license; otherwise, if you pass a passphrase, any encoded file can decrypt it, assuming it provides the right passcode. So generally speaking don't pass a passcode for maximum security (as odd as that sounds).


Ya, sounds odd to me too. Mostly I encode with a passphrase.

Anyhow, I ended up writing a different scheme using AES instead of using ioncube_write/read_file(). 'Why', you ask? I've also forgotten why (the research was done weeks ago, and I'm now already occupied with other projects), but my guess is I wanted more control and flexibility over the encoded string. But ioncube_write/read_file() should be fine in terms of security. =)


Well, in the manual it's talking about using a passphrase with the ioncube_write_file() function; if you do that then any encoded file can read the encrypted content provided you pass the correct passphrase to ioncube_read_file(), otherwise, when no passphrase is passed to ioncube_write_file(), only a file encoded by the same encoder can read the file.
_________________
http://ionvz.com