Logging - Revision history

Dirk: Added category

2008-03-07T13:12:42Z

Added category

Dirk: Fixed typos

2006-05-12T13:05:11Z

Fixed typos

THEMike: Rewritten, still awful though.

2006-03-11T21:14:13Z

Rewritten, still awful though.

Dirk: This is only a stub, but we'll have to start somewhere ...

2006-03-11T20:49:32Z

This is only a stub, but we'll have to start somewhere ...

New page

== Be careful what you log ==

This may sound odd at first but '''you should be careful what you log''' (in Geeklog's error.log or your own logfile).

The problem is that PHP will happily execute any PHP code it will find in the middle of a text file (''any'' file, actually), as long as it's properly enclosed in the <?php and ?> tags.

So while PHP code that gets logged into your error.log file is not an immediate problem, it ''will'' become a problem as soon as someone manages to include the logfile into a PHP script.

[Okay, I'm suffering from writer's block at this point. Someone more eloquent please rewrite and expand this ... [[User:Dirk|Dirk]] 15:49, 11 March 2006 (EST)]

← Older revision		Revision as of 13:12, 7 March 2008
Line 12:		Line 12:

	''Careful!'' remember, <?php ... ?> is not the only way of running PHP code. If enable_short_tags is set, <? .. ?> works. PHP can even be configured to use the ASP tags: <% ... %>. Or, the log files could be used to attack ASP scripts, Coldfusion scripts or anything else that is available on the server.		''Careful!'' remember, <?php ... ?> is not the only way of running PHP code. If enable_short_tags is set, <? .. ?> works. PHP can even be configured to use the ASP tags: <% ... %>. Or, the log files could be used to attack ASP scripts, Coldfusion scripts or anything else that is available on the server.
		+
		+
		+	[[Category:Development]]

@@ Line 1: / Line 1: @@
 == Be careful what you log ==
-The PHP interpretter engine will parse PHP out of any file, no matter what the extension, so long as it contains a valid PHP open tag. It doesn't matter what the rest of the content of the file, so long as it has a section of wrapped in the PHP tags, it will parse and (try to) execute that block of content.
+The PHP interpreter engine will parse PHP out of any file, no matter what the extension, so long as it contains a valid PHP open tag. It doesn't matter what the rest of the content of the file, so long as it has a section of code wrapped in the PHP tags, it will parse and (try to) execute that block of content.
-So, if you have a jpg file, that contains <?php echo('hello!'); ?> in the middle of the binary JPEG content and your PHP interpretter is asked to open that file, that block will be parsed and executed.
+So, if you have a jpg file, that contains <?php echo('hello!'); ?> in the middle of the binary JPEG content and your PHP interpreter is asked to open that file, that block will be parsed and executed.
 Geeklog provides several logging methods, including COM_errorLog, allowing you to log data to one of several files for the administrator to review. If someone crafts a cunning attack, they could arrange to have a block of PHP code logged into one of the core Geeklog log files, or your plugins custom log file.