
Is the attack possible?


ayan123


Hi All,

 

I have a website, say www.abc.com, and I have RSS feeds on this website. I allow a webmaster to get the code so that he can put the code on his website and generate content on his site.

 

The feed code which I provide him has a PHP class and a reference variable which points to the feed file on www.abc.com, e.g. $getfeed="http://www.abc.com/feed.php"; he can use the code and generate the content from abc.com on his website.

 

Now my question is: can someone attack my website through such a feed file or by any other means?

 

FYI, I am not giving the user any database access to www.abc.com; however, the feed file which he uses has a DB connection to abc.com and in turn generates the content from the database.

 

Thanks in advance.


To be 100% sure I'd need to see the feed.php script. But if feed.php does not take any user arguments, it's most likely to be safe. Most problems come when you take data sent to you by the user and use it in database queries.

 

Just to confirm:

 

feed.php is on your website, and is the only script which accesses the database

 

The code the other webmaster gets accesses feed.php and does not have any direct access to the database

 

Is that right?

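The failure mode this reply describes (data sent by the user spliced into a database query), as an added example that is not code from the thread or from the poster's site. It assumes a feed table, a users table and a `cat` request parameter, all constructed inline in an in-memory SQLite database so it runs offline; the poster's feed.php reportedly takes no arguments, so this shows what the reply is warning against rather than the poster's own script, with the hardened version beside it.

```php
<?php
// Added example (not from the thread). A feed endpoint in two versions: one
// that splices a request parameter into SQL, and one that binds it with a
// prepared statement. Table and column names, the 'cat' parameter and all
// rows are assumptions constructed here for illustration.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE feed (id INTEGER PRIMARY KEY, category TEXT, title TEXT, published INTEGER)');
    $db->exec("INSERT INTO feed (category, title, published) VALUES ('news', 'Public item', 1)");
    $db->exec("INSERT INTO feed (category, title, published) VALUES ('news', 'Unpublished draft', 0)");
    // A table the feed must never expose.
    $db->exec('CREATE TABLE users (login TEXT, pwhash TEXT)');
    $db->exec("INSERT INTO users VALUES ('admin', 'hash-goes-here')");
    return $db;
}

// Vulnerable: the category value goes straight from the request into the SQL
// text, so a quote in it changes the structure of the query.
function feedVulnerable(PDO $db, string $cat): array {
    $sql = "SELECT title FROM feed WHERE published = 1 AND category = '$cat'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound as a parameter, so whatever it contains it can
// only ever be compared against the category column.
function feedSafe(PDO $db, string $cat): array {
    $stmt = $db->prepare('SELECT title FROM feed WHERE published = 1 AND category = :cat');
    $stmt->execute([':cat' => $cat]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = buildDb();

// Constructed attacker input for a request like feed.php?cat=...: it closes
// the string, disables the published filter with OR 1=1, and appends a UNION
// that pulls a row out of the users table; the trailing -- comments out the
// original closing quote.
$payload = "news' OR 1=1 UNION SELECT login || ':' || pwhash FROM users -- ";

// Vulnerable version: returns the draft and the users row as well.
print_r(feedVulnerable($db, $payload));

// Safe version: no category has that literal name, so nothing comes back;
// a plain value still works as intended.
print_r(feedSafe($db, $payload));
print_r(feedSafe($db, 'news'));
```

The point for the thread is the inverse: a script that reads nothing from the request has no `$cat` to abuse, which is why the reply treats an argument-free feed.php as low risk. Anything the script does read from `$_GET`, `$_POST` or `$_COOKIE` should take the second form.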

Thanks for the quick reply.

 

The feed.php file which the webmaster uses on his website does not directly connect to the database. However, in this feed file there is a variable, say $feedfile="www.abc.com/feedfile.php";, so feedfile.php on abc.com accesses the database.

 

My fear is: what if the user modifies the variable $feedfile to something else and injects some code into my abc.com site?

 

Thanks


I think it's quite unlikely. If feedfile.php has no arguments, then there is nothing the user can pass in. An exception may be register_globals, so you must check that it is OFF. You can check by making a script that does this:

 

<?php phpinfo(); ?>

 

That will display your full php configuration, including register_globals.

 

As long as register_globals is off, I can't imagine any way to attack your script.

 

You might want to check that nothing can happen if the user puts one of your other PHP scripts in place of feedfile.php.

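The register_globals hazard this reply raises, as an added example that is not code from the thread. It assumes a feedfile.php that builds its query from a `$table` and `$limit` variable; those names and the query shape are illustrative. Because PHP 5.4 and later no longer have register_globals at all, `extract()` is used here only to emulate what an `On` setting did to request parameters; the script itself never reads the request. It also shows the runtime check that lets a feed script refuse to run on a server where the directive is still enabled, which is more robust than inspecting phpinfo() once.

```php
<?php
// Added example, not code from the thread. Demonstrates why a script "with no
// arguments" could still be steered by the query string under
// register_globals=On, and a check the script can make for itself.
// $table, $limit and the query are assumptions for illustration; extract()
// only emulates register_globals, which PHP >= 5.4 has removed.

// True unless the directive exists and is enabled. ini_get() returns false
// when the directive does not exist (PHP >= 5.4); for boolean directives that
// do exist it returns "1"/"" or the literal text from php.ini, so several
// spellings of "enabled" are checked.
function registerGlobalsIsOff(): bool {
    $v = ini_get('register_globals');
    if ($v === false) {
        return true;
    }
    return !in_array(strtolower(trim((string) $v)), ['1', 'on', 'yes', 'true'], true);
}

// Refuse to serve the feed at all on a misconfigured server.
if (!registerGlobalsIsOff()) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('feed disabled until register_globals is Off');
}

// Vulnerable pattern: the script only assigns $table and $limit when they are
// not already set. With register_globals=On a request for
// feedfile.php?table=users&limit=... has already created both variables
// before this code runs, so the "defaults" never apply.
function buildQueryVulnerable(array $request): string {
    extract($request);                 // emulates register_globals=On
    if (!isset($limit)) {
        $limit = 20;
    }
    if (!isset($table)) {
        $table = 'feed';
    }
    return "SELECT title FROM $table LIMIT $limit";
}

// Safe pattern: every variable is assigned unconditionally before use and
// nothing from the request is consulted, so the ini setting cannot matter.
function buildQuerySafe(array $request): string {
    $table = 'feed';
    $limit = 20;
    return "SELECT title FROM $table LIMIT $limit";
}

// Constructed request, as the webmaster or any other client could send it.
$hostile = ['table' => 'users', 'limit' => '20; DELETE FROM feed'];

// The first query now targets the users table; the second is unchanged.
echo buildQueryVulnerable($hostile), "\n";
echo buildQuerySafe($hostile), "\n";
```

Two practical notes. First, the reply's last point follows from the same reasoning: the webmaster can only make HTTP requests to abc.com, so swapping feedfile.php for another script in `$feedfile` gives him exactly what any anonymous visitor already gets, and each script on the site should be safe against anonymous requests on its own. Second, on the webmaster's side, if the class fetches `$feedfile` with `include()` or `require()` rather than an HTTP client such as `file_get_contents()` or cURL, whatever abc.com returns runs as PHP on the webmaster's server (remote file inclusion); that is a risk to the webmaster, not to abc.com, but worth stating in the instructions you hand out.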
