Security question

[ebolisa]

Hi,

I'm using the code below to retrieve a file into a microcontroller running micropython.

I understand I'm open for easy attacks so, I appreciate some inputs.

TIA

<?php
  $file = $_GET['file'];
  $dir = getcwd();
  $file = $dir.'/'.$file;
  $myfile = fopen($file, "r") or die("FAIL");
  echo file_get_contents($file);
  fclose($myfile);
?>

 

Edited March 26, 2022 by ebolisa

[gw1500se]

What kind of attacks? Based on what you posted I am guessing you mean man-in-the-middle attacks. Once it is on either machine it is a different security issue.

[Barand]

BTW,, the fopen() and fclose() are redundant if you are using file_get_contents()

[ebolisa]

29 minutes ago, gw1500se said:

What kind of attacks? Based on what you posted I am guessing you mean man-in-the-middle attacks. Once it is on either machine it is a different security issue.

The microcontroller code checks for updates, every so often. If a new firmware is available, it's downloaded.

I was wondering if any risks can exist by someone hacking the firmware code which is in Python and stored on a public web site "https://mysite.net/iot/".

[gw1500se]

That is a different question from what you originally asked about downloading a file. Whether or not your microcontroller is hacakble is independent of downloading an update. Assuming, of course, that you can trust the download site. Whether or not is can be hacked depends on how well you secure the microcontroller in general. Since you mentioned Python, is it running Raspbian?

[ebolisa]

9 minutes ago, gw1500se said:

That is a different question from what you originally asked about downloading a file. Whether or not your microcontroller is hacakble is independent of downloading an update. Assuming, of course, that you can trust the download site. Whether or not is can be hacked depends on how well you secure the microcontroller in general. Since you mentioned Python, is it running Raspbian?

A new firmware is stored on my ISP. The microcontroller is using micropython to request and download, through the php code, the new firmware. My concern is if the php code is hacakble to a pont to modify my firmware code.

[requinix]

What's the name of your PHP file? Let's pretend it's get.php. What do you see if you go to

/get.php?file=get.php

 

[ebolisa]

49 minutes ago, requinix said:

What's the name of your PHP file? Let's pretend it's get.php. What do you see if you go to

/get.php?file=get.php

 

I see the content of the file: https://www.mysite.net/ota/get_ESP_data.php?file=program.py

Edited March 26, 2022 by requinix
fixing link

[requinix]

Not what I'm saying. What if you go to

https://www.mysite.net/ota/delete_ESP_data.php?file=delete_ESP_data.php

 

[ebolisa]

39 minutes ago, requinix said:

Not what I'm saying. What if you go to

https://www.mysite.net/ota/delete_ESP_data.php?file=delete_ESP_data.php

 

It deletes the file shown below which I call once the new firmware (https://www.mysite.net/ota/delete_ESP_data.php?file=program.py) is downloaded and stored on the microcontroller.

<?php
  $file = $_GET['file'];
  $dir = getcwd();
  $file = $dir.'/'.$file;
  unlink($file);
?>

 

Edited March 26, 2022 by ebolisa

[requinix]

You're not listening to me.

I'm not asking you to describe what happens when you run either of these scripts. I'm asking you to actually run the URLs I'm telling you about and see what happens.

Because the answer to your original question of "are there security problems here" is a very definite "yes", and I had hoped that the easiest way to tell you about it would be for you to watch it happen yourself.

[ebolisa]

1 minute ago, requinix said:

You're not listening to me.

I'm not asking you to describe what happens when you run either of these scripts. I'm asking you to actually run the URLs I'm telling you about and see what happens.

Because the answer to your original question of "are there security problems here" is a very definite "yes", and I had hoped that the easiest way to tell you about it would be for you to watch it happen yourself.

😄Thanks!! I realized what happened to the code when I ran the URL.