ebolisa Posted March 26, 2022 Share Posted March 26, 2022 (edited) Hi, I'm using the code below to retrieve a file into a microcontroller running micropython. I understand I'm open for easy attacks so, I appreciate some inputs. TIA <?php $file = $_GET['file']; $dir = getcwd(); $file = $dir.'/'.$file; $myfile = fopen($file, "r") or die("FAIL"); echo file_get_contents($file); fclose($myfile); ?> Edited March 26, 2022 by ebolisa Quote Link to comment Share on other sites More sharing options...
gw1500se Posted March 26, 2022 Share Posted March 26, 2022 What kind of attacks? Based on what you posted I am guessing you mean man-in-the-middle attacks. Once it is on either machine it is a different security issue. Quote Link to comment Share on other sites More sharing options...
Barand Posted March 26, 2022 Share Posted March 26, 2022 BTW,, the fopen() and fclose() are redundant if you are using file_get_contents() Quote Link to comment Share on other sites More sharing options...
ebolisa Posted March 26, 2022 Author Share Posted March 26, 2022 29 minutes ago, gw1500se said: What kind of attacks? Based on what you posted I am guessing you mean man-in-the-middle attacks. Once it is on either machine it is a different security issue. The microcontroller code checks for updates, every so often. If a new firmware is available, it's downloaded. I was wondering if any risks can exist by someone hacking the firmware code which is in Python and stored on a public web site "https://mysite.net/iot/". Quote Link to comment Share on other sites More sharing options...
gw1500se Posted March 26, 2022 Share Posted March 26, 2022 That is a different question from what you originally asked about downloading a file. Whether or not your microcontroller is hacakble is independent of downloading an update. Assuming, of course, that you can trust the download site. Whether or not is can be hacked depends on how well you secure the microcontroller in general. Since you mentioned Python, is it running Raspbian? Quote Link to comment Share on other sites More sharing options...
ebolisa Posted March 26, 2022 Author Share Posted March 26, 2022 9 minutes ago, gw1500se said: That is a different question from what you originally asked about downloading a file. Whether or not your microcontroller is hacakble is independent of downloading an update. Assuming, of course, that you can trust the download site. Whether or not is can be hacked depends on how well you secure the microcontroller in general. Since you mentioned Python, is it running Raspbian? A new firmware is stored on my ISP. The microcontroller is using micropython to request and download, through the php code, the new firmware. My concern is if the php code is hacakble to a pont to modify my firmware code. Quote Link to comment Share on other sites More sharing options...
requinix Posted March 26, 2022 Share Posted March 26, 2022 What's the name of your PHP file? Let's pretend it's get.php. What do you see if you go to /get.php?file=get.php Quote Link to comment Share on other sites More sharing options...
ebolisa Posted March 26, 2022 Author Share Posted March 26, 2022 (edited) 49 minutes ago, requinix said: What's the name of your PHP file? Let's pretend it's get.php. What do you see if you go to /get.php?file=get.php I see the content of the file: https://www.mysite.net/ota/get_ESP_data.php?file=program.py Edited March 26, 2022 by requinix fixing link Quote Link to comment Share on other sites More sharing options...
requinix Posted March 26, 2022 Share Posted March 26, 2022 Not what I'm saying. What if you go to https://www.mysite.net/ota/delete_ESP_data.php?file=delete_ESP_data.php Quote Link to comment Share on other sites More sharing options...
ebolisa Posted March 26, 2022 Author Share Posted March 26, 2022 (edited) 39 minutes ago, requinix said: Not what I'm saying. What if you go to https://www.mysite.net/ota/delete_ESP_data.php?file=delete_ESP_data.php It deletes the file shown below which I call once the new firmware (https://www.mysite.net/ota/delete_ESP_data.php?file=program.py) is downloaded and stored on the microcontroller. <?php $file = $_GET['file']; $dir = getcwd(); $file = $dir.'/'.$file; unlink($file); ?> Edited March 26, 2022 by ebolisa Quote Link to comment Share on other sites More sharing options...
requinix Posted March 26, 2022 Share Posted March 26, 2022 You're not listening to me. I'm not asking you to describe what happens when you run either of these scripts. I'm asking you to actually run the URLs I'm telling you about and see what happens. Because the answer to your original question of "are there security problems here" is a very definite "yes", and I had hoped that the easiest way to tell you about it would be for you to watch it happen yourself. Quote Link to comment Share on other sites More sharing options...
ebolisa Posted March 26, 2022 Author Share Posted March 26, 2022 1 minute ago, requinix said: You're not listening to me. I'm not asking you to describe what happens when you run either of these scripts. I'm asking you to actually run the URLs I'm telling you about and see what happens. Because the answer to your original question of "are there security problems here" is a very definite "yes", and I had hoped that the easiest way to tell you about it would be for you to watch it happen yourself. 😄Thanks!! I realized what happened to the code when I ran the URL. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.