Reply to: Odd CURL problem

Previously on "Odd CURL problem"

  • xoggoth
    replied
    Darn it, forgot to log Albert out.

  • Albert Steptoe
    replied
    Eh! All a bit over me 'ead. Only had 2 hacks in many years, one was an iframe in the HTML, think due to using an insecure version of Filezilla. Once bit of fiddling with database due to security errors, fixed that.

  • fool
    replied
    Originally posted by NickFitz:
        Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
    Admittedly it's been 4 years since I did any PHP coding, but I did believe there were other ways to handle input data, but I believe it depends on how you run the app, such as mod_php vs FPM.

    Still, either way, you are just getting unvalidated data into your app; the point of using a framework is to make sure you pass through the input and output validation layers, and then you could use SAST to help confirm this in PRs and such. Basic "globals are bad, m'kay" advice.

    Still, it does sound like the OP has made an attempt to validate, so hopefully he's okay.

    Originally posted by NickFitz:
        Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK.
    The warning isn't that he'd hack Worldpay, it's that his own server / PHP stack could be owned before the POST. If he's doing a redirect, then the actual payment data probably isn't included in his app, which mitigates the issue.

    I haven't seen the actual code he's written though, so who knows, it's possible he's fine.
    Last edited by fool; 9 April 2019, 09:30.

  • NickFitz
    replied
    Originally posted by NickFitz:
        Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.
    [citation needed] - in Symfony\Component\Form\NativeRequestHandler you'll find the code that grabs the request data from $_POST or $_GET and stuffs it into the Symfony form object: symfony/NativeRequestHandler.php at master · symfony/symfony · GitHub

  • NickFitz
    replied
    Originally posted by TheGreenBastard:
        Did you pay a premium for his services? Master kudos to him if you did. Infect companies with your product and hold the secret key.
    Nah, as mentioned upthread I was contracting at Yahoo! at the time and they'd given him a job, just like they had with Rasmus Lerdorf. Their business management was generally terrible, but they had the right idea of hiring the people who'd made the stuff they used.

  • TheGreenBastard
    replied
    Originally posted by NickFitz:
        The fact that after six months working with Symfony, in a department filled with extremely smart people who'd been working with it for a year or more who tried to help, I still had to get the bloke who'd invented it to come and fix it, suggests you have the right attitude.
    Did you pay a premium for his services? Master kudos to him if you did. Infect companies with your product and hold the secret key.

  • NickFitz
    replied
    Originally posted by xoggoth:
        I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code.
    The fact that after six months working with Symfony, in a department filled with extremely smart people who'd been working with it for a year or more who tried to help, I still had to get the bloke who'd invented it to come and fix it, suggests you have the right attitude.

  • xoggoth
    replied
    Cheers all. All the input has length limits and strip_tags when taken by self post, and the inputs are all hidden in the redirection page anyway. Think it has all the security I can be bothered with.

    I am never keen on using third party libraries/packages, great until something goes wrong, then you have to grapple with masses of unfamiliar and mostly irrelevant code. Prefer to stick to my simple stuff. Database is regularly backed up, downloaded to Excel at 2 locations and orders are also in emails/paper invoices.

  • NickFitz
    replied
    Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.

    Fun fact: when I was at Yahoo! (over a decade ago now) we used Symfony and PHP, but Y! had its own internal build of PHP which had a bunch of extra sanitation built into the construction of $_POST and the others. The raw versions, equivalent to normal PHP, were available under different names (something like $_POST_RAW and so on), but any code which accessed them had to have prior written approval, undergo a special code review by senior Paranoids (the name for Y!'s security specialists), and have the Paranoids' written signoff and be fully documented before it could be put into production.

    Also, one day I was having a problem with a Symfony setup, and it so happened the creator of Symfony had been hired by Y! and had just been flown to London for an internal conference we were having. So he came to my desk and sorted it all out for me there and then.

    (Another speaker knocking around the department that day was Rasmus Lerdorf, the creator of PHP.)

    Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK.

  • fool
    replied
    Originally posted by xoggoth:
        Cheers. Only had a quick look so far but I can't see anything online suggesting a problem with post if htmlspecialchars is used. I also apply length limits to values taken on my form. Since the values are being passed to Worldpay, I would expect them to protect against any dodgy data.

        The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.
    I dunno, try posting the following from a user point of view.

    PHP Code:
    phpinfo(); die();
    If that works, it means an attacker could probably curl and exec a reverse shell. Basically you're handing out RCEs. This obviously all depends on where you get the variables from; if they're generated by your script, and not actually user input, then the issue is less valid.

    You want to be using functions like preg_match within PHP to validate input, as opposed to (as well as) doing it in JavaScript. Apologies if this is stuff you already know, just a tad worried from your original post.

  • xoggoth
    replied
        The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years.
    Cheers. Only had a quick look so far but I can't see anything online suggesting a problem with post if htmlspecialchars is used. I also apply length limits to values taken on my form. Since the values are being passed to Worldpay, I would expect them to protect against any dodgy data.

    The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.

  • DoctorStrangelove
    replied
    No answer came the stern reply from the ape.

    I wonder if he knows more about div and grad.

  • fool
    replied
    Originally posted by xoggoth:
        Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.

        Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.

        PHP - Redirecting a form with POST variables

        Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to..."
    Yeah, as stated by yourself curl just makes a web request and indeed you're actually looking to post the user, with some data, elsewhere. Thus you probably do want a form.

    However, your PHP examples are ancient and insecure. You shouldn't be using $_POST or $_GET in PHP code, and if you do for some reason, you need to be validating and escaping your input, which your example isn't doing.

    The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years.

    Backing up a second. Modern PHP should be using a framework and composer to install packages. With composer, you can download the worldpay library to take care of this crap without needing to get into messing with curl directly.

    GitHub - Worldpay/worldpay-lib-php: PHP Library for Worldpay REST API

    Wonderfully, worldpay lib examples are also grabbing from $_POST, so use a framework. Symfony, High Performance PHP Framework for Web Development. I suspect you're going to decide this is too much work, but you're gonna get hacked doing what you're doing.

  • xoggoth
    replied
    Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.

    Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.

    PHP - Redirecting a form with POST variables

    Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to..."
    Last edited by xoggoth; 5 April 2019, 10:50.

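The pattern this thread settles on, written out as an added example (it is not code from the thread, from Worldpay's docs or library, or from any framework): the self-post page validates each field server-side with preg_match plus a length cap, which is fool's point above about validating in PHP rather than only in JavaScript, keeps the clean copy in the session, and the hand-off page renders the hidden form from the session with every value passed through htmlspecialchars before JavaScript submits it, which is the redirect method xoggoth describes. The field names, regexes, SELF_PATH and HANDOFF_URL are assumptions for illustration; it needs PHP 7 or later with sessions enabled.

```php
<?php
// Added example, not code from the thread or from Worldpay's library.
// Step 1 (POST from the shop's own form): whitelist-validate every field,
//   keep the clean copy in the session, redirect the browser with a 303.
// Step 2 (GET): render a hidden form from the session values, each one escaped
//   with htmlspecialchars, and let JavaScript submit it to the payment page.
// Field names, limits, SELF_PATH and HANDOFF_URL are assumptions for illustration.
declare(strict_types=1);

const SELF_PATH   = '/checkout.php';                        // assumed path of this script
const HANDOFF_URL = 'https://example.invalid/payment-form';  // placeholder, not a real endpoint

// Whitelist per field: the whole value must match the regex and fit the byte cap.
// Keys that are not listed here are dropped, so unexpected POST keys never reach
// the hand-off form.
const FIELD_RULES = [
    'cartId'   => ['re' => '/^[A-Za-z0-9-]{1,32}$/',                 'max' => 32],
    'amount'   => ['re' => '/^\d{1,6}\.\d{2}$/',                      'max' => 9],
    'currency' => ['re' => '/^[A-Z]{3}$/',                            'max' => 3],
    'name'     => ['re' => '/^[\p{L} .\'-]{1,60}$/u',                 'max' => 240],
    'email'    => ['re' => '/^[^@\s]{1,64}@[^@\s.]+(\.[^@\s.]+)+$/',  'max' => 254], // sanity check only
];

/**
 * Validate untrusted input (e.g. $_POST) against FIELD_RULES.
 * Returns [clean fields, names of rejected fields]. Nothing is "fixed up":
 * a bad value is rejected rather than stripped or cast.
 */
function validate_order(array $input): array
{
    $clean = $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = $input[$field] ?? null;
        if (!is_string($value)) {                 // missing, or an array such as cartId[]
            $errors[] = $field;
            continue;
        }
        $value = trim($value);
        // Cheap byte cap first, then the full-match regex (/u where Unicode letters are allowed).
        if (strlen($value) > $rule['max'] || preg_match($rule['re'], $value) !== 1) {
            $errors[] = $field;
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/** Escape for an HTML attribute or text node. */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Step 2: the auto-submitting hand-off form. Values come from the session, never from the request. */
function render_handoff_form(array $fields, string $action): string
{
    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= '<input type="hidden" name="' . esc($name) . '" value="' . esc($value) . "\">\n";
    }
    $actionAttr = esc($action);
    return <<<HTML
<!doctype html>
<meta charset="utf-8">
<form id="handoff" method="post" action="{$actionAttr}">
{$inputs}<noscript><button type="submit">Continue to payment</button></noscript>
</form>
<script>document.getElementById('handoff').submit();</script>

HTML;
}

if (PHP_SAPI !== 'cli') {                         // skip request handling when included from the CLI
    session_start();
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {  // step 1
        [$clean, $errors] = validate_order($_POST);
        if ($errors !== []) {
            http_response_code(400);
            exit('Invalid field(s): ' . esc(implode(', ', $errors)));
        }
        session_regenerate_id(true);              // fresh session id before storing order data
        $_SESSION['order'] = $clean;
        header('Location: ' . SELF_PATH, true, 303); // POST -> GET, so a refresh cannot resubmit
        exit;
    }
    $order = $_SESSION['order'] ?? null;          // step 2
    unset($_SESSION['order']);                    // one-shot hand-off
    if (!is_array($order)) {
        http_response_code(400);
        exit('No pending order.');
    }
    echo render_handoff_form($order, HANDOFF_URL);
}
```

Three choices carry the security here: validation rejects a bad value instead of stripping bits out of it, so a failing field is reported rather than silently altered; the hand-off page reads only from the session, never from the request, so it cannot be fed arbitrary values directly; and escaping happens at output time with ENT_QUOTES, which is what makes the values safe inside the value="..." attributes. The 303 after the POST and the one-shot unset() stop a browser refresh from repeating the hand-off.
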
  • darrylmg
    replied
    Is the code you've pasted taken from inside your source Web page, or is it perl from your cgi-bin?

