Web Technologies-I
Notes
(e.g., semicolons to separate commands). For example, suppose your script contains this line:
system("ls $directory");
If the user passes the value "/tmp;cat /etc/passwd" as the $directory parameter, your password file is displayed, because system( ) executes the following command:
ls /tmp;cat /etc/passwd
In cases where you must pass user-supplied arguments to a shell command, use escapeshellarg( ) on the string to escape any sequences that have special meaning to shells:
$cleaned_up = escapeshellarg($directory);
system("ls $cleaned_up");
Now, if the user passes "/tmp;cat /etc/passwd", the command that's actually run is:
ls '/tmp;cat /etc/passwd'
The easiest way to avoid the shell altogether is to do the work of whatever external program you were going to call in PHP itself. Built-in functions are likely to be more secure than anything involving the shell.
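As an added example (not from the textbook), the directory-listing task above written three ways in PHP: the unsafe command string, the escapeshellarg( ) form, and the shell-free form using built-in functions. The $base directory and the list_directory( ) helper are assumptions of this example, and escapeshellarg( ) is assumed to run on a POSIX system.

```php
<?php
// Added example, not part of the textbook. The input below is constructed
// and is the book's own attack string, supplied here as a plain variable.
$directory = '/tmp;cat /etc/passwd';

// 1. Unsafe: the shell would see two commands. Built as a string only; it is
//    deliberately never passed to system().
$unsafe = "ls $directory";
echo "Unsafe command string:  $unsafe\n";

// 2. Escaped: on POSIX, escapeshellarg() wraps the value in single quotes and
//    escapes any embedded single quote, so the shell sees one literal argument.
$cleaned_up = escapeshellarg($directory);
$escaped = "ls $cleaned_up";
echo "Escaped command string: $escaped\n";   // ls '/tmp;cat /etc/passwd'
// system($escaped) would now just run ls on a directory whose name contains a
// semicolon; nothing from /etc/passwd is read.

// 3. No shell at all: list with built-in functions and confine the request to
//    an allowed base directory ($base is an assumed application setting).
function list_directory(string $base, string $requested): array
{
    $root   = realpath($base);
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for a path that does not exist and resolves
    // "../", so both the metacharacter payload and a traversal attempt end up
    // rejected by the prefix check below.
    if ($root === false || $target === false
        || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('directory not allowed');
    }
    return array_values(array_diff(scandir($target), ['.', '..']));
}

try {
    print_r(list_directory('/var/www/data', $directory));
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
```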
Cyber Security
A provider of online prescriptions recently experienced a security breach in which account information, including patients' social security numbers, was stolen from the company's database. You have been hired as a consultant to conduct a thorough analysis of the information system in order to develop recommendations for improved security. You need to develop a thorough understanding of the existing system and of which security tools, security measures and intrusion detection systems are currently in place. You also need to learn which internal and external "users" of the information system have access to what information, what level of privilege they hold, why they need the information and what they do with it. The research process will involve examining detailed technical specifications and system administration procedures, interviewing users of the system, and reviewing security procedures and information flow diagrams. As part of the proposed solution, you will run scenarios to test the system for vulnerabilities. You will also need to educate yourself on the regulations that are pertinent to the management of information in the context of online pharmacies.
Recommendations will most likely include technical upgrades to the system, revisions of information access protocols and upgrades to user authentication. They may include training of company personnel at all levels of the organization. You may recommend improved system maintenance and regular security tests of the system for vulnerabilities. Some of these solutions may require a significant investment of money and time, and you will need to clearly show the necessity of these investments against the potential cost of non-compliance.
Questions:
1. Give some examples of cyber security.
2. What do you understand by cyber crime?
Self Assessment
Multiple choice questions:
7. The preg_replace( ) function is used to
(a) delete the string
(b) replace the string
(c) append the string
(d) none of these
362 LOVELY PROFESSIONAL UNIVERSITY