Friday, January 25, 2008

PHP Security in a shared hosting environment

Since its inception in 1994 as a set of basic development components, PHP has grown into one of the web’s most powerful development engines, having since been installed on literally millions of servers worldwide. And although PHP offers both the versatility and the built-in functionality to run in a reasonably secure fashion, most of those servers are configured in such a way that PHP scripts are at high risk for compromise.

Most PHP-enabled webservers are configured in such a way that the mod_php Apache module is loaded along with Apache itself, thereby allowing HTTP requests to be passed through the PHP engine, which preprocesses the data before it is sent to the client. While this configuration provides a simple, efficient way to get PHP up and running, it raises security issues when working in the most common webserver environment: shared virtual hosting.

Generally, it is unnecessary and wasteful to dedicate an entire server to hosting just one website. Since most sites demand only a small fraction of a server’s available resources, it is more common to have one server be home to a large number of virtual hosts. A virtual host is simply a configuration entry that points requests for a specific URL (for instance, www.google.com) to a particular directory (for instance, /home/www/mydomain.com).

The shared hosting model, though economical, immediately presents a security concern, since the HTTP server (for instance, Apache or Microsoft IIS) needs to have a considerable amount of control over the files and directories that are to be served to the client. If your application offers the ability to upload files posted through web forms, the problem is further compounded since the HTTP server now needs write permission on the destination directory. In the common virtual hosting configuration discussed above, if the HTTP server has write permission to that directory, then any user running a PHP script on that same server can also write to the directory. Obviously, this presents a major security concern.

However, there are steps that can be implemented, as a server administrator or as a user, that will eliminate or mitigate the security issues, or at least isolate individual users so that a script exploit on one host cannot easily affect other hosts on the same server. In this article, I will discuss a few methods for more securely configuring PHP, and will offer some security-conscious techniques to use when writing applications.

For the sake of convenience, I have grouped the article into three categories: Configuration directives and environment settings that can only be changed by a server administrator, a basic overview of PHP wrapping for the application developer, and general practices for securing PHP code. Even if you are not administrating your own server, I recommend reading through the first section in order to gain an understanding of the problem so that you can know what to expect from your web host. This article makes the assumption that your environment has PHP running on a Linux/Unix variant, with Apache acting as the HTTP server.


From the administrator’s perspective: Configuring your shared PHP environment

As the administrator of a virtual hosting server, you have full control over the HTTP server and the PHP engine, which is the ideal condition for tuning and securing your environment. First, let’s talk about separating the PHP interpreter from the Apache server, so that we negate the file permissions problem discussed above.

The PHP interpreter can be invoked in three different ways: as an Apache module (discussed above), as a CGI binary, and as a CLI. Since the CLI (Command Line Interface) isn’t relevant for serving web pages, I won’t be addressing it in this article. As mentioned above, the most common (and often default) method for invoking PHP is as an Apache module. However, let’s look at an alternative way of invoking PHP – namely, as a CGI binary.

When invoked as a CGI binary, Apache loads the PHP interpreter only when needed, passing necessary input (environment variables, POST data, etc) to the PHP executable, then collecting the output and sending it to the client. In this scenario, the PHP process is separated from the Apache thread, which makes it possible to run the processes as different users, thereby eliminating the permissions problem discussed above. However, by default, PHP is run as the Apache user, so we haven’t yet solved the problem simply by running PHP as a CGI binary. Our next step is to “wrap” PHP so that it is invoked as a user that we specify, not as the Apache user.

Note: Installing PHP as a CGI binary can introduce other security concerns that are worth being aware of. While PHP is generally secure out of the box, it is advisable to take a look at http://us.php.net/manual/en/security.cgi-bin.php.

While Apache does have its own mechanism, suEXEC, for wrapping CGI programs, I will not be discussing it in this article. Instead, we’re going to look at another open source package: suPHP. Written by Sebastian Marsching, suPHP is a fairly simple Apache module that nicely wraps the PHP binary “in order to change the UID of the process executing the PHP interpreter” (suphp.org).

In my experience, installing suPHP has always been a fairly pleasant (as far as these things go) endeavor. You will need to refer to the suPHP instructions at http://www.suphp.org for installation information for your particular UNIX distribution, but as a lightweight application that makes use of Apache’s dynamic module API, installation of suPHP should be trivial.

There are many articles on using PHP’s ini directives to help lock down your server, and although that is not the focus of this article, I would now like to briefly touch on a few directives you should be aware of.

First, be sure to enable PHP’s safe_mode. Although some older applications have trouble running with safe_mode enabled, most have been updated to account for this directive, and its benefits are simply too numerous to ignore, especially if you are not able to use a PHP wrapper such as suPHP. Safe mode will be removed in PHP 6 in favor of alternative methods of implementing file and directory security, but for now, you should leave it enabled.

Next, if you cannot implement suPHP or another PHP wrapper, it’s a good idea to set open_basedir in all of your virtual hosts. Set “php_admin_value open_basedir /path/to/vhost/root” as a directive in your virtual host configuration to ensure that PHP is restricted from reading any files outside of the virtual host’s document root.

Finally, have a look at the disable_functions directive. While you do want to make sure that your security procedures don’t prevent your users’ applications from running as they should, it’s often the case that few, if any, users will need any of the more potentially hazardous functions such as passthru(), exec(), and shell_exec(). If it is the case that none of your users need these functions, it’s a good idea to disable them.

(Note: In the event that only one user or application needs these functions, suPHP allows you to specify individual php.ini files for specific virtual hosts, which offers a middle ground between allowing these functions globally and restricting applications that need to use them for legitimate purposes.)

From the developer’s perspective: Why do I want a PHP wrapper?

Why do you want suPHP, or a PHP wrapper at all? Let’s look at a very common example – uploading images.

It’s a common condition that an application needs to accept image uploads via the web, and many developers operating in a shared hosting environment have run into the problem where, on the first try, PHP displays a “permission denied” error when trying to move the uploaded file into its destination directory. Our User vs. HTTP server permission problem is back again, where the HTTP server - user “www” or “apache” - does not have the proper permissions to write to a directory owned by the developer’s account. The common solution to this problem is to set the permissions on the destination directory to 777, giving all users system-wide read, write, and execute access. While this does work and your uploads can now flow freely, you’ve just ensured that any other user on the system – there are probably hundreds – could very easily issue an “rm -rf /path/to/your/uploads”, which would quickly and effectively delete everything in the directory. While I personally like to think that there exists camaraderie between users on the same server, this probably isn’t true, and you also have to consider that someone else’s account may have been compromised (probably by a lack of input checking on an upload form – more on that below).

With suPHP (or another PHP wrapper) enabled, you are free to leave your upload destination directories with the same permission as your other web-accessible files – namely that only your user account has write access, and the Apache user can read files and traverse directories. In fact, if your user account is in the same group as the Apache user, you can set these directories to have permission of 750, which is much more restrictive than a wide-open 777.
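The script below is an added example, not code from the original article: it reports whether the running PHP environment matches the settings discussed so far (how PHP is invoked, which user it runs as, open_basedir, disable_functions, safe_mode, and the mode of an upload directory). The function name `audit_environment` and the throwaway demo directory are assumptions of this example.

```php
<?php
// Added example, not from the original article: compare the current PHP
// environment with the settings discussed above.

/**
 * Returns a list of [level, message] findings.
 * $uploadDir is a hypothetical path chosen by the caller.
 */
function audit_environment(string $uploadDir): array
{
    $out = [];

    // How PHP is invoked: "apache2handler" is mod_php, "cgi" or "cgi-fcgi"
    // is a CGI binary (which is what a wrapper such as suPHP executes).
    $sapi = php_sapi_name();
    $out[] = [$sapi === 'apache2handler' ? 'WARN' : 'INFO', "SAPI is '$sapi'"];

    // Under a wrapper the process runs as the owner of the script, not as
    // the shared web server user. getmyuid() is the script owner's UID.
    if (function_exists('posix_geteuid')) {
        $euid  = posix_geteuid();
        $owner = getmyuid();
        $out[] = $euid === $owner
            ? ['OK', "PHP runs as the script owner (uid $euid)"]
            : ['WARN', "PHP runs as uid $euid, script is owned by uid $owner"];
    } else {
        $out[] = ['INFO', 'posix extension missing, cannot compare UIDs'];
    }

    // safe_mode exists only before PHP 5.4.0; ini_get() returns false for a
    // directive the running version does not know.
    $safe = ini_get('safe_mode');
    if ($safe === false) {
        $out[] = ['INFO', 'safe_mode is not available in this PHP version'];
    } else {
        $out[] = $safe ? ['OK', 'safe_mode is on'] : ['WARN', 'safe_mode is off'];
    }

    // open_basedir: an empty value means no path restriction at all.
    $base = (string) ini_get('open_basedir');
    $out[] = $base === ''
        ? ['WARN', 'open_basedir is not set']
        : ['OK', "open_basedir = $base"];

    // disable_functions: look for the three functions named in the article.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['passthru', 'exec', 'shell_exec'] as $fn) {
        $out[] = in_array($fn, $disabled, true)
            ? ['OK', "$fn() is disabled"]
            : ['WARN', "$fn() is enabled"];
    }

    // Upload directory: flag anything writable by "other" (777 and friends).
    clearstatcache();
    if (is_dir($uploadDir)) {
        $mode = fileperms($uploadDir) & 0777;
        $out[] = ($mode & 0002)
            ? ['WARN', sprintf('%s is world-writable (%04o)', $uploadDir, $mode)]
            : ['OK', sprintf('%s has mode %04o', $uploadDir, $mode)];
    } else {
        $out[] = ['INFO', "$uploadDir does not exist"];
    }

    return $out;
}

// Constructed demo: a throwaway directory given the 777 mode described above.
$dir = sys_get_temp_dir() . '/demo_uploads_' . getmypid();
mkdir($dir);
chmod($dir, 0777);
foreach (audit_environment($dir) as [$level, $message]) {
    printf("%-4s %s\n", $level, $message);
}
rmdir($dir);
```

Run from the command line the SAPI line reads "cli"; requested through the web server it shows what the host actually uses to serve your pages.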

The primary downside to using a PHP wrapper is that there is in fact a performance hit, since the PHP interpreter has to be invoked for every request, rather than being started as part of the Apache server. However, in my experience, the performance decrease is generally unnoticeable. If your application is extremely performance-critical, you will want to run benchmarks before deciding to use a wrapped PHP environment, or consider graduating to your own dedicated server where you can ensure that only you and your developers have any kind of access to your application files. In the dedicated server scenario, the security concerns of using PHP as an Apache module are largely mitigated. (Note, however, that if one site on your dedicated server is exploited in a mod_php setup, other sites or files will most likely be vulnerable as well, whereas a server running suPHP with PHP’s safe_mode enabled and open_basedir directive configured will generally be able to jail the attack to one virtual host’s document root.)

General practices for PHP application security

At this point, I’d like to briefly go over just a few coding techniques you can use to increase the security of your application. Please understand that this is by no means a comprehensive list, and simply adhering to the suggestions below does not ensure that your application is secure. However, you should make it a point to be security conscious when writing code, rather than trusting your environment to eliminate or mitigate any potential attacks on your application.

1. Sanity-check your data

- This is probably the simplest and most effective way of preventing exploits in your application. Sanity checking just means that if you’re expecting the user to enter a number, make sure you actually received a number. If you’re expecting a string with alphanumeric characters only, verify that that’s what you got. Also, never trust this kind of validation to JavaScript only, as JavaScript can easily be disabled on the client side. Finally, never pass user data directly to an SQL query without validating it first. While PHP’s magic_quotes mechanism is great for helping to prevent SQL injection attacks (an attack where a user can enter data in such a way as to run their own arbitrary queries), again you should not rely exclusively on the environment for your application security.

2. Check the type and extension of uploaded files.

- Allowing file uploads is inherently risky, but very often it’s a necessary part of an application. PHP allows you to gain a lot of information about uploaded files before they’re ever written to their final destination, so make use of the information contained in the $_FILES array to ensure that you’re getting the type of file you’re expecting. A basic way of validating the file type is simply to ensure that the extension of the file indicates that it is (or is purported to be) the type of file you’re expecting. A common exploit for upload scripts is for an attacker to upload a malicious PHP script to your site, then browse to the uploaded script to gain control of your files. Even a basic check to make sure that, for instance, only files with a .jpg extension are allowed to be uploaded would prevent this type of exploit. However, I also recommend verifying the MIME type of the file, which is contained in the $_FILES array under the key ‘type’, and will look like: “image/jpeg” or “application/pdf”. Be as restrictive as possible – rather than validating against a list of extensions that are NOT allowed (php, exe, etc), check to make sure that the extension and/or MIME type matches a small group of file types that ARE allowed.
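The allowlist check described above, written out as an added example (not code from the original article). It goes one step beyond the text: the `type` key in $_FILES is supplied by the client, so the example also detects the type from the file's content with the fileinfo extension and stores the file under a server-chosen name. `check_upload`, `ALLOWED_UPLOADS`, `$requireHttpUpload` and the sample files are assumptions constructed for this example.

```php
<?php
// Added example, not from the original article. Allowlist check for one
// entry of $_FILES, followed by a constructed offline demo.

// Allowed extension => the MIME type its content must have.
const ALLOWED_UPLOADS = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'pdf'  => 'application/pdf',
];

/**
 * Returns [true, $safeName] or [false, $reason].
 * $requireHttpUpload is an assumption of this example: it is switched off
 * only so the demo below can run from the command line.
 */
function check_upload(array $file, bool $requireHttpUpload = true): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or missing'];
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if ($requireHttpUpload && !is_uploaded_file($tmp)) {
        return [false, 'not an HTTP upload'];
    }
    if (!is_file($tmp)) {
        return [false, 'temporary file missing'];
    }

    // 1. The extension must be on the allowlist (never a denylist).
    $ext = strtolower(pathinfo((string) ($file['name'] ?? ''), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return [false, "extension '$ext' not allowed"];
    }
    $expected = ALLOWED_UPLOADS[$ext];

    // 2. Declared type: the 'type' key. The client sends this value, so it
    //    can filter out mistakes but cannot prove anything by itself.
    if (($file['type'] ?? '') !== $expected) {
        return [false, 'declared type does not match extension'];
    }

    // 3. Detected type, read from the file's content on the server.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($detected !== $expected) {
        return [false, "content looks like '$detected'"];
    }

    // 4. Store under a server-chosen name so nothing from the client's
    //    filename except the vetted extension reaches the disk.
    return [true, bin2hex(random_bytes(16)) . '.' . $ext];
}

// --- Constructed demo input (not real uploads) ---
function demo_file(string $name, string $type, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $type, 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}

// A minimal JFIF header and a harmless one-line script as sample content.
$jpeg   = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9";
$script = "<?php echo 'hello'; ?>\n";

$samples = [
    demo_file('photo.jpg', 'image/jpeg', $jpeg),          // honest image
    demo_file('shell.php', 'application/x-php', $script), // wrong extension
    demo_file('avatar.jpg', 'image/jpeg', $script),       // name and type lie
];

foreach ($samples as $file) {
    [$ok, $detail] = check_upload($file, false);
    printf("%-10s %s: %s\n", $file['name'], $ok ? 'accepted' : 'rejected', $detail);
    unlink($file['tmp_name']);
}
```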

3. Use a .php extension for ALL files with PHP code contained in them.

- Often I come across files in PHP projects that have a .inc extension, because they are meant to be included, not browsed to directly from the web. This is a common condition, but there’s a potential security issue here if those files contain any sensitive data (e.g. database passwords). Because .inc files are not parsed by the PHP interpreter, they can be passed directly to the client side if they’re available via a web request, which would allow anyone to read the PHP code directly. Hopefully the directory these files reside in is denied read access by webserver rules (see below), but even so, there’s no sense in risking an accident where the user ends up being able to browse directly to the file. Use .inc.php.

4. Make use of your webserver’s access control rules (e.g. .htaccess)

- Even if all the PHP files in your application have a .php extension as discussed in #3, you should still make use of your HTTP server’s access control to prohibit any files in sensitive directories from being served via the web. For instance, if you keep your database passwords in “include/db.inc.php”, this file, and all files in the include/ directory, should be prevented from being served via the web. Even though the .php extension will ensure that client-side users can’t read the code if the PHP interpreter is functioning, there is the potential condition that the HTTP server has loaded without the PHP interpreter. Botched upgrades or configuration errors can sometimes cause this condition, and in the event that someone browses to a PHP file without the PHP interpreter ever having been loaded, they will again see the code just as you do when editing the files. In Apache, disabling directory access is usually as simple as creating a file called .htaccess (note the leading period) in the directory, then adding the line: “Deny from All” (no quotes) to that file and saving it.
