Re: [PHP] Protecting index.php
On 4/26/06, P. Guethlein [EMAIL PROTECTED] wrote:
> Initial index.php file:
>
>     <?php
>     if(isset($_GET['d'])){
>         setcookie('disp',$_GET['d'],time()+(60*60*24*60));
>         $_COOKIE['disp']=$_GET['d'];
>     }
>     include_once('writemenus.php');
>     if(!isset($_GET['href']))
>         $include = 'startpage.htm';
>     else {
>         // href comes straight from the query string and is never checked
>         $include = $_GET['href'];
>         $include = $include.'.php';
>         if($include=='index.php') $include = 'startpage.htm';
>     }
>     include_once($include);
>     include_once('footer.htm');
>     ?>
>
> Hackers seem to be able to call a remote script by appending the URL to the
> href= command line. ( $include )

..because you're not checking it, you're just including it.

If you turn off allow_url_fopen then this will stop it, but it's best to fix it properly.

You could do something like this:

    $mydir = dirname(__FILE__);
    $include = $_GET['href'].'.php';
    // realpath() collapses ../ and ./ (and returns false if the file does not exist),
    // so the result only matches when the file really sits in this directory
    if (realpath($mydir.'/'.$include) != $mydir.'/'.$include) {
        $include = 'startpage.htm';
    } else {
        $include = $mydir.'/'.$include;
    }

You use realpath to get rid of '../' and './' type references (see http://www.php.net/realpath), then make sure that's the same file as in the current directory. If they don't match, it includes startpage.htm.

--
Postgresql php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Protecting index.php
On Wed, April 26, 2006 12:53 am, P. Guethlein wrote:
>     <?php
>     if(isset($_GET['d'])){
>         setcookie('disp',$_GET['d'],time()+(60*60*24*60));
>         $_COOKIE['disp']=$_GET['d'];
>     }

I suppose this isn't so terribly awful, since experienced users can forge their Cookies as easily as GET, but as a matter of principle, you SHOULD ensure that $_GET['d'] has the data you expect.

>     include_once('writemenus.php');
>     if(!isset($_GET['href']))
>         $include = 'startpage.htm';

This is fine.

>     else {
>         $include = $_GET['href'];
>         $include = $include.'.php';

This is SO not fine!!!

You are allowing the Bad Guys to include *ANY* file they want here!

Never ever ever ever use a variable in include() that the user gets to pick whatever they want.

You need to decide, in advance, which files the user CAN include, like your 'startpage.htm' and only allow $include to take on those values you have pre-determined to be valid.

Here's one easy way to do this:

    // only names listed here can ever reach include_once()
    switch($_GET['href']){
        case 'startpage':
        case 'index':
        case 'about':
        case 'contact':
            $include = $_GET['href'] . '.php';
            break;
        default:
            // anything else is logged with the client address and refused
            error_log("HACK ATTEMPT " . $_SERVER['REMOTE_ADDR'] . ' ' . date('m/d/Y h:i:s a'));
            die("No.");
            break;
    }

>         if($include=='index.php') $include = 'startpage.htm';
>     }
>     include_once($include);
>     include_once('footer.htm');
>     ?>
>
> Hackers seem to be able to call a remote script by appending the URL to the
> href= command line. ( $include )
>
> What buttons do I need to push to stop this? Does PHP have a setting to
> allow only local calls? or do I have to do it in the index.php file ? or ??

Required Reading:
http://phpsec.org/
All of it.
The whole damn site.
Now.

Sorry.

--
Like Music?
http://l-i-e.com/artists.htm
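The two replies above propose different checks: an allow-list of include names (this reply) and a realpath() containment test (the previous one). The following is an added example, not code from either poster, that applies both in one helper; the directory layout, file names and test inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): allow-list first, realpath containment second.
// Assumes the page files (about.php, startpage.htm, ...) live directly in $pageDir.

function resolve_include(string $href, string $pageDir, array $allowed): string
{
    $fallback = $pageDir . '/startpage.htm';

    // 1. Allow-list: only names decided in advance may be included at all.
    //    The strict flag avoids PHP's loose string/number comparison surprises.
    if (!in_array($href, $allowed, true)) {
        error_log('Rejected include name from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli') . ': ' . $href);
        return $fallback;
    }

    // The original script's rule: asking for index gets the start page instead.
    if ($href === 'index') {
        return $fallback;
    }

    // 2. Containment: realpath() collapses ../ and ./ and returns false for a missing
    //    file, so the result must be a real file whose directory is exactly $pageDir.
    $candidate = realpath($pageDir . '/' . $href . '.php');
    if ($candidate === false || dirname($candidate) !== realpath($pageDir)) {
        return $fallback;
    }
    return $candidate;
}

// Constructed demonstration in a scratch directory (created and removed below).
$pageDir = sys_get_temp_dir() . '/php-include-demo-' . getmypid();
mkdir($pageDir);
file_put_contents($pageDir . '/about.php', "<?php echo \"about page\\n\";");
file_put_contents($pageDir . '/startpage.htm', "start page\n");
$allowed = ['startpage', 'index', 'about', 'contact'];

// Constructed inputs: one valid name, one allowed-but-missing file, the index rule,
// a traversal attempt and a remote URL. Only 'about' resolves to about.php.
foreach (['about', 'contact', 'index', '../about', 'http://remote.invalid/x'] as $href) {
    printf("%-28s -> %s\n", $href, basename(resolve_include($href, $pageDir, $allowed)));
}

array_map('unlink', glob($pageDir . '/*'));
rmdir($pageDir);
```

The allow-list alone already blocks every unexpected name; the realpath() step is defence in depth for the case where an allowed name later points at a symlink or a file that has moved out of the page directory.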
[PHP] Protecting index.php
Initial index.php file:

    <?php
    if(isset($_GET['d'])){
        setcookie('disp',$_GET['d'],time()+(60*60*24*60));
        $_COOKIE['disp']=$_GET['d'];
    }
    include_once('writemenus.php');
    if(!isset($_GET['href']))
        $include = 'startpage.htm';
    else {
        // href comes straight from the query string and is never checked
        $include = $_GET['href'];
        $include = $include.'.php';
        if($include=='index.php') $include = 'startpage.htm';
    }
    include_once($include);
    include_once('footer.htm');
    ?>

Hackers seem to be able to call a remote script by appending the URL to the href= command line. ( $include )

What buttons do I need to push to stop this? Does PHP have a setting to allow only local calls? or do I have to do it in the index.php file ? or ??

Advice welcome!

-Pete