Re: [PHP] Protecting index.php

2006-04-26 Thread chris smith
On 4/26/06, P. Guethlein [EMAIL PROTECTED] wrote:

> Initial index.php file:
>
> <?php
> if(isset($_GET['d'])){setcookie('disp',$_GET['d'],time()+(60*60*24*60));$_COOKIE['disp']=$_GET['d'];}
> include_once('writemenus.php');
>
> if(!isset($_GET['href'])) $include = 'startpage.htm';
> else {
>   $include = $_GET['href']; $include = $include.'.php';
>   if($include=='index.php')$include = 'startpage.htm';
> }
> include_once($include);
> include_once('footer.htm');
> ?>
>
> =
> Hackers seem to be able to call a remote script by appending the URL
> to the href= command line . ( $include )

..because you're not checking it, you're just including it.

If you turn off allow_url_fopen then this will stop it, but it's best
to fix it properly.

You could do something like this:

$mydir = dirname(__FILE__);   // absolute, symlinks already resolved in __FILE__

$include = $_GET['href'].'.php';

// realpath() collapses '.' and '..' and follows symlinks; for a URL or a
// file that does not exist it returns false. Either way the result differs
// from the literal "$mydir/$include" and the request falls back to the
// start page. A name in a subdirectory ('sub/page') still passes, since it
// resolves to exactly the path that was built.
if (realpath($mydir.'/'.$include) != $mydir.'/'.$include) {
  $include = 'startpage.htm';
} else {
  $include = $mydir .'/'.$include;
}

You use realpath to get rid of '../' and './' type references (see
http://www.php.net/realpath), then make sure that's the same file as
in the current directory.

If they don't match, it includes startpage.htm.

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
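A fuller version of the realpath() check from the reply above, added here as an example and not chris smith's code. It wraps the test in a function, canonicalises the base directory as well as the candidate (so a symlinked document root does not reject every page), refuses NUL bytes before they reach realpath() (PHP 8 throws on them; older versions truncated the path there and silently dropped the '.php' suffix), and treats realpath() returning false as a rejection, which is what happens for a URL or a missing file. Since PHP 5.2 including a URL is additionally governed by the separate allow_url_include directive, off by default, but the check does not depend on it. The pages/ directory, the function name resolve_page() and the throwaway files built by the CLI self-test are assumptions; it assumes PHP 7.1+ on a POSIX filesystem.

```php
<?php
// Added example, not chris smith's code: confine a user-chosen include to one
// directory with realpath(). resolve_page() and the pages/ layout are assumptions.

/**
 * Map ?href=<name> to an absolute path inside $pagesDir, or return null when
 * the name escapes the directory, resolves through a symlink to somewhere
 * else, contains a NUL byte, or names a file that does not exist.
 */
function resolve_page($href, string $pagesDir): ?string
{
    if (!is_string($href) || $href === '') {
        return null;                          // absent, empty, or ?href[]=... (an array)
    }
    // PHP 8 throws if a path argument contains NUL; older versions silently
    // truncated the path there, which defeated a bolted-on ".php" suffix
    if (strpos($href, "\0") !== false) {
        return null;
    }
    // Canonicalise the base too, otherwise a symlinked docroot makes every
    // comparison below fail
    $base = realpath($pagesDir);
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $href . '.php';
    // realpath() collapses '.' and '..', follows symlinks, and returns false
    // for anything that is not an existing local file (so "http://..." is out)
    $real = realpath($candidate);
    if ($real === false || $real !== $candidate) {
        return null;
    }
    return $real;
}

// Self-test when run from the CLI: builds a throwaway pages directory (constructed
// sample data), one file outside it, and a symlink pointing out of the directory
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir();
    $tag = bin2hex(random_bytes(4));
    $dir = $tmp . '/pages_' . $tag;
    mkdir($dir . '/sub', 0700, true);
    $dir = realpath($dir);                    // expected values must be canonical too
    $outside = $tmp . '/outside_' . $tag . '.php';
    file_put_contents($dir . '/about.php', "<?php echo 'about';\n");
    file_put_contents($dir . '/sub/deep.php', "<?php echo 'deep';\n");
    file_put_contents($outside, "<?php echo 'outside';\n");
    $haveLink = @symlink($outside, $dir . '/link.php');

    $cases = [
        'plain page'   => ['about',                      $dir . '/about.php'],
        'subdirectory' => ['sub/deep',                   $dir . '/sub/deep.php'],
        'traversal'    => ['../outside_' . $tag,         null],
        'remote url'   => ['http://evil.example/x.txt?', null],
        'nul byte'     => ["about\0",                    null],
        'missing file' => ['nope',                       null],
        'no parameter' => [null,                         null],
    ];
    if ($haveLink) {
        $cases['symlink out'] = ['link', null];   // exists, but resolves outside $dir
    }
    foreach ($cases as $label => [$href, $want]) {
        $got = resolve_page($href, $dir);
        printf("%-14s %s\n", $label, $got === $want ? 'PASS' : 'FAIL (' . var_export($got, true) . ')');
    }

    // clean up the constructed files
    if ($haveLink) { unlink($dir . '/link.php'); }
    unlink($dir . '/about.php'); unlink($dir . '/sub/deep.php'); unlink($outside);
    rmdir($dir . '/sub'); rmdir($dir);
}
```

In index.php the call is `$file = resolve_page($_GET['href'] ?? null, __DIR__ . '/pages')` followed by `include_once $file` only when the result is not null. The comparison is strict equality, so 'sub/../about' is rejected even though it resolves inside the directory; that is the intended trade: anything that needed normalising is treated as hostile rather than normalised for the caller.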



Re: [PHP] Protecting index.php

2006-04-26 Thread Richard Lynch
On Wed, April 26, 2006 12:53 am, P. Guethlein wrote:
> <?php
> if(isset($_GET['d'])){setcookie('disp',$_GET['d'],time()+(60*60*24*60));$_COOKIE['disp']=$_GET['d'];}

I suppose this isn't so terribly awful, since experienced users can
forge their Cookies as easily as GET, but as a matter of principle,
you SHOULD ensure that $_GET['d'] has the data you expect.

> include_once('writemenus.php');

> if(!isset($_GET['href'])) $include = 'startpage.htm';

This is fine.

> else {
>   $include = $_GET['href']; $include = $include.'.php';

This is SO not fine!!!

You are allowing the Bad Guys to include *ANY* file they want here!

Never ever ever ever use a variable in include() that the user gets to
pick whatever they want.

You need to decide, in advance, which files the user CAN include, like
your 'startpage.htm' and only allow $include to take on those values
you have pre-determined to be valid.

Here's one easy way to do this:
switch($_GET['href']){
  case 'startpage':
  case 'index':
  case 'about':
  case 'contact':
    // only these four names ever reach include(); the suffix is added here
    $include = $_GET['href'] . '.php';
  break;
  default:
    // $_SERVER['REMOTE_ADDR'] rather than a register_globals $REMOTE_ADDR
    error_log("HACK ATTEMPT " . $_SERVER['REMOTE_ADDR'] . " " . date('m/d/Y h:i:s a'));
    die("No.");
  break;
}

>   if($include=='index.php')$include = 'startpage.htm';
> }
> include_once($include);
> include_once('footer.htm');
> ?>

> =
> Hackers seem to be able to call a remote script by appending the URL
> to the href= command line . ( $include )

> What buttons do I need to push to stop this?  Does PHP have a setting
> to allow only local calls? or do I have to do it in the index.php file
> ? or ??

Required Reading:
http://phpsec.org/

All of it.

The whole damn site.

Now.

Sorry.

-- 
Like Music?
http://l-i-e.com/artists.htm

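The allow-list from the reply above, added here as an example and not Richard Lynch's code, restated as a lookup table so that the request string is only ever used as a key and is never concatenated into a path. It goes a little beyond the switch: it rejects a non-string parameter (?href[]=about arrives as an array), logs from $_SERVER['REMOTE_ADDR'] rather than a register_globals variable, answers 404 instead of a bare die(), and keeps the decision in a function that the CLI self-test can call without a web server. The page names, the pages/ directory and the log format are assumptions; it assumes PHP 7.1+.

```php
<?php
// Added example, not Richard Lynch's code: the allow-list as a lookup table.
// Page names, file names and the pages/ directory are assumptions.

/**
 * The only place that turns a request parameter into a file name.
 * Keys are what the URL may say; values are what include() will see.
 * Nothing taken from the request is ever concatenated into the path.
 */
const PAGES = [
    'startpage' => 'startpage.htm',
    'about'     => 'about.php',
    'contact'   => 'contact.php',
];

/** File for ?href=<name>; the start page when absent; null when rejected. */
function select_page($href, array $pages): ?string
{
    if ($href === null) {
        return $pages['startpage'];       // no href at all: same as the original script
    }
    // ?href[]=x arrives as an array; anything but a plain string is a rejection,
    // and array_key_exists() is an exact match (no prefix, suffix or NUL games)
    if (!is_string($href) || !array_key_exists($href, $pages)) {
        return null;
    }
    return $pages[$href];
}

/** One log line per rejected request, built from $_SERVER rather than register_globals. */
function log_rejection(string $remoteAddr, $href): string
{
    $shown = is_string($href) ? substr($href, 0, 80) : gettype($href);
    return sprintf('rejected href %s from %s at %s',
        var_export($shown, true), $remoteAddr, date('c'));
}

// index.php glue for a web request
if (PHP_SAPI !== 'cli') {
    $href = $_GET['href'] ?? null;
    $file = select_page($href, PAGES);
    if ($file === null) {
        error_log(log_rejection($_SERVER['REMOTE_ADDR'] ?? '-', $href));
        http_response_code(404);
        exit('Not found');
    }
    include_once __DIR__ . '/writemenus.php';
    include_once __DIR__ . '/pages/' . $file;
    include_once __DIR__ . '/footer.htm';
    exit;
}

// Self-test from the CLI (constructed inputs); nothing here touches the filesystem
$checks = [
    [null,                         'startpage.htm'],
    ['about',                      'about.php'],
    ['index',                      null],   // not in the table, unlike the original switch
    ['../../../../etc/passwd',     null],
    ['http://evil.example/x.txt?', null],
    ["about\0",                    null],
    [['about'],                    null],   // ?href[]=about
];
foreach ($checks as [$href, $want]) {
    $got = select_page($href, PAGES);
    printf("%-32s %s\n", json_encode($href), $got === $want ? 'PASS' : 'FAIL');
}
echo log_rejection('192.0.2.10', '../../etc/passwd'), "\n";
```

Adding a page means adding one line to PAGES; nothing else in the script changes, and a reviewer can read the complete set of includable files off that table.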



[PHP] Protecting index.php

2006-04-25 Thread P. Guethlein


Initial index.php file:

<?php
if(isset($_GET['d'])){setcookie('disp',$_GET['d'],time()+(60*60*24*60));$_COOKIE['disp']=$_GET['d'];}
include_once('writemenus.php');

if(!isset($_GET['href'])) $include = 'startpage.htm';
else {
 // unchecked: whatever ?href= says, a URL included, becomes the include path
 $include = $_GET['href']; $include = $include.'.php';
 if($include=='index.php')$include = 'startpage.htm';
}
include_once($include);
include_once('footer.htm');
?>

=
Hackers seem to be able to call a remote script by appending the URL
to the href= command line . ( $include )

What buttons do I need to push to stop this?  Does PHP have a setting
to allow only local calls? or do I have to do it in the index.php file ? or ??

Advice welcome!

-Pete
