Jump to content

Recommended Posts

Yes awhile back when I was working on my website I asked for some help on php.

 

<?php
if (isset($_GET['page'])) {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php");
} else {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/home.php");
}
?>

 

it's what I used to pull my pages and I thought it was a nice script until I post it one day because I was having a issue and it comes to find out it's a security flaw. Need help on taking a different approach or how to fix this. I don't know about how PHP....still learning.

 

EDIT: sorry for not posting it code format. fixed!

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/
Share on other sites

<?php
        $allowed = array('home','page1','page2','page3'); 
if (in_array($_GET['page'],$allowed)) {
         include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php");
         } else {
         include("{$_SERVER['DOCUMENT_ROOT']}/includes/home.php");
         }
         ?>

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848241
Share on other sites

That was a fast response, but here's the original thread on another forum. He somewhat explained why it was a flaw, but it doesn't seem like it fixed it.

 

<?php
if (isset($_GET['page']) && file_exists("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php")) {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php");
} else {
include("{$_SERVER['DOCUMENT_ROOT']}/includes/sorry.php");
}
?>

 

That was the original code.

 

Now he said

 

And it is flawed.

 

For example visit this URL:

 

http://www.mattaproductions.com/includes/../images/banner.jpg

 

Now you didn't put banner.jpg in the includes directory did you? Click on that link then see what the browser does to the URL.

 

But this "trick" isn't really a trick, every developer should know not only why it works but also how it affects the security of their applications and computer systems. This doesn't just happen with URLs, it happens with paths in using files and directories.

 

Can someone better explain?

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848249
Share on other sites

The security flaw is that your original code is blindly calling include() on whatever was passed through the URL.  The URL comes from the user, which means the user can edit it to any path that they believe might exist on your file system.  Without filtering what you call include() on, I can attempt to ask your script to open known files in known locations.  These files could contain passwords, keys, or all sorts of information.

 

CV's code creates an array of allowed values and only opens the page from the URL if it is one of the allowed values.  Therefore users can't attempt to open any random file on your file system.

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848251
Share on other sites

Try:

<?php

function clean($text){
$text=trim($text);
$text.=strip_tags($text);
$text.=htmlspecialchars($text,ENT_NOQUOTES);
$text.=filter_var($text,FITER_SANITIZE_STRING);/// PHP 5 only
$text.=mysql_real_escape_string($text);
return $text;
}
$server= clean($_SERVER['DOCUMENT_ROOT']);
$page= clean($_GET['page']);
if (isset($_GET['page']) && file_exists("$server/includes/$page.php")) {
include("$server/includes/$page.php");
} else {
include("$server/includes/sorry.php");
}
?>

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848297
Share on other sites

That is a little like.. oow ooow I found a function i'll stick that in as well!

 

testing the concat!

Clean '<b>me</b>' 

 

Clean '<b>me</b>'Clean 'me'Clean '<b>me</b>'Clean 'me'Clean \'<b>me</b>\'Clean \'me\'Clean \'<b>me</b>\'Clean \'me\'

Wow..The clean function is as clean as my office!

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848324
Share on other sites

ok i redid the function now it returns \//\ which is alot better  :P

<?php
function clean($text){
$text=trim($text);
$text.=strip_tags($text,'<p><b></p></b>');
$text.=str_replace('/','',$text);
$text.=stripslashes($text);
while(strchr($text,'\\')) {
        $text = stripslashes($text);
    } 
$string="/\<b><p></p></b>\/";
$string.=clean($string);
echo $string;

?>

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848361
Share on other sites

try something like this

*untested*

<?php
$path = $_SERVER['DOCUMENT_ROOT'];
$extension = '.php';
$redirectPages = array("NotFound" => "sorry.php","Warning" => "sorry.php");
$hiddenPages = array("private.php","hiddencash.php");

if ( preg_match("#^[a-z0-9_-]+$#i",$_GET['page']) )
{
$page = $_GET['page']
$filename = $path.$page.$extension;
if(file_exists($filename) && !in_array($page,$hiddenPages))
{
	include($filename);
}else{
	include($pages['NotFound']);
}
}else{
//add to security log
include($pages['Warning']);
}
?>

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848411
Share on other sites

The original post by CV ws the simplest and best solution.

 

<?php
        $allowed = array('home','page1','page2','page3'); 
if (in_array($_GET['page'],$allowed)) {
         include("{$_SERVER['DOCUMENT_ROOT']}/includes/{$_GET['page']}.php");
         } else {
         include("{$_SERVER['DOCUMENT_ROOT']}/includes/home.php");
         }
         ?>

 

You've made an array of the pages that are allowed. If the GET value isn't in the array someone's being naughty so just chuck them to the home page, simple, easy and secure.

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848441
Share on other sites

It is the simplest, and as secure as you can make it.  It's a whitelist. You're not on the list, you don't get in. The End.  But I wouldn't say its the best.  It does not track people who attempt to get around it. MadTechie's latest post takes the whitelist concept and expands on it and adds on to it error/security logging.

Link to comment
https://forums.phpfreaks.com/topic/160728-php-security-issue/#findComment-848511
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.