
is my code subject to Remote File Inclusion RFI ?


vin_akleh


Yes, you can be abused. How you go about it depends on what the requested file is. If they are stored in a folder like "contents" or something that is part of a CMS it could be as simple as:

$page = $_REQUEST['page'];

// only include the file if it exists inside our own content folder
if (file_exists("$path/to/content/folder/$page.php")) {
    include "$path/to/content/folder/$page.php";
} else {
    // redirect to index page with no notification as to what or why
    header('Location: index.php');
    exit;
}


or you may want to take the request and do a basename on it and then add the proper path and check if it's alive. You could scan all of the pages allowed into an array and if the request is in array_search then include it. There are numerous ways to do it but your present way is not one of them.


HTH

Teamatomic

CMS= Content Management System

For what you are doing all you need to do is make sure the file exists on your site and it's one you want to display. Just make sure the url/path you use is your own. For example, if you allow remote file opening. Say you have a page named about.php. If you just check that the page requested "about.php" exists on your site and you allow it to be displayed it does no good if you go ahead and then use $_REQUEST['page']. Instead use your own path/url. Because if you do a basename and get "about.php" from the request then go ahead and use the request to include the page you might get something equal to:

include("http://www.mySite/about.php"). And the about.php from mySite might just be a file manager written in PHP.


HTH

Teamatomic

is this the solution??

of course the $path should be preset

	if (isset($_REQUEST["page"]))
	{
		$page=$_REQUEST['page'];
		if(file_exists("$path/$page.php"))
			include "*/".$_REQUEST["page"].".php";
	}
	if (isset($_REQUEST["logout"]))
	{
		$logout=$_REQUEST['logout'];
		if(file_exists("$path/$logout.php"))
			include "logout.php";
	}

No!

don't use the request in the include

You suspect the request of always being malicious, you trust your own $path.


$page = $_REQUEST['page'];
$fn = basename($page);                 // strip any directory part or URL from the request
if (file_exists("$path/$fn.php"))      // check against our own trusted $path
    include("$path/$fn.php");          // include from our own path, never from the raw request


HTH

Teamatomic
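Putting the two pieces of advice above together (basename on the request, and an allow-list of pages built from your own folder) gives a loader like the following. This is an added example, not code from the thread; it assumes a $contentDir folder holding page files such as about.php, and the page name arrives in the hypothetical $_REQUEST['page'].

```php
<?php
// Added example: include only files from a fixed local directory, and only
// names that appear in an allow-list generated on the server itself.
// Assumption: $contentDir holds page files such as about.php.

$contentDir = __DIR__ . '/content';   // our own trusted path, never taken from the request

// Build the allow-list from what actually exists on disk: the bare page names.
function allowed_pages(string $dir): array {
    $names = [];
    foreach (glob($dir . '/*.php') as $file) {
        $names[] = basename($file, '.php');   // "about.php" -> "about"
    }
    return $names;
}

// Resolve a requested page name to a local file, or null if it is not allowed.
function resolve_page(string $requested, string $dir, array $allowed): ?string {
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd"
    // and "http://evil.example/shell.php" becomes "shell.php": the request can
    // never choose a directory or a remote URL, the directory is always ours.
    $name = basename($requested);

    // Strict comparison against the allow-list: only names we generated from
    // our own folder pass, so "shell.php" or "passwd" are rejected.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    return $dir . '/' . $name . '.php';
}

$allowed   = allowed_pages($contentDir);
$requested = isset($_REQUEST['page']) ? (string) $_REQUEST['page'] : 'index';
$file      = resolve_page($requested, $contentDir, $allowed);

if ($file === null) {
    // Unknown page: send the visitor to the front page with no explanation,
    // rather than echoing the bad value back.
    header('Location: index.php');
    exit;
}

// The include argument is built from $contentDir and the allow-list, never from $_REQUEST.
include $file;
```

As a second line of defence, keep allow_url_include (and ideally allow_url_fopen) set to Off in php.ini so that include cannot fetch a remote URL at all, even if validation is ever bypassed.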

just to make sure, this is it

		if (isset($_REQUEST["page"]))
	{
		$page=$_REQUEST['page'];
		fn=basename($page)
		if(file_exists("$path/$fn.php"))
		include"$path/$fn.php";
	}
	if (isset($_REQUEST["logout"]))
	{
		$logout=$_REQUEST['logout'];
		fn=basename($page)
		if(file_exists("$path/$fn.php"))
		include"$path/$fn.php";
	}

????????????????????? :confused:

Oh yeah, I forgot about the

if (isset($_REQUEST["page"]))
	{
		$page=$_REQUEST['page'];
		$fn=basename($page);                // strip any directory part from the request
		if(file_exists("$path/$fn.php"))    // check inside our own $path only
			include "$path/$fn.php";        // include from our own $path, not from the request
	}
	if (isset($_REQUEST["logout"]))
	{
		$logout=$_REQUEST['logout'];
		$fn=basename($logout);              // basename of the logout value, not of $page
		if(file_exists("$path/$fn.php"))
			include "$path/$fn.php";
	}
