is my code subject to Remote File Inclusion RFI ?

[vin_akleh]

 

if (isset($_REQUEST["page"]))
	{
		include $_REQUEST["page"].".php";
	}
	if (isset($_REQUEST["logout"]))
	{
		include "logout.php";
	}

well is it? if so what is the solution?

thanks

[teamatomic]

Yes, you can be abused. How you go about it depends on what the requested file is. If they are store in a folder like "contents" of something that is part of a CMS it could be as simple as:

$page=$_REQUEST['page'];

if(file_exists("$path/to/content/folder/$page.php"))

include the page

else

redirect to index page with no notification as to what or why

 

or you may want to take the request and do a basename on it and then add the proper path and check if its alive.  You could scan all of the pages allowed into an array and if the request is in array_search then include it. There are numerous ways to do it but your present way is not one of them.

 

 

HTH

Teamatomic

[vin_akleh]

what is CMS???

what your saying is that if i check it's  path that will be the solution and nothing else will be needed??

or is there something else that needs to be checked??

[teamatomic]

CMS= Content Management System

For what you are doing all you need to do is make sure the file exists on your site and its one you want to display. Just make sure the url/path you use is your own. For example, if you allow remote file opening. Say you have a page named about.php. If you just check that the page requested "about.php" exists on your site and you allow it to be display it does not good if you go ahead and then use _$REQUEST['page']. Instead use your own path/url. Cause if you do a basename and get "about.php" from the request then go ahead and use the request to include the page you might get something equal to:

include("http://www.mySite/about.php"). And the about.php from mySite might just be a file manager written in PHP.

 

 

HTH

Teamatomic

[vin_akleh]

is this the solution??

of course the $path should be preseted

		if (isset($_REQUEST["page"]))
	{
		$page=$_REQUEST['page'];
		if(file_exists("$path/$page.php"))
		include "*/".$_REQUEST["page"].".php";
	}
	if (isset($_REQUEST["logout"]))
	{
		$logout=$_REQUEST['logout'];
		if(file_exists("$path/$logout.php"))
		include "logout.php";
	}

[teamatomic]

No!

dont use the request in the include

You suspect the request of always being malicious, you trust your own $path.

 

$page=$_REQUEST['page]';
$fn=basename($page);
if(file_exists("$path/$fn.php"))
include("$path/$fn.php");

 

 

HTH

Teamatomic

[vin_akleh]

just to make sure, this is it

		if (isset($_REQUEST["page"]))
	{
		$page=$_REQUEST['page'];
		fn=basename($page)
		if(file_exists("$path/$fn.php"))
		include"$path/$fn.php";
	}
	if (isset($_REQUEST["logout"]))
	{
		$logout=$_REQUEST['logout'];
		fn=basename($page)
		if(file_exists("$path/$fn.php"))
		include"$path/$fn.php";
	}

?????????????????????

[teamatomic]

For the page, I have no idea what the login stuff is that you pass. But you also need a $ to make fn a var in fn=basename($page) and then you need to terminate the statement(

 

 

HTH

Teamatomic

[vin_akleh]

ow ya i forgot about the

if (isset($_REQUEST["page"]))
	{
		$page=$_REQUEST['page'];
		$fn=basename($page);
		if(file_exists("$path/$fn.php"))
		include"$path/$fn.php";
	}
	if (isset($_REQUEST["logout"]))
	{
		$logout=$_REQUEST['logout'];
		$fn=basename($page);
		if(file_exists("$path/$fn.php"))
		include"$path/$fn.php";
	}