
What is a safer way to include an internal webpage to my site?


FalseProphet


I was using include() with an ereg expression to strip all harmful characters out of $_GET['id']. However, a few people have stated to me that no matter what I do, this function is not safe to use and is easily exploitable even after removing illegal characters from $_GET['id'].

 

Now I am looking for a way to include a web page that uses HTML and PHP. file() does not work, as it includes my PHP code within the output so anyone can read it. file_get_contents() did not display any of the page whatsoever.


Please post the code you're using.

 

Ken

 

Hi Ken,

Here is my include() code.

 

<?php
$pageID = isset($_GET['id']) ? $_GET['id'] : "";
// Patterns stripped from the id, one pass each, in this order: "../", "/", "%"
$charIllegal = array();
$charIllegal[0] = "/\.\.\//";
$charIllegal[1] = "/\//";
$charIllegal[2] = "/\%/";

if ($pageID != "") {
    // The extension decides which directory the include is taken from
    $fileExt = substr(strrchr($pageID, '.'), 1);
    if ($fileExt == "php") {
        if (file_exists("scripts/" . preg_replace($charIllegal, "", $pageID)) == TRUE) {
            include("scripts/" . preg_replace($charIllegal, "", $pageID));
        }
    } else {
        if (file_exists("pages/" . preg_replace($charIllegal, "", $pageID)) == TRUE) {
            include("pages/" . preg_replace($charIllegal, "", $pageID));
        }
    }
} else {
    // todo
}
?>

 

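Added example, not the original poster's code: it reimplements the three-pattern strip from the routine above to show what an id still contains after stripping, and puts a resolver beside it that canonicalises the path with realpath() and refuses anything that does not sit under the pages directory. The scratch directory, file names and probe ids are constructed for the demo; the backslash case assumes the site runs on Windows, where include() treats '\' as a directory separator.

```php
<?php
declare(strict_types=1);

// Same three patterns as the posted routine, applied once each, in this order.
function stripIllegal(string $pageID): string
{
    return (string) preg_replace(['/\.\.\//', '/\//', '/\%/'], '', $pageID);
}

// The path the posted routine hands to include() for a given id (no basename()).
function pathForId(string $pageID): string
{
    $clean = stripIllegal($pageID);
    $ext   = substr((string) strrchr($clean, '.'), 1);
    return ($ext === 'php' ? 'scripts/' : 'pages/') . $clean;
}

// Hardened resolver: the id must name an existing regular file whose canonical path
// lies under $base. realpath() collapses '.', '..', symlinks and (on Windows) '\',
// so the check does not depend on how the id was spelled.
function resolveInside(string $base, string $pageID): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $pageID);
    if ($baseReal === false || $target === false || !is_file($target)) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed fixture: a scratch pages/ directory with one real page, plus a file
// one level up that an id must never be able to reach.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.txt', "<p>home</p>\n");
file_put_contents($root . '/config.php', "<?php \$dbPass = 'secret';\n");

// Constructed probe ids.
$probes = [
    'home.txt',          // legitimate page
    '../config.php',     // plain traversal: the first pattern removes it
    '....//config.php',  // one pass turns this into '../config.php'; only the '/' strip rescues it
    '..\\config.php',    // '\' is not on the blacklist; include() follows it on Windows
];
foreach ($probes as $p) {
    printf("%-20s strip => %-22s realpath check => %s\n",
        $p, pathForId($p), resolveInside($root . '/pages', $p) ?? 'rejected');
}

// Remove the scratch files.
unlink($root . '/pages/home.txt');
unlink($root . '/config.php');
rmdir($root . '/pages');
rmdir($root);
```

The point of resolveInside() is that it never reasons about the id's characters at all: it asks the filesystem where the path actually lands and compares that against the directory it is allowed to land in, which is the check a blacklist of characters can only approximate.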

I used basename() a while ago and it seems to do the trick for me, but I am no expert.

 

<?php
define( 'DS', DIRECTORY_SEPARATOR );

if(isset($_GET['page'])){
    echo '<div class="content">';
    // basename() drops any directory part of the parameter; the extension is fixed to .php
    include(dirname(__FILE__).DS.'pages'.DS.basename($_GET['page']).'.php');
    echo '</div>';
}

 

Hope this helps


 

P.S. The above should check if the file exists, of course; anyway, basename() seems to be perfect for stripping.


Since you know the files that should be included in your script, the easiest way of doing this would be:

<?php
// Allowlist of names that may be included; the third argument makes in_array() compare strictly
$allowed = array('list','of','permitted','files');
if (in_array($_GET['id'], $allowed, true) && file_exists("path/to/{$_GET['id']}")) {
    include("path/to/{$_GET['id']}");
} else {
//
//  abort mission...
//
}
?>

 

Another way of circumventing the problem is not to use the explicit file name in the parameter, but to use an index into an array that holds the allowed include files. Then you would have to check if the key exists in the file.

 

Ken

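As an added example (not Ken's code) of the index-into-an-array variant described in the reply above: the URL carries an opaque key, the map alone decides the path, and a missing, malformed or unknown key falls back to the home page instead of being turned into a filename. The scratch directory, file names and keys are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed scratch site so the example runs on its own.
$root = sys_get_temp_dir() . '/pagemap_demo_' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
mkdir("$root/system/scripts", 0700, true);
file_put_contents("$root/pages/home.txt",             "<h1>Home</h1>\n");
file_put_contents("$root/pages/about.txt",            "<h1>About</h1>\n");
file_put_contents("$root/system/scripts/contact.php", "<h1>Contact <?= date('Y') ?></h1>\n");
file_put_contents("$root/config.php",                 "<?php \$dbPass = 'secret';\n");

// Keys are what the URL carries (?id=about); values are fixed server-side paths.
$pageMap = [
    'home'    => "$root/pages/home.txt",
    'about'   => "$root/pages/about.txt",
    'contact' => "$root/system/scripts/contact.php",
];

// Map a request value to an include path. Anything that is not a plain string
// (?id[]=x arrives as an array) or not a known key yields null.
function pageFor(array $map, mixed $key): ?string
{
    if (!is_string($key) || !array_key_exists($key, $map)) {
        return null;
    }
    return $map[$key];
}

// Include the page into a buffer so it can be dropped into a content div;
// unknown keys render the fallback page rather than guessing a path.
function renderPage(array $map, mixed $key, string $fallback = 'home'): string
{
    $path = pageFor($map, $key) ?? $map[$fallback];
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed requests: two valid keys, a traversal attempt, an array, and nothing at all.
foreach (['about', 'contact', '../config.php', ['x'], null] as $requested) {
    printf("%-16s => %s", json_encode($requested), renderPage($pageMap, $requested));
}
// In index.php this would be:
//   echo '<div class="content">', renderPage($pageMap, $_GET['id'] ?? null), '</div>';

// Clean up the scratch site.
foreach ($pageMap as $f) {
    unlink($f);
}
unlink("$root/config.php");
rmdir("$root/system/scripts");
rmdir("$root/system");
rmdir("$root/pages");
rmdir($root);
```

Because the included file can still be a .php page (contact.php above runs date()), this keeps the "PHP, HTML and CSS inside a content div" behaviour the original poster wants while removing the client's ability to name any file.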

The thing is, I won't know all of the pages. I wrote some functions to create a dynamic page and include it into a content div.

 

I took cssfreakie's advice and included basename() in my routine.

 

Is this safe to use, and would there be any possible repercussions to using include()?

Basically, I want to include into a content div a page that uses PHP, HTML and CSS, as if the user had navigated to a whole new page, without actually leaving index.php.

 

Are there any alternatives to include() that can do this?

 

BTW, here is the new routine I am using:

<?php
$pageID = isset($_GET['id']) ? $_GET['id'] : "";
function ParsePages($pageID) {
    // Patterns stripped from the id, one pass each, in this order: "../", "/", "%"
    $charIllegal = array();
    $charIllegal[0] = "/\.\.\//";
    $charIllegal[1] = "/\//";
    $charIllegal[2] = "/\%/";

    if ($pageID != "") {
        $pageID = preg_replace($charIllegal, "", $pageID);
        // The extension decides which directory the include is taken from;
        // basename() drops any remaining directory part
        $fileExt = substr(strrchr($pageID, '.'), 1);
        if ($fileExt == "php") {
            if (file_exists("system/scripts/" . basename($pageID)) == TRUE) {
                include("system/scripts/" . basename($pageID));
            } else {
                include("pages/home.txt");
            }
        } else {
            if (file_exists("pages/" . basename($pageID)) == TRUE) {
                include("pages/" . basename($pageID));
            } else {
                include("pages/home.txt");
            }
        }
    } else {
        include("pages/home.txt");
    }
}
// Render the requested page (or home) into the content area
ParsePages($pageID);
?>

 

How secure is this? What possible attacks could occur on this?

Still searching for a solution. I can't seem to find any information about whether or not my routine is safe, or if there is an alternative to include().

Bump


What you could do is what Drupal does: store the new pages in a database. When they are requested, by referring to the id of the record, you could write the contents out to a temporary file, include that file, and then delete the temporary file. Alternatively, you could use eval() on the stored code.

 

Hopefully, your code makes sure that the submitted code is free of any code that could cause problems.

 

Ken

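An added example (not Ken's code) of the database-backed variant from the reply above: pages are selected by integer record id, the id is validated and bound as a parameter, and the stored source is executed through a temporary file that is removed even when the page throws. It uses an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs on its own; the table layout and sample pages are constructed for the demo. One caveat a practitioner will want stated: whatever sits in the source column runs as PHP with the web server's privileges, so this is only acceptable when every writer of that table is a trusted administrator.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database with two sample pages.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT NOT NULL, source TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO page (id, title, source) VALUES (?, ?, ?)');
$ins->execute([1, 'Home',  "<h1>Home</h1>\n"]);
$ins->execute([2, 'About', "<h1>About</h1><p>Rendered at <?= date('c') ?></p>\n"]);

// Look the page up by id only. The value is validated as a positive integer before
// it reaches SQL and the query is parameterised, so the client never supplies a path
// or a query fragment.
function fetchPage(PDO $db, mixed $id): ?array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return null;
    }
    $st = $db->prepare('SELECT title, source FROM page WHERE id = ?');
    $st->execute([$n]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Execute the stored source via a temporary file; the file and any leftover output
// buffer are cleaned up whether the include succeeds or throws.
function renderStored(PDO $db, mixed $id): ?string
{
    $page = fetchPage($db, $id);
    if ($page === null) {
        return null;
    }
    $tmp   = tempnam(sys_get_temp_dir(), 'page_');
    $level = ob_get_level();
    try {
        file_put_contents($tmp, $page['source']);
        ob_start();
        include $tmp;
        return (string) ob_get_clean();
    } finally {
        while (ob_get_level() > $level) {
            ob_end_clean();
        }
        unlink($tmp);
    }
}

// Constructed requests: a valid id, an injection attempt, a negative id, and an array.
foreach (['2', '2 OR 1=1', '-1', ['x']] as $requested) {
    printf("%-14s => %s\n", json_encode($requested), renderStored($db, $requested) ?? 'not found');
}
```

Only the first request renders; the other three are rejected by filter_var() before any SQL runs, which is the check Ken's "referring to the id of the record" relies on.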

Archived

This topic is now archived and is closed to further replies.
