FalseProphet Posted March 20, 2011

I was using Include() with an ereg expression to strip all harmful characters out of the $_GET['id']. However, a few people have stated to me that no matter what I do this function is not safe to use and is easily exploitable even after removing illegal characters from $_GET['id']. Now I am looking for a way to include a web page that uses HTML and PHP. file() does not work as it includes my PHP code within the output so anyone can read it. file_get_contents() did not display any of the page whatsoever.
kenrbnsn Posted March 20, 2011

Please post the code you're using.

Ken
FalseProphet (Author) Posted March 20, 2011

> Please post the code you're using.
> Ken

Hi Ken, here is my include() code.

```php
<?php
$pageID = $_GET['id'];

// patterns removed from the requested id before it is used as a file name
$charIllegal = array();
$charIllegal[0] = "/\.\.\//";
$charIllegal[1] = "/\//";
$charIllegal[2] = "/\%/";

if ($pageID != "") {
    $fileExt = substr(strrchr($pageID, '.'), 1);
    if ($fileExt == "php") {
        if (file_exists("scripts/" . preg_replace($charIllegal, "", $pageID)) == TRUE) {
            include("scripts/" . preg_replace($charIllegal, "", $pageID));
        }
    } else {
        if (file_exists("pages/" . preg_replace($charIllegal, "", $pageID)) == TRUE) {
            include("pages/" . preg_replace($charIllegal, "", $pageID));
        }
    }
} else {
    // todo
}
```
cssfreakie Posted March 20, 2011

I used basename() a while ago and it seems to do the trick for me, but I am no expert.

```php
<?php
define('DS', DIRECTORY_SEPARATOR);

if (isset($_GET['page'])) {
    echo '<div class="content">';
    // basename() reduces the parameter to its last path component
    include(dirname(__FILE__) . DS . 'pages' . DS . basename($_GET['page']) . '.php');
    echo '</div>';
}
```

Hope this helps.

P.S. The above should check if the file exists of course; anyway, basename() seems to be perfect for stripping.
kenrbnsn Posted March 20, 2011

Since you know the files that should be included in your script, the easiest way of doing this would be:

```php
<?php
// allowlist of file names that may be included
$allowed = array('list', 'of', 'permitted', 'files');

if (in_array($_GET['id'], $allowed) && file_exists("path/to/{$_GET['id']}")) {
    include("path/to/{$_GET['id']}");
} else {
    //
    // abort mission...
    //
}
?>
```

Another way of circumventing the problem is not to use the explicit file name in the parameter, but to use an index into an array that holds the allowed include files. Then you would have to check if the key exists in the file.

Ken
FalseProphet (Author) Posted March 21, 2011

The thing is, I won't know all of the pages. I wrote some functions to create a dynamic page and include it into a content div. I took cssfreakie's advice and included basename() into my routine. Is this safe to use and would there be any possible repercussion to using include?

Basically, I want to include into a content div a page that uses PHP, HTML and CSS as if the user navigated to a whole new page without actually leaving index.php. Are there any alternatives to Include() that can do this?

BTW, here is the new routine I am using:

```php
<?php
$pageID = $_GET['id'];

function ParsePages($pageID)
{
    // patterns removed from the requested id before it is used as a file name
    $charIllegal = array();
    $charIllegal[0] = "/\.\.\//";
    $charIllegal[1] = "/\//";
    $charIllegal[2] = "/\%/";

    if ($pageID != "") {
        $pageID = preg_replace($charIllegal, "", $pageID);
        $fileExt = substr(strrchr($pageID, '.'), 1);
        if ($fileExt == "php") {
            if (file_exists("system/scripts/" . basename($pageID)) == TRUE) {
                include("system/scripts/" . basename($pageID));
            } else {
                include("pages/home.txt");
            }
        } else {
            if (file_exists("pages/" . basename($pageID)) == TRUE) {
                include("pages/" . basename($pageID));
            } else {
                include("pages/home.txt");
            }
        }
    } else {
        include("pages/home.txt");
    }
}
?>
```

How secure is this? What possible attacks could occur on this?
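An added example, not written by anyone in this thread, of the hardening kenrbnsn and cssfreakie point at: instead of stripping characters the routine accepts only a plain file name, canonicalises it with realpath() and refuses anything that does not stay inside the intended directory. It assumes the poster's layout of pages/ and system/scripts/ next to index.php and the home.txt fallback; the function names are mine.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a requested page id to a file inside $baseDir, or return null.
 * Rather than deleting "illegal" substrings (a denylist that is easy to
 * get wrong), allow only a simple file name, then check the canonical path.
 */
function resolvePage(string $pageID, string $baseDir, array $allowedExt): ?string
{
    // Allowlist of characters: one name, one extension, nothing else.
    if (!preg_match('/^[A-Za-z0-9_-]+\.[a-z]+$/', $pageID)) {
        return null;
    }
    $ext = strtolower(pathinfo($pageID, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $pageID);
    if ($base === false || $real === false) {
        return null; // directory or file does not exist
    }
    // Containment check on the canonical path: this also covers symlinks,
    // which a character filter on the raw parameter never sees.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

/** Include the requested page, falling back to the home page. */
function renderPage(string $pageID): void
{
    // Scripts may only come from system/scripts, content only from pages.
    $file = resolvePage($pageID, __DIR__ . '/system/scripts', ['php'])
         ?? resolvePage($pageID, __DIR__ . '/pages', ['txt', 'html']);
    if ($file === null) {
        $file = __DIR__ . '/pages/home.txt'; // same fallback as the thread
    }
    // Note: include() still runs any <?php in a .txt file, so content
    // files must be ones you control, never uploaded by users.
    include $file;
}

renderPage($_GET['id'] ?? '');
```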
FalseProphet (Author) Posted March 22, 2011

Still searching for a solution. I can't seem to find any information about whether or not my routine is safe or if there is an alternative to include().
FalseProphet (Author) Posted March 25, 2011

Bump
kenrbnsn Posted March 25, 2011

What you could do is what Drupal does... Store the new pages in a database. When they are requested, by referring to the id of the record, you could write the contents out to a temporary file, include that file, and then delete the temporary file. You could use eval() on the stored code instead. Hopefully, your code makes sure that the submitted code is free of any code that could cause problems.

Ken