Jump to content

Archived

This topic is now archived and is closed to further replies.

fpc*

Is this code a security issue?

Recommended Posts

I have an advertisor who has requested I use php code to include their ad tag, this is the code they have given me;

[quote]<?php
$SERVER_NAME=$_SERVER['SERVER_NAME'];
$urlx=$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
$ref=str_replace(" ",null,$HTTP_USER_AGENT);
$URL="http://www.etc.com/etc/etc.php?urlx=".$urlx."&site=".$SERVER_NAME."&ref=".$ref;
$file = @fopen("$URL", "r");
$r = "";
do {
  $data = @fread($file, 8192);
  if (strlen($data) == 0) {
      break;
  }
  $r .= $data;
} while (true);
fclose ($file);
echo $r;


?>
[/quote]

Does this look malicous in any way? Can it be used to run remote commands, upload files or download files? I am a bit paranoid, but only because I am a bit clueless ;>

Any help is appreciated. thanks

Share this post


Link to post
Share on other sites
[code]<?php
// this simple retrieves the name of your server.
$SERVER_NAME=$_SERVER['SERVER_NAME'];
// retrieves the name of the server, with the current page
$urlx=$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
// This stuff below works with your name to prepare it to recieve hte information coming to it
$ref=str_replace(" ",null,$HTTP_USER_AGENT);
$URL="http://www.etc.com/etc/etc.php?urlx=".$urlx."&site=".$SERVER_NAME."&ref=".$ref;
// opens the website, and prepares it.
$file = @fopen("$URL", "r");
// set's r to blank variable
$r = "";
reading data into a file,
do {
  $data = @fread($file, 8192);
  if (strlen($data) == 0) {
      break;
  }
  $r .= $data;
} while (true);
fclose ($file);
echo $r;


?>[/code]
It looks safe.
I might have missed something but it looks pretty safe to me.

Share this post


Link to post
Share on other sites
what about XSS attacks, or inject html, inject javascript, and any other html compatible markup?

Share this post


Link to post
Share on other sites
It looks to me like the script is analyzing your server information, and including a file that hte guy wants included based on your server information.

There is no user input coming from anywhere, but of course he would be able to do something with it if he wanted on his end obviously.  Never trust a script from someone you don't know.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.