goodfortune Posted June 14, 2012

Hi,

I inherited a site in which the php include script is vulnerable and needs to be rewritten. I am having difficulty with this, because the site has an unusual amount of subdirectories. The site is a magazine which has many different issues and sections. For example, in the Fall 2011 issue, there is a directory www.domain.com/fall2011. Inside this directory, there are directories for all the categories of literary work published. For example: www.domain.com/fall2011/poetry; www.domain.com/fall2011/articles; www.domain.com/fall2011/reviews, etc. And in each of those sub-subdirectories, there are individual pages which must be included in the main template. For example www.domain.com/fall2011/poetry/poet.php. The main template, with the script, is located in the root folder.

The (very) vulnerable script that is now disabled is this:

```php
<?php
// Request parameter is used directly as the include path.
$inc = $_REQUEST['inc'];
if (isset($inc)) {
    $page = $inc . '.php';
    include ($page);
}
?>
```

The script I tried to change it to was this:

```php
if (!$page) {
    include('../fall2011/*/*.php');
} else {
    if (file_exists('/' . $page . '.php')) {
        include('/' . $page . '.php');
    } else {
        echo('This page does not exist!');
    }
}
?>
```

This is obviously incorrect, but I'm confused as to what to do to allow includes only from any of the subdirectories of the site, and any of the pages in any of the subdirectories depending on the link. I considered doing an array, but again am unsure how to properly proceed due to the many subdirectories.

Sorry if this explanation is unclear. I am very new to this and hope that I'm explaining my difficulty accurately. Thanks in advance for any help you can offer.

Goody

This is not working, especially because the same template has to be used for all the years, which go back to spring 2008 at least, and all the subdirectories within each of those years. I was wondering if you could offer me any scripting advice to accomplish this.

I have spent days researching and have come up empty. I am very concerned that we will need to recode all these issues and not have the site dynamic anymore, which would obviously take a lion's share of time to rewrite every page. Any help you can give me would be greatly, greatly appreciated!
scootstah Posted June 14, 2012

Are you sure those are actual directories and not dynamically rewritten URLs? That seems a little silly if they are actually directories.

Also, your "fixed" code is still vulnerable to Local File Inclusion (LFI). Just because the file exists doesn't make you safe; someone could be requesting any file that the system has access to. You need to remove slashes and dots from the input.
goodfortune (Author) Posted June 14, 2012

Hi,

They are actually file folders on the server, unfortunately - not dynamic. Thanks for your comment on the script still not being secure. Not sure how to remove the slashes and dots with all the subdirectories though. There are literally hundreds of pages in various subdirectories. Would I need to create several index template pages in this case, or is there a better way I'm not understanding? I would hate to have to rewrite code on years of issues if it's not necessary.

Thanks,
Goody
antmeeks Posted June 14, 2012

You just need to write a recursive file finder/includer to traverse the subdirectories. There's a ton of them out there already written... just google it.
scootstah Posted June 14, 2012

> Would I need to create several index template pages in this case, or is there a better way I'm not understanding?

No, just don't do this (assuming $page is unsanitized input):

```php
include('/' . $page . '.php');
```
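One way to put the advice in this thread into practice, as an added example that is not code from any poster: the template keeps one dispatcher, the request value is restricted to the `issue/section/page` shape the original post describes, and the resolved path is checked against the content root before anything is included. The constant CONTENT_ROOT (assumed to be the folder holding the template and the issue folders), the parameter name `inc` and the three-segment layout are assumptions taken from the thread's description, not verified against the real site. The second function shows the allowlist variant suggested by antmeeks: walk the issue folders once and accept only pages found there.

```php
<?php
// Added example, not the original poster's or any reply's code.
// Assumed layout: CONTENT_ROOT/<issue>/<section>/<page>.php, e.g. fall2011/poetry/poet.php
declare(strict_types=1);

const CONTENT_ROOT = __DIR__;   // assumption: the template sits beside the issue folders

/**
 * Return the absolute path of the page to include, or null if the request
 * is not an allowed page. Expected shape: "fall2011/poetry/poet".
 */
function resolvePage(string $requested): ?string
{
    // 1. Shape check before touching the filesystem: exactly three segments of
    //    safe characters. No dots and no slashes inside a segment, so parent
    //    references, absolute paths, NUL bytes and stream wrappers never match.
    if (!preg_match('~^[a-z0-9_-]+/[a-z0-9_-]+/[a-z0-9_-]+$~', $requested)) {
        return null;
    }

    // 2. Resolve to a canonical path (symlinks collapsed; false if missing)
    //    and confirm it still lies under CONTENT_ROOT.
    $root = realpath(CONTENT_ROOT);
    $candidate = realpath(CONTENT_ROOT . '/' . $requested . '.php');
    if ($root === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }

    // 3. Only regular .php files are includable (not directories or other types).
    if (!is_file($candidate) || substr($candidate, -4) !== '.php') {
        return null;
    }
    return $candidate;
}

/**
 * Allowlist variant: walk the issue folders once and map "issue/section/page"
 * keys to real file paths. The request is then a lookup, never a path.
 */
function buildPageAllowlist(): array
{
    $pages = [];
    $root = realpath(CONTENT_ROOT);
    if ($root === false) {
        return $pages;
    }
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile() || $file->getExtension() !== 'php') {
            continue;
        }
        // Strip the root prefix and the ".php" suffix to form the key.
        $relative = substr($file->getPathname(), strlen($root) + 1, -4);
        $key = str_replace(DIRECTORY_SEPARATOR, '/', $relative);
        // Keep only keys of the expected depth; this excludes the template itself.
        if (substr_count($key, '/') === 2) {
            $pages[$key] = $file->getPathname();
        }
    }
    return $pages;
}

// Dispatcher used by the template (parameter name "inc" is an assumption).
$inc = isset($_GET['inc']) && is_string($_GET['inc']) ? $_GET['inc'] : '';
$page = resolvePage($inc);
if ($page === null) {
    http_response_code(404);
    echo 'This page does not exist!';
} else {
    include $page;
}
```

With this in place, `?inc=fall2011/poetry/poet` includes `fall2011/poetry/poet.php`, while any value containing `..`, a leading slash, a dot or fewer than three segments fails the first check and gets the 404 branch; the realpath comparison is the second line of defence if the directory layout ever changes. If the site's real depth differs from three segments, adjust the regular expression and the `substr_count` check together.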
goodfortune (Author) Posted June 14, 2012

Thanks both of you! I'm going to get to Googling - appreciate your advice!