Newbie include issue re: subdirectories

goodfortune

Hi,

I inherited a site in which the php include script is vulnerable and needs to be rewritten.  I am having difficulty with this, because the site has an unusual amount of subdirectories.

The site is a magazine which has many different issues and sections. For example, in the Fall 2011 issue, there is a directory www.domain.com/fall2011. Inside this directory, there are directories for all the categories of literary work published. For example: www.domain.com/fall2011/poetry; www.domain.com/fall2011/articles; www.domain.com/fall2011/reviews, etc. And in each of those sub-subdirectories, there are individual pages which must be included in the main template. For example www.domain.com/fall2011/poetry/poet.php.

The main template, with the script, is located in the root folder.  The (very) vulnerable script that is now disabled is this:

```php
<?php
$inc = $_REQUEST['inc'];
if (isset($inc)){
    $page = $inc. '.php';
    include ($page);
}
?>
```

The script I tried to change it to was this:

```php
<?php
if(!$page){
    include('../fall2011/*/*.php');
} else {
    if(file_exists('/'.$page.'.php')){
        include('/'.$page.'.php');
    } else {
        echo('This page does not exist!');
    }
}
?>
```

This is obviously incorrect, but I'm confused as to what to do to allow includes only from any of the subdirectories of the site, and any of the pages in any of the subdirectories depending on the link.

I considered doing an array, but again am unsure how to properly proceed due to the many subdirectories.

Sorry if this explanation is unclear.  I am very new to this and hope that I'm explaining my difficulty accurately.

Thanks in advance for any help you can offer.

Goody

This is not working, especially because the same template has to be used for all the years, which go back to spring 2008 at least, and all the subdirectories within each of those years.  I was wondering if you could offer me any scripting advice to accomplish this. I have spent days researching and have come up empty.  I am very concerned that we will need to recode all these issues and not have the site dynamic anymore, which would obviously take a lion's share of time to rewrite every page.  Any help you can give me would be greatly, greatly appreciated!


Are you sure those are actual directories and not dynamically rewritten URL's? That seems a little silly if they are actually directories.


Also, your "fixed" code is still vulnerable to Local File Inclusion (LFI). Just because the file exists doesn't make you safe; someone could be requesting any file that the system has access to. You need to remove slashes and dots from the input.

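To make the reply concrete, here is an added example of a hardened replacement for the include script. It is not code from either poster; it assumes the template sits in the site root and that every issue page follows the layout the original post describes, <root>/<issue>/<section>/<page>.php (e.g. fall2011/poetry/poet.php), so a link becomes ?inc=fall2011/poetry/poet. The whitelist is the path shape itself, which covers every year and section without an array of hundreds of file names. Names such as SITE_ROOT and resolve_page are this example's own.

```php
<?php
// Added example, not the original poster's code. Confines includes to
// <SITE_ROOT>/<issue>/<section>/<page>.php and rejects anything else.

// Directory that includes are confined to (assumed: the template's own directory).
define('SITE_ROOT', realpath(__DIR__));

/**
 * Return the absolute path of the requested page, or null if the request is
 * not an allowed issue page. Only the shape "issue/section/page" built from
 * letters, digits, underscore and hyphen is accepted, so "..", leading "/",
 * null bytes and "php://"-style wrappers never reach the filesystem at all.
 */
function resolve_page(string $inc): ?string
{
    if (!preg_match('~^[a-z0-9_-]+/[a-z0-9_-]+/[a-z0-9_-]+$~i', $inc)) {
        return null;
    }

    $real = realpath(SITE_ROOT . '/' . $inc . '.php');
    if ($real === false || !is_file($real)) {
        return null;
    }

    // Defence in depth: even after the pattern check, the resolved path must
    // still live under SITE_ROOT (a symlink could otherwise point outside it).
    if (strpos($real, SITE_ROOT . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $real;
}

// Read the parameter from $_GET rather than $_REQUEST so cookies and POST
// bodies cannot supply it.
$inc  = isset($_GET['inc']) ? (string) $_GET['inc'] : '';
$page = ($inc === '') ? null : resolve_page($inc);

if ($page !== null) {
    include $page;
} else {
    http_response_code(404);
    echo 'This page does not exist!';
}
```

Because the check is on the shape of the request rather than on a list of files, the same template serves spring 2008 as well as fall 2011 with no per-issue changes; a page is only reachable if it actually exists at that three-level path under the site root. If some sections nest deeper or shallower than three levels, widen the pattern to the exact depths in use rather than allowing arbitrary segments.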

Hi,

They are actually file folders on the server, unfortunately - not dynamic.

Thanks for your comment on the script still not being secure.  Not sure how to remove the slashes and dots with all the subdirectories though.  There are literally hundreds of pages in various subdirectories. Would I need to create several index template pages in this case, or is there a better way I'm not understanding?  I would hate to have to rewrite code on years of issues if it's not necessary.

Thanks, Goody
