PHP Script security help


hasbehas


Hi Folks,

 

I have these basic PHP scripts that I use on my sites. Recently somebody started spamming through this script; because of this, my account has been suspended.

 

Would someone please tell me what the problem with this script is?

I need to fix this asap.

 

 

I have one function, as follows.

//read htm
$htm = ".htm";
$pid = "$page$htm";
function show_page($pid)
{
require($pid);
}
// read htm ends

//read title txt
$txt = ".txt";
$title = "$page$txt";
function show_title($title)
{
require($title);
}
// read title txt ends

 

And within details.php I have

show_title("$title");
............................
...........................
show_page("$pid");

 

I call the files as /details.php?content=aboutus

Title file is called aboutus.txt

And content is called aboutus.htm

 

This details.php calls these two files.

https://forums.phpfreaks.com/topic/37288-php-script-security-help/

You need to validate that the file you're requiring is a valid local include. At the moment anyone can include any script into your code.

 

The easiest way is to make an array of valid files, then check against that. eg;

 

<?php

  // list of the files that may be included (put your real file names here)
  $valid = array('foo.txt','bar.txt');

  $include = $_GET['content'].".txt";
  if (in_array($include,$valid)) {
    require $include;
  }

?>

 

Also... it appears you may have register globals enabled, this is in itself a security risk and should be taken up with your host.
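An added example, not code from the thread: the allowlist idea from the reply above, with the list built from the directory of pages itself so that nobody has to type hundreds of file names. It assumes a constructed layout in which the pages live in a content/ directory next to details.php as NAME.htm plus NAME.txt, and it reads the page name from $_GET['content'] rather than relying on register_globals.

```php
<?php
// Added example (not from the thread). Builds the allowlist of page names by
// scanning the content directory, so the list never has to be maintained by
// hand. Assumed layout: content/NAME.htm and content/NAME.txt.

$content_dir = __DIR__ . '/content'; // assumed directory, adjust to taste

// Returns the names of pages that have both a .htm body and a .txt title in $dir.
function allowed_pages($dir)
{
    $pages = array();
    $files = glob($dir . '/*.htm');
    if ($files === false) {
        return $pages; // unreadable directory: publish nothing
    }
    foreach ($files as $file) {
        $name = basename($file, '.htm');
        if (is_file($dir . '/' . $name . '.txt')) {
            $pages[] = $name;
        }
    }
    return $pages;
}

function show_title($dir, $name)
{
    require $dir . '/' . $name . '.txt';
}

function show_page($dir, $name)
{
    require $dir . '/' . $name . '.htm';
}

// Read the request explicitly; do not depend on register_globals filling $page.
$page = isset($_GET['content']) ? $_GET['content'] : 'index';

// Strict comparison: a request such as ?content[]=x arrives as an array and
// never matches a string in the list.
if (in_array($page, allowed_pages($content_dir), true)) {
    show_title($content_dir, $page);
    // ............ (rest of the page layout from details.php)
    show_page($content_dir, $page);
} else {
    header('HTTP/1.0 404 Not Found');
    echo 'Page not found';
}
?>
```

Because only names that came out of glob() can ever reach require, the request string itself is never used to build a path, which is the whole point of the allowlist. The directory is scanned on every request; if the number of pages ever makes that slow, the list can be cached, but it must still be derived from the directory rather than from user input.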

Thank you..

 

I have loads of htm files and txt files. There is no way I can type all the names of them. Besides I use this script on a few domains. Would have to modify them too. Damn.. Sounds like a nightmare.

 

How about allowing only htm and txt ?


 

That would still mean anyone could insert htm or txt files into your script. You could try checking the file exists, but this may not be effective if url wrappers are enabled. eg;

 

<?php

  $include = $_GET['content'].'.txt';
  if (file_exists($include)) {
    include $include;
  }

?>

I heard of a function called basename(). Would this help? And how do I use it?

 


Just looked up basename, and it might work for you. If you strip the basename out of what they give you, and include that, it might just work as you intend it to. However, to prevent somebody from placing in a remote file (and notifying yourself about it, and telling them it's been noted) I suggest you check their data for http:// ftp:// https:// and any other url wrappers your host has enabled, then send a mail() to yourself, and exit out telling the user that they attempted to use a remote file, and that this has been noted as a hacking attempt. In your mail() make sure to include as much information about them as you can get, as evidence of their attempted "attack".

Thank you very much for the suggestion, but I am unable to create such formula as I am not that advanced. :'(


I would say use:

 

if (substr_count(strtolower($page), "http://") > 0)
{
    // do mail and error print
}

 

I used strtolower() because substr_count is case sensitive.

 

And make sure you do one for http://, ftp://, https://, and one for all your other url wrappers. If you don't know which ones are enabled make a file with the following code:

<?php
phpinfo();
?>

 

Upload, and run it. That will display your php configuration data. At the bottom of the first big block it will tell you which url wrappers are enabled.
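An added example, not code from the thread, that puts the basename() suggestion and the remote-URL check from the last two replies together in one place. It assumes a constructed layout in which the pages live in a content/ directory beside details.php as NAME.htm plus NAME.txt, reads the name from $_GET['content'], and records refused requests with error_log() instead of mail().

```php
<?php
// Added example (not from the thread). Resolves the requested page name to a
// file inside one fixed directory and refuses everything else. Assumed layout:
// content/NAME.htm and content/NAME.txt, requested as details.php?content=NAME.

$content_dir = realpath(__DIR__ . '/content'); // assumed directory

// Returns the absolute path of $name.$ext inside $dir, or false when the
// request is not a plain page name that resolves to a file in that directory.
function content_path($dir, $name, $ext)
{
    if ($dir === false || !is_string($name)) {
        return false; // missing directory, or ?content[]=x sent as an array
    }
    // basename() drops any directory part, as suggested above. The pattern
    // then insists on a plain name, so "http://host/x", "../x" and every other
    // wrapper or path are rejected before the file system is touched.
    $name = basename($name);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    $path = realpath($dir . '/' . $name . $ext);
    // realpath() is false for a file that does not exist, which replaces the
    // file_exists() check; the prefix test also catches a symlink that points
    // outside the content directory.
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

// Record the refused request in the web server's error log and stop.
function reject($requested)
{
    error_log(sprintf('details.php: refused content=%s from %s',
        var_export($requested, true),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'));
    header('HTTP/1.0 404 Not Found');
    exit('Page not found');
}

$requested = isset($_GET['content']) ? $_GET['content'] : 'index';
$title = content_path($content_dir, $requested, '.txt');
$body  = content_path($content_dir, $requested, '.htm');
if ($title === false || $body === false) {
    reject($requested);
}
require $title;
// ............ (rest of the page layout from details.php)
require $body;
?>
```

Checking the name against a strict pattern makes the separate substr_count() tests for http://, ftp:// and https:// unnecessary, because no scheme, slash or colon can pass it in the first place, and the realpath() prefix test makes the same guarantee a second time at the file-system level. The error log already carries the timestamp and the request, so there is no need to mail the details to yourself.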
