Php inclusion flaw (I could get hacked, please help)

U

Unknown

Established Member

★ 20 ★

Impact

3

• Nov 15, 2004

• #2

Bump

 

wcolby

Established Member

★ 20 ★

Impact

1

• Nov 15, 2004

• #3

you need to edit the files so the filename's it looks for are prefixed with a let's say a letter or word..

mysite.com/?page=sale.php would pulldown inc_sale.php

If you need help post the snippet of code that does your includes or email it to me at [email protected] (remove the nospam) and I'll edit it and mail it back to you with instructions.

 

U

Unknown

Established Member

★ 20 ★

Impact

3

• Nov 15, 2004

• #4

So I just create a prefix for all file names and in the script ask for the $page var and add the prefix to it then include it?

This is simple, but I was wondering if there is an easier way.

 

DuffMan

Established Member

★ 20 ★

Impact

0

• Nov 21, 2004

• #5

I actually had my site hacked like this. I ended up just creating header and footer files and including them in every page instead of using the index.php?page=bla method. I know it takes a lot of work, but you're almost guaranteed to be safe. Alternatively, you could probably make sure the include statement is like this:

include("http://www.mysite.com/".$_HTTP_GET_VARS["page"]);

I'm not completely sure that's safe, however, so I would just go with the first method.

 

axilant

Account Closed

Impact

28

• Nov 22, 2004

• #6

or,

you can have an array of allowed files that can be included, and use a if statement to make sure its allowed to be used. Could be a hassle if ur not fimiliar with arrays.

 

peaudecastor

québécois libreEstablished Member

★ 20 ★

Impact

3

• Nov 22, 2004

• #7

Just be sure that there isnt an http:// tag in the url you get..

 

Peter

VIP Member

VIP

★ 20 ★

Impact

209

• Nov 22, 2004

• #8

DuffMan said:

Alternatively, you could probably make sure the include statement is like this:

include("http://www.mysite.com/".$_HTTP_GET_VARS["page"]);

I'm not completely sure that's safe, however, so I would just go with the first method.

Click to expand...

if you do that then the person has access to any file that is on that domain,

what is to stop someone going to a url for say http://www.mysite.com/script.php?page=includes/config.inc

 

DuffMan

Established Member

★ 20 ★

Impact

0

• Nov 24, 2004

• #9

filth said:

if you do that then the person has access to any file that is on that domain,

what is to stop someone going to a url for say http://www.mysite.com/script.php?page=includes/config.inc

Click to expand...

True, didn't think of that. That's why I said I wasn't sure it was safe. :bah:

However, most include files are .inc.php and the values are within <?php and ?> tags, meaning they won't be shown anyway.

I'd just go with the header and footer files methods. It's a minor inconvenience to switch over, but makes you safer in the long run.

 

Peter

VIP Member

VIP

★ 20 ★

Impact

209

• Nov 25, 2004

• #10

then why this discussion in the first place, the person wishes to secure a php file. Also even if it is a .php file the possible error message could convey information in itself.

 

A

adam_uk

Established Member

★ 20 ★

Impact

20

• Nov 25, 2004

• #11

use a switch statement

<?

switch($_GET['page'])
{
case 'page1':
include("page1.php");
break;
case 'page2':
include("page1.php");
break;
case 'page3':
include("page1.php");
break;
case 'page4':
include("page1.php");
break;
case default:
include("error.php");
}
?>

then change the links to http://yoursite.com/index.php?page=page1

etc

and if they give something like http://yourside.com/index.php?page=hakscript.php

that will send them to the default case and show them an error

 

N

NineASpades

Established Member

★ 20 ★

Impact

1

• Nov 26, 2004

• #12

Why not just have your link look like
http://www.yoursite.com?page=blah
not
http://www.yoursite.com?page=blah.php

Then in the index file have
include($_GET[page].php);

I think that would work....

 

Sergio965

Account Closed

Impact

17

• Nov 26, 2004

• #13

NineASpades said:

Why not just have your link look like
http://www.yoursite.com?page=blah
not
http://www.yoursite.com?page=blah.php

Then in the index file have
include($_GET[page].php);

I think that would work....

Click to expand...

Yea, but wouldn't they still be able to access the file?

Using:
http://www.yoursite.com?page=hacksite

 

N

NineASpades

Established Member

★ 20 ★

Impact

1

• Nov 26, 2004

• #14

Well along with what I said I usually have an index file which will have something like

if ($_GET[page] == "blah") {
include("blah.php");
}

or like said before use a switch structure.

Also, is there a reason the user should not be allowed to visit
http://www.yoursite.com?page=whatever

I do not understnad how that would lead them to hacking the site...Can you explain please?

 

Sergio965

Account Closed

Impact

17

• Nov 26, 2004

• #15

NineASpades said:

Well along with what I said I usually have an index file which will have something like

if ($_GET[page] == "blah") {
include("blah.php");
}

or like said before use a switch structure.

Also, is there a reason the user should not be allowed to visit
http://www.yoursite.com?page=whatever

I do not understnad how that would lead them to hacking the site...Can you explain please?

Click to expand...

Wouldn't that make an error?

Maybe:

if ($_GET[page] == "blah") {
include("blah.php");
}
else
{
include ("error.php");
}

or

if ($_GET[page] == "blah")
include("blah.php");
else
include ("error.php");

Maybe? That should work..

 

N

NineASpades

Established Member

★ 20 ★

Impact

1

• Nov 26, 2004

• #16

Yes, thats what I meant...The code I posted was a quicky, I didnt expand on the else.

 

Sergio965

Account Closed

Impact

17

• Nov 26, 2004

• #17

oh allright,

So yea..the code I posts would work, you just would need tomake the error.php, either make or just not make it and let it go to a dns error. You can also use the switch, it's almost the same thing..

So, yea...