#1 (thread starter) | NamePros Regular | Join Date: Oct 2004 | Location: IL | Posts: 657

Dynamic Page Inclusion Fix

One of my sites includes files depending on the variable defined in the URL address. Someone told me that is a security flaw, could anyone tell me what I can do to fix it? Here is an example: mysite.com/?page=somehaxsite.com/haxscript.php It will include haxscript.php, anyone know the fix?

Last edited by Unknown; 11-14-2004 at 06:43 PM.
#3 | New Member | Join Date: Nov 2004 | Posts: 13

You need to edit the files so the filenames it looks for are prefixed with, let's say, a letter or word. mysite.com/?page=sale.php would pull down inc_sale.php. If you need help, post the snippet of code that does your includes or email it to me at wcolby@NOSPAMranking.ws (remove the nospam) and I'll edit it and mail it back to you with instructions.
#4 (thread starter) | NamePros Regular | Join Date: Oct 2004 | Location: IL | Posts: 657

So I just create a prefix for all file names and in the script ask for the $page var and add the prefix to it, then include it? This is simple, but I was wondering if there is an easier way.
#5 | NamePros Regular | Join Date: Jul 2003 | Location: Maryland, USA | Posts: 603

I actually had my site hacked like this. I ended up just creating header and footer files and including them in every page instead of using the index.php?page=bla method. I know it takes a lot of work, but you're almost guaranteed to be safe. Alternatively, you could probably make sure the include statement is like this:

    include("http://www.mysite.com/" . $HTTP_GET_VARS["page"]);

I'm not completely sure that's safe, however, so I would just go with the first method.
#8 | NamePros Expert | Join Date: Nov 2003 | Location: Scotland | Posts: 5,069

What is to stop someone going to a URL for, say, http://www.mysite.com/script.php?pag...des/config.inc

__________________
Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft
#9 | NamePros Regular | Join Date: Jul 2003 | Location: Maryland, USA | Posts: 603

However, most include files are .inc.php and the values are within <?php and ?> tags, meaning they won't be shown anyway. I'd just go with the header and footer files method. It's a minor inconvenience to switch over, but makes you safer in the long run.
#10 | NamePros Expert | Join Date: Nov 2003 | Location: Scotland | Posts: 5,069

Then why this discussion in the first place? The person wishes to secure a PHP file. Also, even if it is a .php file, the possible error message could convey information in itself.

__________________
Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft
#11 | Senior Member | Join Date: May 2003 | Posts: 2,187

Use a switch statement:

    <?php
    // Only the page names listed here are ever included; anything else
    // falls through to the default case and shows the error page.
    switch ($_GET['page']) {
        case 'page1':
            include("page1.php");
            break;
        case 'page2':
            include("page2.php");
            break;
        case 'page3':
            include("page3.php");
            break;
        case 'page4':
            include("page4.php");
            break;
        default:
            include("error.php");
    }
    ?>

Then change the links to http://yoursite.com/index.php?page=page1 etc., and if they give something like http://yoursite.com/index.php?page=hakscript.php that will send them to the default case and show them an error.
#12 | NamePros Regular | Join Date: Apr 2004 | Location: Near Albany NY | Posts: 261

Why not just have your link look like http://www.yoursite.com?page=blah, not http://www.yoursite.com?page=blah.php? Then in the index file have

    include($_GET['page'] . ".php");

I think that would work....

__________________
CoverageArea.com & CoverageAreas.com - TAKING OFFERS Discuss Business | PC Gaming Talk | Travel Safety Tips
#13 | Account Closed | Join Date: Apr 2004 | Location: ~root | Posts: 1,091

Using: http://www.yoursite.com?page=hacksite
#14 | NamePros Regular | Join Date: Apr 2004 | Location: Near Albany NY | Posts: 261

Well, along with what I said, I usually have an index file which will have something like

    if ($_GET['page'] == "blah") {
        include("blah.php");
    }

or, like said before, use a switch structure. Also, is there a reason the user should not be allowed to visit http://www.yoursite.com?page=whatever? I do not understand how that would lead them to hacking the site... Can you explain please?

__________________
CoverageArea.com & CoverageAreas.com - TAKING OFFERS Discuss Business | PC Gaming Talk | Travel Safety Tips
#15 | Account Closed | Join Date: Apr 2004 | Location: ~root | Posts: 1,091

Maybe:

    if ($_GET['page'] == "blah") {
        include("blah.php");
    } else {
        include("error.php");
    }

or

    if ($_GET['page'] == "blah") include("blah.php"); else include("error.php");

Maybe? That should work..
#16 | NamePros Regular | Join Date: Apr 2004 | Location: Near Albany NY | Posts: 261

Yes, that's what I meant... The code I posted was a quickie, I didn't expand on the else.

__________________
CoverageArea.com & CoverageAreas.com - TAKING OFFERS Discuss Business | PC Gaming Talk | Travel Safety Tips
#17 | Account Closed | Join Date: Apr 2004 | Location: ~root | Posts: 1,091

Oh, all right. So yeah, the code I posted would work, you just would need to make the error.php; either make it or just not make it and let it go to a DNS error. You can also use the switch, it's almost the same thing.. So, yeah...
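The switch and if/else fixes from posts #11 and #15 (and the prefix idea from #3) are all ways of refusing to include anything not on a fixed list. The front controller below is an added example, not code from this thread; it assumes PHP 7 or later, an inc/ directory beside index.php, and the PAGES map and resolve_page() helper, which are this example's own names.

```php
<?php
// Added example, not code from the thread: an allow-list front controller for
// the "index.php?page=..." pattern. The PAGES map, the inc/ directory and the
// resolve_page() helper are assumptions made for this example.

// The pattern from the original post: whatever arrives in ?page= is included,
// so a remote URL or a path to another file on the server gets pulled in.
//   include($_GET['page']);
// Prefixing ("inc_" . $page) or appending ".php" still hands the visitor's
// string to the filesystem; mapping a key to a fixed file does not.

const INCLUDE_DIR = __DIR__ . '/inc';   // assumed location of the page files

// Allow-list: request key => file under INCLUDE_DIR. The key is only ever
// used as an array index, never as part of a path.
const PAGES = [
    'home'    => 'home.php',
    'sale'    => 'sale.php',
    'contact' => 'contact.php',
];

/**
 * Resolve the ?page= value to a file under INCLUDE_DIR, falling back to
 * error.php for anything not in the list: unknown keys, URLs, "../" paths,
 * and arrays from ?page[]=x. The caller performs the include.
 */
function resolve_page($key): string
{
    if (is_string($key) && array_key_exists($key, PAGES)) {
        return INCLUDE_DIR . '/' . PAGES[$key];
    }
    return INCLUDE_DIR . '/error.php';
}

if (PHP_SAPI === 'cli') {
    // Constructed probes: a valid key, the remote script from post #1,
    // a traversal path, an array value and an empty string.
    $probes = ['sale', 'somehaxsite.com/haxscript.php', '../config.inc', ['x'], ''];
    foreach ($probes as $probe) {
        printf("%-34s -> %s\n",
               json_encode($probe, JSON_UNESCAPED_SLASHES),
               basename(resolve_page($probe)));
    }
} else {
    // Web request: the default page is "home" when ?page= is absent.
    include resolve_page($_GET['page'] ?? 'home');
}
```

Run from the command line it only prints which file each probe resolves to; every probe except "sale" lands on error.php, which is the behaviour the switch in post #11 gets by hand.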