php inclusion flaw (I could get hacked, please help)

Unknown · 11-14-2004, 05:21 PM

One of my sites includes files depending on the variable definded in the URL address. Someone told me that is a secruity flaw, could anyone tell me what I can do to fix it?
Here is an exmaple:

mysite.com/?page=somehaxsite.com/haxscript.php

It will include haxscript.php, any one know hte fix?

Unknown · 11-14-2004, 06:28 PM

Bump

wcolby · 11-14-2004, 07:30 PM

you need to edit the files so the filename's it looks for are prefixed with a let's say a letter or word..

mysite.com/?page=sale.php would pulldown inc_sale.php

If you need help post the snippet of code that does your includes or email it to me at wcolby@NOSPAMranking.ws (remove the nospam) and I'll edit it and mail it back to you with instructions.

Unknown · 11-14-2004, 09:27 PM

So I just create a prefix for all file names and in the script ask for the $page var and add the prefix to it then include it?

This is simple, but I was wondering if there is an easier way.

DuffMan · 11-21-2004, 03:11 PM

I actually had my site hacked like this. I ended up just creating header and footer files and including them in every page instead of using the index.php?page=bla method. I know it takes a lot of work, but you're almost guaranteed to be safe. Alternatively, you could probably make sure the include statement is like this:

include("http://www.mysite.com/".$_HTTP_GET_VARS["page"]);

I'm not completely sure that's safe, however, so I would just go with the first method.

axilant · 11-21-2004, 07:37 PM

or,

you can have an array of allowed files that can be included, and use a if statement to make sure its allowed to be used. Could be a hassle if ur not fimiliar with arrays.

peaudecastor · 11-21-2004, 08:20 PM

Just be sure that there isnt an http:// tag in the url you get..

Peter · 11-21-2004, 11:12 PM

Quote:

Originally Posted by DuffMan

Alternatively, you could probably make sure the include statement is like this:

include("http://www.mysite.com/".$_HTTP_GET_VARS["page"]);

I'm not completely sure that's safe, however, so I would just go with the first method.

if you do that then the person has access to any file that is on that domain,

what is to stop someone going to a url for say http://www.mysite.com/script.php?pag...des/config.inc

DuffMan · 11-24-2004, 01:58 PM

Quote:

Originally Posted by filth

if you do that then the person has access to any file that is on that domain,

what is to stop someone going to a url for say http://www.mysite.com/script.php?pag...des/config.inc

True, didn't think of that. That's why I said I wasn't sure it was safe.

However, most include files are .inc.php and the values are within <?php and ?> tags, meaning they won't be shown anyway.

I'd just go with the header and footer files methods. It's a minor inconvenience to switch over, but makes you safer in the long run.

Peter · 11-24-2004, 11:31 PM

then why this discussion in the first place, the person wishes to secure a php file. Also even if it is a .php file the possible error message could convey information in itself.

adam_uk · 11-24-2004, 11:39 PM

use a switch statement

<?

switch($_GET['page'])
{
case 'page1':
include("page1.php");
break;
case 'page2':
include("page1.php");
break;
case 'page3':
include("page1.php");
break;
case 'page4':
include("page1.php");
break;
case default:
include("error.php");
}
?>

then change the links to http://yoursite.com/index.php?page=page1

etc

and if they give something like http://yourside.com/index.php?page=hakscript.php

that will send them to the default case and show them an error

NineASpades · 11-25-2004, 04:23 PM

Why not just have your link look like
http://www.yoursite.com?page=blah
not
http://www.yoursite.com?page=blah.php

Then in the index file have
include($_GET[page].php);

I think that would work....

Sergio965 · 11-25-2004, 06:22 PM

Quote:

Originally Posted by NineASpades

Why not just have your link look like
http://www.yoursite.com?page=blah
not
http://www.yoursite.com?page=blah.php

Then in the index file have
include($_GET[page].php);

I think that would work....

Yea, but wouldn't they still be able to access the file?

Using:
http://www.yoursite.com?page=hacksite

NineASpades · 11-25-2004, 06:33 PM

Well along with what I said I usually have an index file which will have something like

if ($_GET[page] == "blah") {
include("blah.php");
}

or like said before use a switch structure.

Also, is there a reason the user should not be allowed to visit
http://www.yoursite.com?page=whatever

I do not understnad how that would lead them to hacking the site...Can you explain please?

Sergio965 · 11-25-2004, 07:12 PM

Quote:

Originally Posted by NineASpades

Well along with what I said I usually have an index file which will have something like

if ($_GET[page] == "blah") {
include("blah.php");
}

or like said before use a switch structure.

Also, is there a reason the user should not be allowed to visit
http://www.yoursite.com?page=whatever

I do not understnad how that would lead them to hacking the site...Can you explain please?

Wouldn't that make an error?

Maybe:

if ($_GET[page] == "blah") {
include("blah.php");
}
else
{
include ("error.php");
}

or

if ($_GET[page] == "blah")
include("blah.php");
else
include ("error.php");

Maybe? That should work..

NineASpades · 11-25-2004, 07:17 PM

Yes, thats what I meant...The code I posted was a quicky, I didnt expand on the else.

Sergio965 · 11-25-2004, 07:22 PM

oh allright,

So yea..the code I posts would work, you just would need tomake the error.php, either make or just not make it and let it go to a dns error. You can also use the switch, it's almost the same thing..

So, yea...

11-14-2004, 05:21 PM	#1 (permalink)
Unknown NamePros Regular Join Date: Oct 2004 Location: IL Posts: 621 519.00 NP$ (Donate)	Dynamic Page Inclusion Fix One of my sites includes files depending on the variable definded in the URL address. Someone told me that is a secruity flaw, could anyone tell me what I can do to fix it? Here is an exmaple: mysite.com/?page=somehaxsite.com/haxscript.php It will include haxscript.php, any one know hte fix? __________________ LogoJive.com - Professional Grade Web Development! My Domain Listing: dnListing.com/unknown Last edited by Unknown; 11-14-2004 at 05:43 PM.

11-14-2004, 06:28 PM	#2 (permalink)
Unknown NamePros Regular Join Date: Oct 2004 Location: IL Posts: 621 519.00 NP$ (Donate)	Bump __________________ LogoJive.com - Professional Grade Web Development! My Domain Listing: dnListing.com/unknown

11-14-2004, 07:30 PM	#3 (permalink)
wcolby New Member Join Date: Nov 2004 Posts: 13 18.50 NP$ (Donate)	you need to edit the files so the filename's it looks for are prefixed with a let's say a letter or word.. mysite.com/?page=sale.php would pulldown inc_sale.php If you need help post the snippet of code that does your includes or email it to me at wcolby@NOSPAMranking.ws (remove the nospam) and I'll edit it and mail it back to you with instructions. __________________ SEO News \| Free Link Popularity Checker

11-14-2004, 09:27 PM	#4 (permalink)
Unknown NamePros Regular Join Date: Oct 2004 Location: IL Posts: 621 519.00 NP$ (Donate)	So I just create a prefix for all file names and in the script ask for the $page var and add the prefix to it then include it? This is simple, but I was wondering if there is an easier way. __________________ LogoJive.com - Professional Grade Web Development! My Domain Listing: dnListing.com/unknown

11-21-2004, 03:11 PM	#5 (permalink)
DuffMan NamePros Regular Join Date: Jul 2003 Location: Maryland, USA Posts: 603 77.00 NP$ (Donate)	I actually had my site hacked like this. I ended up just creating header and footer files and including them in every page instead of using the index.php?page=bla method. I know it takes a lot of work, but you're almost guaranteed to be safe. Alternatively, you could probably make sure the include statement is like this: include("http://www.mysite.com/".$_HTTP_GET_VARS["page"]); I'm not completely sure that's safe, however, so I would just go with the first method. __________________ Eric AKA DuffMan [HG Interactive] [ ShoutPro]

11-21-2004, 07:37 PM	#6 (permalink)
axilant Account Closed Join Date: May 2004 Location: /etc/passwd Posts: 2,194 0.00 NP$ (Donate)	or, you can have an array of allowed files that can be included, and use a if statement to make sure its allowed to be used. Could be a hassle if ur not fimiliar with arrays.

11-21-2004, 08:20 PM	#7 (permalink)
peaudecastor québécois libre Join Date: Oct 2003 Location: Trois-Rivieres, Québec Posts: 563 353.91 NP$ (Donate)	Just be sure that there isnt an http:// tag in the url you get.. __________________ French / Quebec domain name portfolio Le Blogue du Québec

11-24-2004, 11:31 PM	#10 (permalink)
Peter Senior Member Join Date: Nov 2003 Location: Scotland Posts: 4,900 0.60 NP$ (Donate)	then why this discussion in the first place, the person wishes to secure a php file. Also even if it is a .php file the possible error message could convey information in itself. __________________ Manage your portfolio using my new Domain Portfolio Management script. Securing Your Domain Name From Theft

11-24-2004, 11:39 PM	#11 (permalink)
adam_uk Senior Member Join Date: May 2003 Posts: 2,211 6,170.25 NP$ (Donate)	use a switch statement <? switch($_GET['page']) { case 'page1': include("page1.php"); break; case 'page2': include("page1.php"); break; case 'page3': include("page1.php"); break; case 'page4': include("page1.php"); break; case default: include("error.php"); } ?> then change the links to http://yoursite.com/index.php?page=page1 etc and if they give something like http://yourside.com/index.php?page=hakscript.php that will send them to the default case and show them an error

11-25-2004, 04:23 PM	#12 (permalink)
NineASpades NamePros Regular Join Date: Apr 2004 Location: Near Albany NY Posts: 261 3.00 NP$ (Donate)	Why not just have your link look like http://www.yoursite.com?page=blah not http://www.yoursite.com?page=blah.php Then in the index file have include($_GET[page].php); I think that would work.... __________________ CoverageArea.com & CoverageAreas.com - TAKING OFFERS Discuss Business \| PC Gaming Talk \| Travel Safety Tips

11-25-2004, 06:33 PM	#14 (permalink)
NineASpades NamePros Regular Join Date: Apr 2004 Location: Near Albany NY Posts: 261 3.00 NP$ (Donate)	Well along with what I said I usually have an index file which will have something like if ($_GET[page] == "blah") { include("blah.php"); } or like said before use a switch structure. Also, is there a reason the user should not be allowed to visit http://www.yoursite.com?page=whatever I do not understnad how that would lead them to hacking the site...Can you explain please? __________________ CoverageArea.com & CoverageAreas.com - TAKING OFFERS Discuss Business \| PC Gaming Talk \| Travel Safety Tips

11-25-2004, 07:17 PM	#16 (permalink)
NineASpades NamePros Regular Join Date: Apr 2004 Location: Near Albany NY Posts: 261 3.00 NP$ (Donate)	Yes, thats what I meant...The code I posted was a quicky, I didnt expand on the else. __________________ CoverageArea.com & CoverageAreas.com - TAKING OFFERS Discuss Business \| PC Gaming Talk \| Travel Safety Tips

11-25-2004, 07:22 PM	#17 (permalink)
Sergio965 Account Closed Join Date: Apr 2004 Location: ~root Posts: 1,095 1,505.80 NP$ (Donate)	oh allright, So yea..the code I posts would work, you just would need tomake the error.php, either make or just not make it and let it go to a dns error. You can also use the switch, it's almost the same thing.. So, yea...

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)