I have my page set up so that all the URLs are like http://kafene.org/index.php?url=http:// ... g/main.php. Google won't index these, so it's a major pain. Mod_rewrite helps some but the blog archives are stuck like this (blogger's fault).
Is there a way to make it so that scripts can't be embedded and all URLs automatically are executed for kafene.org?
What I'm saying is if I tried to go to http://kafene.org/index.php?url=http:// ... _script.pl it would attempt to go to that file ("http://badsite.net/malicious_script.pl") on my own domain rather than bring in a remote one?
And also so that if someone put in index.php?url=<? it would attempt to go to the file <?.
This way I can get Google-compatible PHP URLs (it doesn't mind index.php?url=42, it's the included domains that throw it off)...
Thanks!
security without inconvenience
Daisy Cutter
feyd
use pathinfo() or a regular expression to dig the domain name out of the URL specified. compare it against your domain.. kill the page if mismatched.
you could also convert the passed location to a local path.. then just make sure the include doesn't handle non-local URLs..
third option: modify the blogging script to fix this error in judgment.
Daisy Cutter
I am the world's largest fool.
<?php include("http://kafene.org/$url") ?>
DOH!
I had had:
    <?php
    if (!empty($_GET['url'])) {
        $var = parse_url($_GET['url']);
        if ($var['host'] == 'kafene.org' || $var['host'] == 'www.kafene.org') {
            // $url only exists with register_globals on; it is the raw,
            // unchecked query value, and a kafene.org URL is still fetched
            // over HTTP rather than read from the local filesystem.
            require "$url";
        } else {
            echo 'you can only include URLs on kafene.org';
        }
    }
    ?>
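The approach feyd suggests (convert the passed location to a local path and make sure the include never handles a non-local URL) as an added example, not code from the thread. It assumes the pages live in a `pages/` directory next to index.php and that the `url` parameter names a `.php` file in it; anything with a scheme, a host, traversal components or odd characters (including `<?`) is refused rather than opened.

```php
<?php
// Added example: map ?url=... onto a file under a fixed local directory and
// refuse everything else, so include/require never sees a remote location.
// PAGE_ROOT and the file layout are assumptions made for this illustration.
define('PAGE_ROOT', __DIR__ . '/pages');

function resolveLocalPage(string $param): ?string
{
    // Anything with a scheme ("http:", "php:", "data:") or a "//" host part
    // is a remote or wrapper location, never a page on this site.
    if (parse_url($param, PHP_URL_SCHEME) !== null || strpos($param, '//') !== false) {
        return null;
    }
    // Allow-list the characters a page name may contain. This also rejects
    // the "<?" case from the question, since '<' and '?' are not permitted.
    if (!preg_match('~^[A-Za-z0-9/_.-]+$~', $param)) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks and fails if the file
    // does not exist, so the prefix check below decides containment.
    $root   = realpath(PAGE_ROOT);
    $target = realpath(PAGE_ROOT . '/' . ltrim($param, '/'));
    if ($root === false || $target === false) {
        return null;
    }
    if (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null; // resolved to something outside PAGE_ROOT
    }
    // Only PHP pages are includable; no .txt, .htaccess or uploads.
    if (substr($target, -4) !== '.php') {
        return null;
    }
    return $target;
}

$page = resolveLocalPage($_GET['url'] ?? 'main.php');
if ($page === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
require $page;
```

With this in place, `index.php?url=main.php` still works for search engines while `index.php?url=http://badsite.net/malicious_script.pl` gets a 404; as a second line of defence, `allow_url_include=Off` in php.ini (PHP 5.2 and later) stops include/require from fetching remote URLs at all.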