security without inconvenience

Posted: Wed Sep 01, 2004 7:22 pm
by Daisy Cutter
I have my page set up so that all the URLs are like http://kafene.org/index.php?url=http:// ... g/main.php. Google won't index these, so it's a major pain. Mod_rewrite helps some but the blog archives are stuck like this (blogger's fault).

Is there a way to make it so that scripts can't be embedded and all URLs automatically are executed for kafene.org?

What I'm saying is if I tried to go to http://kafene.org/index.php?url=http:// ... _script.pl it would attempt to go to that file ("http://badsite.net/malicious_script.pl") on my own domain rather than bring in a remote one?

And also so that if someone put in index.php?url=<? it would attempt to go to the file <?.

This way I can get google-compatible PHP URLs (it doesn't mind index.php?url=42, it's the included domains that throw it off)...

Thanks!

Posted: Wed Sep 01, 2004 7:25 pm
by feyd
use pathinfo() or a regular expression to dig the domain name out of the url specified. compare it against your domain.. kill the page if mismatched.

you could also convert the passed location to a local path.. then just make sure the include doesn't handle non-local urls..

third option: modify the blogging script to fix this error in judgment.

Posted: Wed Sep 01, 2004 7:42 pm
by Daisy Cutter
I am the world's largest fool.

<?php include("http://kafene.org/$url") ?>

DOH!

I had had:

<?php
if(!empty($_GET['url'])){
  // split the submitted URL into scheme/host/path parts
  $var = parse_url($_GET['url']);
  // only accept a URL whose host is this site
  if(isset($var['host']) && ($var['host'] == 'kafene.org' || $var['host'] == 'www.kafene.org')){
    // use the request parameter directly; the bare $url only worked with register_globals
    // note: this still fetches the page over HTTP from kafene.org rather than from the local disk
    require $_GET['url'];
  } else {
    echo 'you can only include URLs on kafene.org';
  }
}
?>
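A worked version of feyd's second suggestion (convert the passed location to a local path so the include never touches a remote URL), which also replaces the host check in the code above. This is an added example and not the poster's code; it assumes the includable pages live under a hypothetical pages/ directory next to index.php and that the site answers on the two host names listed.

```php
<?php
// Added example, not from the original thread. Maps ?url= to a file under
// a fixed local directory; nothing is ever fetched over HTTP.
declare(strict_types=1);

function resolve_local_include(string $requested, string $base, array $allowedHosts): ?string
{
    $parts = parse_url($requested);
    if ($parts === false) {
        return null;                                   // unparseable input
    }
    // An absolute URL is accepted only when it names our own site.
    if (isset($parts['host']) && !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                                   // foreign domain: refuse
    }
    if (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                                   // php://, data://, ftp:// and friends
    }
    $path = '/' . ltrim($parts['path'] ?? '', '/');    // keep only the path component
    if (strpos($path, "\0") !== false) {
        return null;                                   // embedded NUL byte
    }
    $baseReal  = realpath($base);
    $candidate = realpath($base . $path);
    if ($baseReal === false || $candidate === false) {
        return null;                                   // no such file
    }
    // realpath() has already collapsed "..", so a prefix check confines us to $base.
    if (strncmp($candidate, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;                                   // escaped the base directory
    }
    if (pathinfo($candidate, PATHINFO_EXTENSION) !== 'php') {
        return null;                                   // only page scripts, not arbitrary files
    }
    return $candidate;
}

$base         = __DIR__ . '/pages';                    // hypothetical directory of includable pages
$allowedHosts = ['kafene.org', 'www.kafene.org'];      // assumed site host names

if (!empty($_GET['url'])) {
    $file = resolve_local_include((string) $_GET['url'], $base, $allowedHosts);
    if ($file === null) {
        http_response_code(404);
        echo 'you can only include pages on kafene.org';
    } else {
        require $file;                                 // a local file under pages/, never a URL
    }
}
```

With this, index.php?url=http://badsite.net/malicious_script.pl is refused because the host is foreign, and index.php?url=<? is refused because no such file exists under pages/.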