include() security issues

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

jiop
Forum Newbie
Posts: 11
Joined: Wed Dec 18, 2002 4:00 am
Location: newport beach

include() security issues

Post by jiop »

are there any include() security issues to worry about if i am using it in the following way?

1. user clicks on a link which has key/value pairs ie http://blah.com?com=111

2. $com gets value 111

3. then i include in a template page

Code:

include("$com.php");
mydimension
Moderator
Posts: 531
Joined: Tue Apr 23, 2002 6:00 pm
Location: Lowell, MA USA
Contact:

Post by mydimension »

yep, huge security issue. basically opens your entire server to the public. I'm not the best one to explain the details here nor how to best go about safely using this method. (someone wanna jump in on this?)
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

the risk is not that big since all the files will be treated as php-files but it can include/process files that should be protected e.g. by .htaccess. So it's still big enough ;)
At least you should limit it to numbers (looks like this is what you want) by

Code:

$com = (int)$_GET['com'];
this will also limit includes to the same directory
(think about http://blah.com?com=..%2Fsomething -> $_GET['com'] == '../something' but (int)$_GET['com'] will be 0 :twisted: )
jiop
Forum Newbie
Posts: 11
Joined: Wed Dec 18, 2002 4:00 am
Location: newport beach

Post by jiop »

volka wrote:the risk is not that big since all the files will be treated as php-files but it can include/process files that should be protected e.g. by .htaccess. So it's still big enough ;)
At least you should limit it to numbers (looks like this is what you want) by

Code:

$com = (int)$_GET['com'];
this will also limit includes to the same directory
(think about http://blah.com?com=..%2Fsomething -> $_GET['com'] == '../something' but (int)$_GET['com'] will be 0 :twisted: )
Yup, was just going to use numbers. Used the is_numeric() function to make sure things were getting passed in as numbers. Thanks for everyone's input!!
evilcoder
Forum Contributor
Posts: 345
Joined: Tue Dec 17, 2002 5:37 am
Location: Sydney, Australia

Post by evilcoder »

Want security try this:

Code:

<?php
$path = "/path/to/include/folder"; // Without trailing slash
$com  = isset($_GET['com']) ? $_GET['com'] : ''; // read the request value explicitly (no register_globals)

// Only include the page if the file exists; otherwise fall back to a default page.
if ( $com <> "" && file_exists( $path . "/" . $com . ".php" ) )
{
  include( "$path/$com.php" ); // same file name as the file_exists() check above
}
else
{
  include( "$path/_default.php" );
}
?>
Now, make the file _default.php with something like your news page or whatever, so if someone thinks "OK, I'll put in a bogus variable name to find the folder name" they will just get your default page, as you have told PHP to check whether the file exists first; if it does, include it, if not, include this default.

This is a much more secure way.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

what about com=../../../UserB/secret.php ? ;)
evilcoder
Forum Contributor
Posts: 345
Joined: Tue Dec 17, 2002 5:37 am
Location: Sydney, Australia

Post by evilcoder »

I'm pretty sure that's the most secure method. I tried on my webserver and finding files cannot be done unless there is a file with the same name as the variable, and because you have set what $path is, it would be hard to see other files.

Don't know whether I'm right, but I'm pretty sure it's quite secure.
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

any include() that uses a request-variable directly IS a big risk, especially if you run your script as a cgi/wrapper as your own user, since any other user on the same server could create a file that would steal your secrets or send email on your behalf and such..

as mentioned, a hard path in front is not useful unless you strip all double dots and slashes..

Myself I would consider it the safest to have an indexed/fixed list

$valids = array(
'bob' => 'bobmarley.php',
'superbowl' => 'superbowl.php',
'nfl' => 'nationalfootball.php'
);

if (empty($valids[$_REQUEST['com']])) die ('Invalid request');
include ($valids[$_REQUEST['com']]);

or if you must use a filename directly, make sure it doesn't contain any bad stuff

// pattern needs delimiters; A-Za-z rather than A-z, which would also admit [ \ ] ^ _ `
$com = preg_replace('/[^A-Za-z0-9]/', '', stripslashes($_REQUEST['com']));
include ('/full/path/'.$com.'.php');
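The two approaches in the post above, a fixed map and a character filter, written out as an added example that is not part of the thread. The page names, the /full/path directory and PHP 7 or newer are assumptions, and the filter here rejects a bad token outright instead of stripping characters from it.

```php
<?php
// Added example, not code from the thread: Stoker's two approaches (a fixed
// map and a character filter) written as functions that can be exercised
// against constructed inputs. The page names and /full/path are assumptions.
// Assumes PHP 7 or newer.

declare(strict_types=1);

// Approach 1: a fixed map from request token to file name. Only values of
// this array ever reach include(), so the request can at most pick an entry.
const PAGE_MAP = [
    'bob'       => 'bobmarley.php',
    'superbowl' => 'superbowl.php',
    'nfl'       => 'nationalfootball.php',
];

/** File to include for a request token, or null if the token is unknown. */
function resolve_from_map(?string $com, array $map = PAGE_MAP): ?string
{
    // Array keys are compared exactly: "../x", "NFL" or "" are simply not keys.
    return ($com !== null && isset($map[$com])) ? $map[$com] : null;
}

// Approach 2: a character filter for cases where the token is the file name.
// Two points differ from the post: the pattern has delimiters and spells out
// A-Za-z (the range A-z also covers [ \ ] ^ _ ` which sit between Z and a in
// ASCII), and a bad token is rejected rather than cleaned, so "../nfl" does
// not quietly become "nfl".
function resolve_from_filter(?string $com, string $dir): ?string
{
    if ($com === null || preg_match('/\A[A-Za-z0-9]{1,32}\z/', $com) !== 1) {
        return null;
    }
    return $dir . '/' . $com . '.php';
}

// Constructed sample requests: a normal one, then the traversal attempts from
// this thread (one still URL-encoded, as it appears in the address bar).
$samples = [
    'nfl',
    '../../../UserB/secret.php',
    '..%2F..%2Fetc%2Frc.config',
    'bob/../../etc/passwd',
    '',
];

foreach ($samples as $raw) {
    $com = urldecode($raw); // $_GET already holds the decoded form
    printf("%-28s map=%-22s filter=%s\n",
        var_export($raw, true),
        var_export(resolve_from_map($com), true),
        var_export(resolve_from_filter($com, '/full/path'), true));
}

// In a page, only the resolved file is passed to include():
//   $file = resolve_from_map($_GET['com'] ?? null);
//   if ($file === null) { http_response_code(400); exit('Invalid request'); }
//   include __DIR__ . '/pages/' . $file;
```

Of the two, the map is the stronger choice: the request never contributes a single character to the path, it only selects an entry, so there is nothing to sanitize. The filter is for the case where the token really has to become a file name, and even then the bad-token branch should refuse rather than repair, because a stripped "../" leaves a request that looks valid but was not what the client asked for.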
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

evilcoder: if your webserver runs on a Linux system, call that script with
com=..%2Fetc%2Frc.config
com=..%2F..%2Fetc%2Frc.config
com=..%2F..%2F..%2Fetc%2Frc.config
and so on. How long does it take until something different from default.php is shown?

edit: oops, forgot some F :oops:
evilcoder
Forum Contributor
Posts: 345
Joined: Tue Dec 17, 2002 5:37 am
Location: Sydney, Australia

Post by evilcoder »

I've gone down 15 ..%2 now and still nothing, is that good?
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

evilcoder wrote:I've gone down 15 ..%2 now and still nothing, is that good?
not good, you misunderstand the concept, without limiting the path anyone could go anywhere on that server..
evilcoder
Forum Contributor
Posts: 345
Joined: Tue Dec 17, 2002 5:37 am
Location: Sydney, Australia

Post by evilcoder »

hmmnn, even under web visual folders?
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY
Contact:

Post by Stoker »

I assume that by 'web visual folders' you mean the web root? include() does not care about the webserver's folder configuration; all paths are relative (or absolute) to the filesystem. So unless apache is running in a chroot jail, that include could process any file on the system (as a php/html file)..

Bottom line, don't assume that your security is "good enough"; always make it as safe as possible, especially when it is simple to do so..
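The filesystem-level check the last two posts by Stoker call for (a hard path in front is not enough by itself, and include() sees the whole filesystem), as an added example that is not part of the thread. It resolves the path include() would actually open and accepts it only if it lands inside the pages directory. The script creates its own throwaway directory under the system temp dir so it runs stand-alone; those paths and file names are assumptions, as is PHP 7 or newer.

```php
<?php
// Added example, not code from the thread: check where an include() would
// actually land on the filesystem before performing it. The script builds a
// throwaway directory under the system temp dir so it runs stand-alone; those
// paths and file names are assumptions, not the thread's. Assumes PHP 7+.

declare(strict_types=1);

/**
 * Canonical path of "$base/$com.php" if, and only if, it resolves to a
 * regular file inside $base; null otherwise (traversal, a symlink that
 * escapes, a directory, a missing file, or a null byte in the token).
 */
function contained_include_path(string $base, string $com): ?string
{
    if (strpos($com, "\0") !== false) {
        return null; // filesystem functions must never see a null byte
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks and returns false when the
    // target does not exist, so the prefix test below sees the real location.
    $target = realpath($baseReal . '/' . $com . '.php');
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against "$baseReal/" with the separator, so that a sibling
    // directory such as ".../pages2/x.php" is not accepted for ".../pages".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Throwaway layout: pages/news.php is the only file meant to be includable;
// secret.php one level up stands in for the other user's file from the thread.
$root  = sys_get_temp_dir() . '/incdemo_' . bin2hex(random_bytes(4));
$pages = $root . '/pages';
mkdir($pages, 0700, true);
file_put_contents($pages . '/news.php', '<?php echo "news page\n";' . PHP_EOL);
file_put_contents($root . '/secret.php', '<?php echo "SECRET\n";' . PHP_EOL);

$requests = [
    'news',                   // legitimate
    './news',                 // resolves back inside: accepted
    '../secret',              // one level up and exists: resolved, then rejected
    '../../../../etc/passwd', // /etc/passwd.php does not exist: rejected
];

foreach ($requests as $com) {
    $path = contained_include_path($pages, $com);
    echo str_pad(var_export($com, true), 28), ' ',
        $path === null ? 'rejected' : '-> ' . $path, "\n";
    if ($path !== null) {
        include $path; // only reached for files proven to live under $pages
    }
}

// Remove the throwaway files.
unlink($pages . '/news.php');
unlink($root . '/secret.php');
rmdir($pages);
rmdir($root);
```

This is a second line of defence behind a fixed list, not a replacement for it: realpath() only answers "where does this path really go", so a file that an attacker can create inside the pages directory (the shared-host case in the thread) would still pass. Note also that the base directory itself is passed through realpath(), otherwise a symlinked temp dir (as on macOS) would make every prefix comparison fail.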