include() security issues
Posted: Sat Jan 25, 2003 7:13 pm
by jiop
are there any include() security issues to worry about if i am using it in the following way?
1. user clicks on a link which has key/value pairs ie
http://blah.com?com=111
2. $com gets value 111
3. then i include in a template page
Posted: Sat Jan 25, 2003 10:50 pm
by mydimension
yep, huge security issue. basically opens your entire server to the public. I'm not the best one to explain the details here nor how to best go about safely using this method. (someone wanna jump in on this?)
Posted: Sun Jan 26, 2003 12:11 am
by volka
the risk is not that big since all the files will be treated as php-files but it can include/process files that should be protected e.g. by .htaccess. So it's still big enough

At least you should limit it to numbers (looks like this is what you want) by
this will also limit includes to the same directory
(think about http://blah.com?com=..%2Fsomething -> $_GET['com'] == '../something' but (int)$_GET['com'] will be 0)
Posted: Sun Jan 26, 2003 11:12 am
by jiop
volka wrote:the risk is not that big since all the files will be treated as php-files but it can include/process files that should be protected e.g. by .htaccess. So it's still big enough

At least you should limit it to numbers (looks like this is what you want) by
this will also limit includes to the same directory
(think about http://blah.com?com=..%2Fsomething -> $_GET['com'] == '../something' but (int)$_GET['com'] will be 0)
yup, was just going to use numbers. used the is_numeric() function to make sure things were getting passed in as numbers. thanks for everyone's input!!
Posted: Sun Jan 26, 2003 5:40 pm
by evilcoder
Want security try this:
<?php
$path = "/path/to/include/folder"; // Without trailing slash
// Original relied on register_globals to populate $com; read it from the query string explicitly
$com = isset($_GET['com']) ? $_GET['com'] : "";
// Check that <folder>/<com>.php exists, then include that same file (the original included "$path/$com" without the .php suffix it had just tested for)
if ( $com <> "" && file_exists( $path . "/" . $com . ".php" ) )
{
include( "$path/$com.php" );
}
else
{
include( "$path/_default.php" );
}
?>
Now, make the file _default.php with something like your news page or whatever. So if someone thinks "OK, I'll put in a bogus variable name to find the folder name", they will just get your default page, as you have told PHP to check whether the file exists first: if it does, include it; if not, include this default.
This is a much more secure way.
Posted: Sun Jan 26, 2003 5:47 pm
by volka
what about com=../../../UserB/secret.php ?

Posted: Sun Jan 26, 2003 5:51 pm
by evilcoder
I'm pretty sure that's the most secure method. I tried on my webserver and finding files cannot be done unless there is a file with the same name as the variable, and because you have set what $path is, it would be hard to see other files.
Don't know whether I'm right, but I'm pretty sure it's quite secure.
Posted: Sun Jan 26, 2003 5:58 pm
by Stoker
any include() that uses a request-variable directly IS a big risk, especially if you run your script as a cgi/wrapper as your own user, since any other user on the same server could create a file that would steal your secrets or send email on your behalf and such..
as mentioned a hard path in front is not useful unless you strip all double dots and slashes..
Myself I would consider it the safest to have an indexed/fixed list
$valids = array(
    'bob'       => 'bobmarley.php',
    'superbowl' => 'superbowl.php',
    'nfl'       => 'nationalfootball.php'
);
// Read the key once; guarding with isset() avoids a notice when 'com' is absent
$com = isset($_REQUEST['com']) ? $_REQUEST['com'] : '';
if (empty($valids[$com])) die('Invalid request');
// The request value is only ever used as an array key, never as a path
include($valids[$com]);
or if you must use a filename directly, make sure it doesn't contain any bad stuff
// Pattern needs delimiters, and A-Z/a-z instead of A-z (A-z also matches [ \ ] ^ _ `); keeps letters and digits only
$com = preg_replace('/[^A-Za-z0-9]/', '', stripslashes($_REQUEST['com']));
include('/full/path/' . $com . '.php');
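The two patterns Stoker describes (a fixed allowlist, or a stripped file name under a hard-coded directory) and the file_exists() approach from evilcoder's earlier post can be put side by side in one script. The following is an added example, not code from any of the posters; it assumes a pages/ directory next to the script, and the page names and sample inputs are constructed. The file-name variant goes one step further than the thread's preg_replace: it rejects any value that contained a disallowed character instead of silently stripping it, and it also confirms with realpath() that the resolved file lies inside the base directory, so a traversal value of the kind volka posted is refused even though file_exists() would happily report it as present.

```php
<?php
// Added example (not from the thread): two defensive ways to pick a file for include()
// from a request parameter. Assumes a directory "pages/" next to this script; page
// names below are made up for illustration.

declare(strict_types=1);

define('PAGE_DIR', __DIR__ . '/pages');

// Pattern 1: fixed allowlist. The request value is only an array key and never
// becomes part of a path, so "..", "/" or "%2F" in it are irrelevant.
const VALID_PAGES = [
    'bob'       => 'bobmarley.php',
    'superbowl' => 'superbowl.php',
    'nfl'       => 'nationalfootball.php',
];

function resolveByAllowlist(string $com): ?string
{
    if (!isset(VALID_PAGES[$com])) {
        return null;                       // unknown key: caller serves the default page
    }
    return PAGE_DIR . '/' . VALID_PAGES[$com];
}

// Pattern 2: the request value is used as a file name, but only if it consists solely
// of [A-Za-z0-9_-] and the resolved path is proven to sit inside PAGE_DIR.
function resolveByName(string $com): ?string
{
    $clean = preg_replace('/[^A-Za-z0-9_-]/', '', $com);
    if ($clean === '' || $clean !== $com) {
        return null;                       // something was stripped: not a plain page name
    }
    $base      = realpath(PAGE_DIR);
    $candidate = realpath(PAGE_DIR . '/' . $clean . '.php');
    // realpath() collapses ".." and returns false for a missing file, so a path that
    // does not start with "<base>/" is rejected no matter what file_exists() says.
    if ($base === false || $candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Run the thread's sample values through both resolvers (no include is executed here).
// PHP decodes $_GET for you; rawurldecode() is applied only because these are literals.
foreach (['nfl', '../../../UserB/secret', '..%2Fetc%2Frc.config', 'bob'] as $input) {
    $decoded = rawurldecode($input);
    printf("%-26s allowlist=%s  name=%s\n",
        $input,
        resolveByAllowlist($decoded) ?? 'DEFAULT',
        resolveByName($decoded) ?? 'DEFAULT');
}

// Dispatch: prefer the allowlist and fall back to a default page, as evilcoder suggested,
// rather than revealing which names exist through differing error output.
$com  = $_GET['com'] ?? '';
$page = resolveByAllowlist($com) ?? PAGE_DIR . '/_default.php';
// include $page;   // enable in a real script
```

In the file-name variant the character filter alone already rules out traversal, since neither "." nor "/" survives it; the realpath() containment check is the second line of defence Stoker alludes to, and it is what you keep if the filter is ever loosened.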
Posted: Sun Jan 26, 2003 5:59 pm
by volka
evilcoder: if your webserver runs on a linux system call that script with
com=..%2Fetc%2Frc.config
com=..%2F..%2Fetc%2Frc.config
com=..%2F..%2F..%2Fetc%2Frc.config
and so on. How long does it take until something different than default.php is shown?
edit: oops, forgot some F
Posted: Sun Jan 26, 2003 6:05 pm
by evilcoder
I've gone down 15 ..%2 now and still nothing, is that good?
Posted: Sun Jan 26, 2003 6:11 pm
by Stoker
evilcoder wrote:I've gone down 15 ..%2 now and still nothing, is that good?
not good, you misunderstand the concept, without limiting the path anyone could go anywhere on that server..
Posted: Sun Jan 26, 2003 6:31 pm
by evilcoder
hmmnn, even under web visual folders?
Posted: Sun Jan 26, 2003 7:03 pm
by Stoker
I assume that by 'web visual folders' you mean the web root? include() does not care about the webserver's folder configuration, all paths are relative (or absolute) to the filesystem. So unless apache is running in a chroot jail that include could process any file on the system (as a php/html file)..
Bottom line, don't assume that your security is "good enough", always make it as safe as possible, especially when it is simple to do so..