PHP Injection Vulnerability. I need help.



Codius
Forum Newbie
Posts: 1
Joined: Tue Jul 17, 2007 5:25 pm


Post by Codius »

I recently scanned my website for vulnerabilities. I came up with two huge ones: Blind SQL/XPath injection for numeric inputs and Directory traversal (Unix).

It's due to the following script.


<?php
require_once "config.inc.php";
require_once "includes/init.inc.php";
require "includes/filter.inc.php";

// TODO: Remove these completely
include ('modules/functions.php');
include ('skin/header.php');
include ('skin/side.php');

// TODO: Move or improve this
if (isset($_GET['act'])) {
    $page = $_GET['act'];
    if (file_exists('pages/'.$page.'.php')) {
        include ('pages/'.$page.'.php');
        $cc = 'nothing';
    } else {
        include ('pages/index.php');
        $cc = 'home';
    }
} else {
    include ('pages/index.php');
}

// TODO: Remove these completely
include ('skin/right-side.php');
include ('skin/footer.php');
include ('skin/map.php');
?>
I am new to PHP and am wondering how to fix it. Thanks.

~ Codius
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Only accept a very specific list of $page values.
programmingjeff
Forum Commoner
Posts: 26
Joined: Fri Jan 05, 2007 10:56 am

Post by programmingjeff »

If you only want to use alpha-numeric filenames, you can use the following code.

If you want to be more permissive, then replace the ctype_alnum call with a preg_match.


$page = 'index';
$cc = 'home';   // was: $cc = home; (unquoted, an undefined constant)
// Test the submitted value itself; checking file_exists() on the default
// $page would accept any alphanumeric name whether or not the file exists.
if (isset($_GET['act']) && ctype_alnum($_GET['act']) && file_exists('pages/'.$_GET['act'].'.php')) {
    $page = $_GET['act'];
    $cc = 'nothing';
}
include('pages/'.$page.'.php');
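Putting feyd's allow-list and programmingjeff's alphanumeric filter together, the following is an added example, not code from this thread or from any of its posters. It assumes PHP 8, keeps the `pages/` directory from the original post, and invents the `about` and `contact` page names and the temporary directory used by the self-check purely for illustration. The allow-list means the raw `?act=` value never becomes part of an `include()` path at all; the `safe_pages_path()` helper shows the extra directory check that is still worth having when a character filter such as `ctype_alnum()` is the only guard.

```php
<?php
// Added example (not code from the thread or its authors): a small front
// controller that implements feyd's advice (an allow-list of page names)
// and adds the path check a ctype_alnum() filter still benefits from.
// The directory 'pages/' comes from the original post; every page name
// other than 'index' and the $cc values are assumed for illustration.
declare(strict_types=1);

// Allow-list: the public value of ?act=... maps to the file that serves it.
const PAGES = [
    'index'   => 'pages/index.php',
    'about'   => 'pages/about.php',    // assumed page
    'contact' => 'pages/contact.php',  // assumed page
];

/**
 * Resolve the raw ?act= value to an allow-listed page file.
 * Anything not in the list (traversal strings, empty values, arrays such
 * as ?act[]=x, case variants) falls back to the home page, so user input
 * never becomes part of the include() path.
 * Returns [file, $cc] to mirror the $page/$cc pair used in the thread.
 */
function resolve_page(mixed $act): array
{
    if (!is_string($act) || !array_key_exists($act, PAGES)) {
        return [PAGES['index'], 'home'];
    }
    return [PAGES[$act], $act === 'index' ? 'home' : 'nothing'];
}

/**
 * Defence in depth for the ctype_alnum() approach: after the character
 * filter, confirm the resolved path is really inside $pagesDir before
 * including it. realpath() resolves '..' and symlinks, so a plain string
 * prefix check on its result is meaningful.
 */
function safe_pages_path(string $name, string $pagesDir): ?string
{
    if ($name === '' || !ctype_alnum($name)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $path;
}

// Self-check with constructed inputs; runs from the CLI without a web request.
$samples = ['index', 'about', 'About', '../config.inc', 'about/../index', '', ['x']];
foreach ($samples as $act) {
    [$file, $cc] = resolve_page($act);
    printf("%-16s -> %s (cc=%s)\n", is_array($act) ? '[array]' : $act, $file, $cc);
}

// Exercise safe_pages_path() against a throwaway pages directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'about.php', "<?php echo 'about';\n");
foreach (['about', 'missing', '../about', 'about.php'] as $name) {
    $path = safe_pages_path($name, $tmp);
    printf("%-16s -> %s\n", $name, $path ?? 'rejected');
}
unlink($tmp . DIRECTORY_SEPARATOR . 'about.php');
rmdir($tmp);

// In the live script this replaces the include() chain from the original post:
//   [$page, $cc] = resolve_page($_GET['act'] ?? 'index');
//   include $page;
```

Run it with `php` from the command line: every sample that is not an exact allow-list key resolves to `pages/index.php`, and `safe_pages_path()` rejects the names containing `/` or `.` before it ever touches the filesystem. The `file_exists()` probe in the original script is what the scanner flagged as directory traversal, because it lets an attacker test for arbitrary files on the server; with the allow-list that probe is gone entirely.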