PHP Injection Vulnerability. I need help.

Posted: Tue Jul 17, 2007 5:29 pm
by Codius
I recently scanned my website for vulnerabilities. I came up with two huge ones: Blind SQL/XPath injection for numeric inputs and Directory traversal (Unix).

It's due to the following script.

<?php
require_once "config.inc.php";
require_once "includes/init.inc.php";
require "includes/filter.inc.php";

// TODO: Remove these completely
include ('modules/functions.php');
include ('skin/header.php');
include ('skin/side.php');

// TODO: Move or improve this
if (isset($_GET['act'])) {
	// $page comes straight from the query string and is used unchecked in the
	// include path below; this is where the scanner's directory traversal finding comes from
	$page = $_GET['act'];
	if (file_exists('pages/'.$page.'.php')) {
		include ('pages/'.$page.'.php');
		$cc = 'nothing';
	} else {
		include ('pages/index.php');
		$cc = 'home';
	}
} else {
	include ('pages/index.php');
}

// TODO: Remove these completely
include ('skin/right-side.php');
include ('skin/footer.php');
include ('skin/map.php');
?>
I am new to PHP and am wondering how to fix it. Thanks.

~ Codius

Posted: Tue Jul 17, 2007 7:46 pm
by feyd
Only accept a very specific list of $page values.

Posted: Tue Jul 17, 2007 9:25 pm
by programmingjeff
If you only want to use alpha-numeric filenames, you can use the following code.

If you want to be more permissive, then replace the ctype_alnum call with a preg_match.

$page = 'index';
$cc = 'home';
// Accept ?act= only when it is purely alphanumeric (so no slashes, dots or null
// bytes can reach the include path) and the matching file exists under pages/.
if(isset($_GET['act']) && ctype_alnum($_GET['act']) && file_exists('pages/'.$_GET['act'].'.php')) {
        $page = $_GET['act'];
        $cc = 'nothing';
}
include('pages/'.$page.'.php');
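Both replies above point at the same fix: stop letting the query string choose an arbitrary file. The following is an added example, not code from anyone in this thread, that combines feyd's suggestion (an explicit list of permitted page names) with a realpath containment check as a second line of defence. The page names index, about and contact and the pages/ directory next to the script are assumed for illustration.

```php
<?php
// Added example for this thread (not the original poster's code).
// Assumes a pages/ directory beside this script holding index.php, about.php
// and contact.php; those names are placeholders for the site's real pages.

// Allowlist: maps each permitted ?act= value to the file it loads. Anything
// not listed here is rejected before the file system is consulted at all,
// so "../", null bytes or absolute paths never reach include().
$pages = [
    'index'   => 'index.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include for $act, or null when the request
// should fall back to the home page.
function resolve_page(array $allowlist, ?string $act): ?string
{
    if ($act === null || !array_key_exists($act, $allowlist)) {
        return null;
    }

    $base = realpath(__DIR__ . '/pages');
    $file = realpath($base . '/' . $allowlist[$act]);

    // Defence in depth: even a mistaken allowlist entry cannot resolve to a
    // file outside pages/, because the resolved path must start with $base.
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// is_string() rejects ?act[]=x, which would otherwise hand an array to the
// string functions above.
$act  = (isset($_GET['act']) && is_string($_GET['act'])) ? $_GET['act'] : null;
$file = resolve_page($pages, $act);

if ($file === null) {
    include __DIR__ . '/pages/index.php';
    $cc = 'home';
} else {
    include $file;
    $cc = 'nothing';
}
```

With this shape, adding a page is a one-line change to $pages, and a scanner request such as act=../../etc/passwd is answered with the home page because the value is not a key in the allowlist; the realpath check only matters if someone later puts a bad value into the list itself.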