Re: PHP Include and Security - need help
Posted: Thu Sep 16, 2010 5:28 pm
by Jonah Bron
But if include is requesting a remote file, won't that request be handled by Apache/[some other server], and won't the file be passed to PHP, and won't PHP execute it, and won't it pass it back without any PHP in it? I realize include() will parse any PHP you give it, but I don't understand how it's getting the PHP in this case.
Re: PHP Include and Security - need help
Posted: Thu Sep 16, 2010 6:32 pm
by John Cartwright
Jonah Bron wrote: and won't it pass it back without any PHP in it? I realize include() will parse any PHP you give it, but I don't understand how it's getting the PHP in this case.
The point is, you can pass it any text. If this text happens to include PHP code, it will be interpreted. For instance, this hacker script that was being remotely included probably outputs raw PHP code. This is why they suggest that, if you only want to display the result of the include, you use readfile() or file_get_contents().
Re: PHP Include and Security - need help
Posted: Thu Sep 16, 2010 6:44 pm
by Jonah Bron
I knew that it parsed any text you gave it, I just wasn't sure why it was getting PHP code at all.
Still, why is this file outputting raw PHP?
Re: PHP Include and Security - need help
Posted: Thu Sep 16, 2010 7:08 pm
by John Cartwright
Jonah Bron wrote: I knew that it parsed any text you gave it, I just wasn't sure why it was getting PHP code at all.
Still, why is this file outputting raw PHP?
...because it was designed to, to exploit this script.
Re: PHP Include and Security - need help
Posted: Thu Sep 16, 2010 7:23 pm
by Jonah Bron
Ooooookay, I had it totally backwards. I thought a malicious remote server was include()ing your script, but it's the other way around. They're making you include theirs. So, under the first context, what I said was true, just not in this situation (obviously, as long as you have your Apache settings right and you're not echoing any PHP).
All clear, thanks.
Re: PHP Include and Security - need help
Posted: Fri Sep 17, 2010 3:09 am
by reb00t
Please, how do I combine these two scripts? I just want my script to display an error or just block any attempts to include externally.
Block script:
$allowedReferrers = array('google.com', 'yahoo.com');
// The key really is spelled HTTP_REFERER (one R) in $_SERVER, and the header
// is supplied by the client, so it may be missing or not a parseable URL.
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$url = parse_url($referrer);
// parse_url() returns false on failure; the assignment must also be finished
// before the && is evaluated, so check the parsed result separately.
if (is_array($url) && isset($url['host']) && in_array($url['host'], $allowedReferrers, true)) {
    // valid referrer && whitelisted
} else {
    // invalid referrer || blacklisted
    // print error here
}
My current include script:
<?php
// add referrer security check here...
if ( isset($_GET['id']) && $_GET['id'] <> '' ) // If id is set, then set include to that value
{
    $include = $_GET['id']; // user-controlled value, used as the include path below
}
elseif ( (!isset($_GET['id']) || $_GET['id'] == '') && isset($_GET['image']) ) // If id not set, but image is, don't include anything
{
    $include = FALSE;
}
else // id and image not set, so include a default page
{
    $include = 'home.php';
}
if ( $include != FALSE )
{
    if ( is_file($include) ) // If it finds the file, then include it
    {
        include $include;
    }
    else // File doesn't exist, so show 404 page
    {
        include '404.php';
    }
}
// Show the image if set
if ( isset($_GET['image']) && $_GET['image'] <> '' )
{
    $image = $_GET['image'];
}
// end include
Re: PHP Include and Security - need help
Posted: Sat Sep 18, 2010 2:53 am
by kaisellgren
You are allowing arbitrary file inclusions. Not good.
Re: PHP Include and Security - need help
Posted: Sat Sep 18, 2010 10:56 am
by reb00t
kaisellgren wrote: You are allowing arbitrary file inclusions. Not good.
I know, but how can I fix this?
Re: PHP Include and Security - need help
Posted: Sun Sep 19, 2010 12:09 pm
by Jonah Bron
Switch statement?
Re: PHP Include and Security - need help
Posted: Tue Sep 21, 2010 12:07 pm
by kaisellgren
Keep a list of allowed includes and check if the requested include is one of those. Or, use something other than include()s to construct your pages. Take a look at frameworks and templating systems.
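As an added example (not code from any poster in this thread), here is the allowlist approach from the reply above applied to the include script posted earlier, keeping its id/image/default branching; the page ids and file names in $allowedPages are assumed.

```php
<?php
// Added example (not any poster's code): the include script from earlier in
// the thread, rewritten so that only ids listed in $allowedPages can ever
// reach include(). The page ids and file names here are assumed.
$allowedPages = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

/**
 * Map a user-supplied id to a file name, or to the 404 page.
 * The id is only ever used as an array key, never as a path, so
 * "../", remote URLs and php:// wrappers cannot be included.
 */
function resolveInclude($id, array $allowedPages, $notFound = '404.php')
{
    // ?id[]=x arrives as an array; reject anything that is not a plain string
    if (!is_string($id) || !array_key_exists($id, $allowedPages)) {
        return $notFound;
    }
    $file = $allowedPages[$id];
    return is_file(__DIR__ . '/' . $file) ? $file : $notFound;
}

$id        = isset($_GET['id']) ? $_GET['id'] : '';
$showImage = isset($_GET['image']) && $_GET['image'] !== '';

// Same branching as the original script: id wins, image alone includes
// nothing, and neither means the default page.
if ($id !== '') {
    $target = resolveInclude($id, $allowedPages);
} elseif ($showImage) {
    $target = false;
} else {
    $target = 'home.php';
}

if ($target !== false) {
    include __DIR__ . '/' . $target;
}
```

A switch on $id with one case per page, as suggested a few posts up, gives the same guarantee; the array form just keeps the list in one place.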