Proper Includes via $_GET

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


mabufo
Forum Commoner
Posts: 81
Joined: Thu Jul 10, 2003 11:11 pm
Location: Orland Park, IL

Post by mabufo »

mabufo wrote:
feyd wrote: A database supplied list of "valid" files.
This brings up the all important question, how do I do that?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

"that" being?
mabufo
Forum Commoner
Posts: 81
Joined: Thu Jul 10, 2003 11:11 pm
Location: Orland Park, IL

Post by mabufo »

feyd wrote: "that" being?
You know what? Forget it. You're enjoying this a little too much, if you ask me.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

mabufo wrote: You know what? Forget it. You're enjoying this a little too much, if you ask me.
I do not find pleasure in this, but if that's the way you feel. Okay.
Charles256
DevNet Resident
Posts: 1375
Joined: Fri Sep 16, 2005 9:06 pm

Post by Charles256 »

Feyd can be annoying if you're already frustrated, mabufo (you get used to him :-D ). Long story short (from the last couple posts I read) I assume he means create a database and then create a table with a valid list of files. Whenever you go to do an include, check the database to see if that file name is one of the allowed file names; if it is, output the file name, if not, don't. Don't forget to use mysql_real_escape_string. (My apologies if I didn't read far enough back to get a full grasp of the situation)
Last edited by Charles256 on Sat Jul 07, 2007 10:23 pm, edited 1 time in total.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

I felt I'd need to say this long ago before you edited the post directly after feyd's first answer, but it looks like I'll need to say it now.

We don't get paid to help you. In fact, if your question doesn't cause us to learn anything new, we get nothing at all out of it. If you're willing to spend money, someone will do the work for you. However, we're not ones to be taken advantage of, and it is one of the reasons that I love this forum. Other forums pressure you to "work" for the people who ask questions (regardless of how rude they may be).

Also, no, I don't mind if you PM me. However, I do mind if you PM me with questions. Your message has been ignored. That's what the forums are for.
mabufo
Forum Commoner
Posts: 81
Joined: Thu Jul 10, 2003 11:11 pm
Location: Orland Park, IL

Post by mabufo »

I'm not asking you to design a commercial website for me, I'm not asking you to code me a CMS. I was merely asking how to secure my PHP include calls. I'm not trying to take advantage of you by asking for code snippets, that's not what I'm here for. If I came off like that, I am sorry. I suppose in the world of web design code snippets go a long way; to tell the truth, I wouldn't know. I suppose I understand where the monetary issue comes into play, but all I want to learn is how to do it for myself, and the way I can do that, personally, is by example, and an example was the only thing I was looking for.

I don't always know what you guys are talking about when you reply to my question. I think the trouble is the assumption that I do. I'm clearly not an experienced PHP coder, so I hardly ever know what to make of some posts, so it would help if you all weren't so vague all the time. Giving me cryptic messages in hope that I'll do some searching on my own really doesn't help me solve my problem. I post here because I don't know what to look for, and the fact that all I get back is you all telling me to search again is really discouraging. I can understand you guys not wanting to be pressured into having to post code examples or whatever, but I'm not forcing you. But a shove in the right direction should be a little more than telling me to search for something (functions excluded), because more than half the time I have no idea what I should be searching for. I'm not familiar with the web-dev lingo.

Also, superdezign, I was just trying to clarify on the post you made in my other recent thread, and I meant no harm. I suppose I didn't want to run the risk of making a complete ass of myself... but looks like I've done that anyway. I'll make a new topic about my design theory problem, if that would suit everyone.

Regardless, I don't mean to come off as a 'gotta have it now' smurf. I'm willing to learn for myself and all of that, I assure you. However, in contrast with my forum join date, I am really a novice at this stuff, so a little compassion would go a long way. They don't call these forum communities for nothing.
vigge89
Forum Regular
Posts: 875
Joined: Wed Jul 30, 2003 3:29 am
Location: Sweden

Post by vigge89 »

If you're new to using databases, I suggest checking out one or more of the many 'beginner MySQL' tutorials on the net. I'm afraid I don't have any specific links lying around but there should be many listed on google ;)
When you've got the basics it's not much harder than populating a table in the database with different pages (id, page name, php script responsible, etc.) and then doing a SQL SELECT-query with PHP to retrieve the page whose id has the one $_GET['page'] contains (after cleaning the input up or validating it).
Bluewind
Forum Newbie
Posts: 2
Joined: Sat Jul 26, 2008 2:17 am
Location: Austria

Re: Proper Includes via $_GET

Post by Bluewind »

List of needs:

Code:

<?php
include($_GET['foo']);
?>
php.ini:

Code:

allow_url_include=Off
And something where you can upload images.

Exploit:
Upload an image (like this one) that contains PHP code. This image works like any other image. You can try getimagesize(). Just don't resize it or modify it in any other way.
If you know the path (like images/uploads/x.gif) to the image you can include it with the PHP code. This also works if you check around for "http://". You will see the image's source and the included PHP code will be executed.

Best for security -> NEVER give the user the real address of his upload and always check every file (this method is NOT limited to images) for <? ?> and maybe some code.

This works on PHP..Ki.t 1.. 6. 1 with hackblock addon installed (ignore the points, just to get Google away). Haven't tried other software yet, but it's damn deadly.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Proper Includes via $_GET

Post by Mordred »

Bluewind wrote: Best for security -> NEVER give the user the real address of his upload and always check every file (this method is NOT limited to images) for <? ?> and maybe some code.
Amen to the first part, but the second part is simply unfeasible.
I have made a POC system for safe handling of image uploads that is easy to set up, but haven't got around to polish it for publication. It does not verify the files in any way (it is impossible to do without false positives) but instead "hides" their real FS location, while still having them accessed as jpg files.
Bluewind
Forum Newbie
Posts: 2
Joined: Sat Jul 26, 2008 2:17 am
Location: Austria

Re: Proper Includes via $_GET

Post by Bluewind »

Mordred wrote: "hides" their real FS location, while still having them accessed as jpg files.
As long as this script can't be executed with includes (use constants to block) it should be fine.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Proper Includes via $_GET

Post by Mordred »

Which script? I'm not sure you're understanding the method. The attacker-provided backdoored jpg is stored in a secret location. It is accessible through a proxy script only, but still visible from the web as backdoor.jpg. In htdocs/backdoor.jpg on the server there's nothing though, so it can't be LFI-ed.
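Mordred's proxy approach, written out as an added example (this is not his POC code): uploads are written to a directory outside the document root under a random name, and an image.php script streams them back with an image Content-Type, so nothing under htdocs exists for an include() to reach. The upload directory, the side file that records the verified type, and the 32-hex-character id format are assumptions.

```php
<?php
// Added example, not Mordred's own code: uploads live outside the document
// root and are reached only through this proxy script, so their real path is
// never exposed and nothing under htdocs exists for an include() to hit.
// The directory, the ".type" side file and the id format are assumptions.
declare(strict_types=1);
const UPLOAD_DIR = '/var/www/private_uploads';   // assumed; not under the web root
// Only these types are served; decided by our own signature check at upload time.
const ALLOWED_TYPES = ['image/jpeg' => 1, 'image/png' => 1, 'image/gif' => 1];

/** Upload time: check the signature, store under a random name, return the public id. */
function storeUpload(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null; // not an image by magic bytes
    }
    // A valid GIF with PHP inside still passes; the protection is that the
    // bytes are only ever streamed, never included or executed.
    $id = bin2hex(random_bytes(16));               // no user input in the stored name
    if (!move_uploaded_file($tmpPath, UPLOAD_DIR . "/$id")) {
        return null;
    }
    file_put_contents(UPLOAD_DIR . "/$id.type", $mime);
    return $id;
}

/** Serve time: map a public id back to the stored file and its verified type. */
function resolveUpload(string $id): ?array
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        return null; // anything that is not a 32-char hex id is rejected outright
    }
    $file = UPLOAD_DIR . "/$id";
    if (!is_file($file) || !is_file("$file.type")) {
        return null;
    }
    return ['path' => $file, 'mime' => trim(file_get_contents("$file.type"))];
}

// image.php?id=...: stream with an image Content-Type; PHP never parses the file.
$img = resolveUpload($_GET['id'] ?? '');
if ($img === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: ' . $img['mime']);
header('X-Content-Type-Options: nosniff');
readfile($img['path']);
```

A rewrite rule mapping /images/<id>.jpg to image.php?id=<id> gives the "still visible as a jpg" URL Mordred describes without ever placing the file under the web root.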
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Re: Proper Includes via $_GET

Post by feyd »

This thread was dead a year before resurrection…
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Proper Includes via $_GET

Post by Mordred »

Huh, yeah.

Welcome back btw :)
benanamen
Forum Newbie
Posts: 18
Joined: Sun Nov 15, 2015 11:57 am

Re:

Post by benanamen »

theda wrote: Onion, a much simpler way would be to use an array wouldn't it?

Code:

$arra = array('file1.php', 'file2.php', 'file3.php', 'file4.php');
// strict comparison: the request value must match a whitelisted name exactly
if (in_array($_GET['id'], $arra, true)) {
    include $_GET['id'];
} else {
    exit;
}
Edit: Deprecate your life -_-; <- For Roja. :P
This is a good solution with a small change. Instead of whitelisting files, you blacklist files. If you have a large growing app, you could be whitelisting forever. The restricted files list will be much smaller than the allowed files list.

Code:

// basename() drops any directory part, so "../" in the request cannot leave ./includes
$page = basename($_GET['p']);
$restricted_files = array(
    'header',
    'footer',
    'navbar',
    'menu',
);

if (!in_array($page, $restricted_files) && file_exists("./includes/$page.php")) {
    $include = "./includes/$page.php";
    include $include;
}
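The whitelist idea behind theda's array and vigge89's database table, as an added example that is not code from any post in this thread: the request value is used only as an array key or as a bound query parameter, so it never reaches include() as a path. The page keys, file names, and the pages table with its slug/script columns are assumptions.

```php
<?php
// Added example, not code from any post in this thread: the request value is
// used only as an array key (or a bound query parameter), so no user-supplied
// string ever reaches include(). Page keys, file names and the pages table
// with its slug/script columns are assumptions.
declare(strict_types=1);
const INCLUDE_DIR = __DIR__ . '/includes';
// Public page key => script under INCLUDE_DIR. Nothing outside this map is reachable.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Resolve a page key to a path, or null for anything not in the whitelist. */
function resolvePage($key): ?string
{
    // Arrays, "../etc/passwd", "http://evil/x", "header", "" and null all end here.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    return INCLUDE_DIR . '/' . PAGES[$key];
}

/** Database-backed variant of the same idea (vigge89's suggestion), via a prepared statement. */
function resolvePageFromDb(PDO $db, $key): ?string
{
    if (!is_string($key)) {
        return null;
    }
    $stmt = $db->prepare('SELECT script FROM pages WHERE slug = :slug LIMIT 1');
    $stmt->execute([':slug' => $key]);
    $script = $stmt->fetchColumn();
    // basename() keeps a tampered table row from pointing outside INCLUDE_DIR.
    return $script === false ? null : INCLUDE_DIR . '/' . basename((string) $script);
}

// Front controller: unknown keys get a 404, never an include of something else.
$path = resolvePage($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Because the map is the only source of paths, adding a page means adding one key rather than auditing every request value, which is the maintenance cost benanamen raises against whitelisting.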