PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
It is currently Thu Jun 29, 2017 3:59 am

All times are UTC - 5 hours




[ 60 posts ]
PostPosted: Sat Jul 07, 2007 9:41 pm
Forum Commoner

Joined: Thu Jul 10, 2003 11:11 pm
Posts: 81
Location: Orland Park, IL
mabufo wrote:
feyd wrote:
A database supplied list of "valid" files.

This brings up the all important question, how do I do that?


PostPosted: Sat Jul 07, 2007 9:44 pm
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
"that" being?


PostPosted: Sat Jul 07, 2007 9:54 pm
Forum Commoner

Joined: Thu Jul 10, 2003 11:11 pm
Posts: 81
Location: Orland Park, IL
feyd wrote:
"that" being?


You know what? Forget it. You're enjoying this a little too much, if you ask me.


PostPosted: Sat Jul 07, 2007 9:59 pm
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
mabufo wrote:
You know what? Forget it. You're enjoying this a little too much, if you ask me.
I do not find pleasure in this, but if that's the way you feel. Okay.


PostPosted: Sat Jul 07, 2007 10:13 pm
DevNet Resident

Joined: Fri Sep 16, 2005 9:06 pm
Posts: 1375
Feyd can be annoying if you're already frustrated, mabufo (you get used to him :-D ). Long story short (from the last couple posts I read) I assume he means create a database and then create a table with a valid list of files. Whenever you go to do an include, check the database to see if that file name is one of the allowed file names; if it is, output the file name, if not, don't. Don't forget to use mysql_real_escape_string. (My apologies if I didn't read far enough back to get a full grasp of the situation)


Last edited by Charles256 on Sat Jul 07, 2007 10:23 pm, edited 1 time in total.

PostPosted: Sat Jul 07, 2007 10:21 pm
DevNet Master

Joined: Sun Jan 21, 2007 12:06 am
Posts: 4135
I felt I'd need to say this long ago before you edited the post directly after feyd's first answer, but it looks like I'll need to say it now.

We don't get paid to help you. In fact, if your question doesn't cause us to learn anything new, we get nothing at all out of it. If you're willing to spend money, someone will do the work for you. However, we're not ones to be taken advantage of, and it is one of the reasons that I love this forum. Other forums pressure you to "work" for the people who ask questions (regardless of how rude they may be).

Also, no, I don't mind if you PM me. However, I do mind if you PM me with questions. Your message has been ignored. That's what the forums are for.


PostPosted: Sat Jul 07, 2007 11:15 pm
Forum Commoner

Joined: Thu Jul 10, 2003 11:11 pm
Posts: 81
Location: Orland Park, IL
I'm not asking you to design a commercial website for me, I'm not asking you to code me a CMS. I was merely asking how to secure my PHP include calls. I'm not trying to take advantage of you by asking for code snippets, that's not what I'm here for. If I came off like that, I am sorry. I suppose in the world of web design code snippets go a long way; to tell the truth, I wouldn't know. I suppose I understand where the monetary issue comes into play, but all I want to learn is how to do it for myself, and the way I can do that, personally, is by example, and an example was the only thing I was looking for.

I don't always know what you guys are talking about when you reply to my question. I think the trouble is the assumption that I do. I'm clearly not an experienced PHP coder, so I hardly ever know what to make of some posts, so it would help if you all weren't so vague all the time. Giving me cryptic messages in the hope that I'll do some searching on my own really doesn't help me solve my problem. I post here because I don't know what to look for, and the fact that all I get back is you all telling me to search again is really discouraging. I can understand you guys not wanting to be pressured into having to post code examples or whatever, but I'm not forcing you. But a shove in the right direction should be a little more than telling me to search for something (functions excluded), because more than half the time I have no idea what I should be searching for. I'm not familiar with the web-dev lingo.

Also, superdezign, I was just trying to clarify the post you made in my other recent thread, and I meant no harm. I suppose I didn't want to run the risk of making a complete ass of myself... but it looks like I've done that anyway. I'll make a new topic about my design theory problem, if that would suit everyone.

Regardless, I don't mean to come off as a 'gotta have it now' smurf. I'm willing to learn for myself and all of that, I assure you. However, in contrast with my forum join date, I am really a novice at this stuff, so a little compassion would go a long way. They don't call these forum communities for nothing.


PostPosted: Sun Jul 08, 2007 6:34 am
Forum Regular

Joined: Wed Jul 30, 2003 3:29 am
Posts: 875
Location: Sweden
If you're new to using databases, I suggest checking out one or more of the many 'beginner MySQL' tutorials on the net. I'm afraid I don't have any specific links lying around but there should be many listed on google ;)
When you've got the basics it's not much harder than populating a table in the database with the different pages (id, page name, PHP script responsible, etc.) and then doing a SQL SELECT query from PHP to retrieve the page whose id matches the one $_GET['page'] contains (after cleaning the input up or validating it).
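The database-backed allow-list that Charles256 and the post above describe, written out as an added example (this is not code from the thread). It assumes a `pages` table with `id`, `name` and `script` columns and a `pages/` directory next to the script; the in-memory SQLite database and its three sample rows are constructed so the example runs on its own, and the DSN would be swapped for MySQL in a real site:

```php
<?php
// Added example, not code from the thread: a page dispatcher whose list of
// valid pages lives in a database table. PDO with an in-memory SQLite database
// keeps it self-contained; with MySQL the table is created once, not per request.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: id, public page name, and the script that serves it.
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, script TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO pages (name, script) VALUES (?, ?)');
foreach ([['home', 'home.php'], ['about', 'about.php'], ['contact', 'contact.php']] as $row) {
    $seed->execute($row);
}

/**
 * Map a user-supplied page name to an include path, or return null when the
 * name is not in the table. The user's value is only ever used as a bound
 * query parameter; the path is assembled from the site owner's stored value.
 */
function resolvePage(PDO $db, string $requested, string $includeDir): ?string
{
    // Cheap shape check before touching the database.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    $stmt = $db->prepare('SELECT script FROM pages WHERE name = ?');
    $stmt->execute([$requested]);
    $script = $stmt->fetchColumn();
    if ($script === false || $script !== basename($script)) {
        return null; // unknown page, or a stored value that is not a bare file name
    }
    return rtrim($includeDir, '/') . '/' . $script;
}

$includeDir = __DIR__ . '/pages';                 // assumption: page scripts live here
$requested  = (string) ($_GET['page'] ?? 'home');
$path = resolvePage($db, $requested, $includeDir);

if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;   // built only from the stored script name, never from $_GET
```

The point of the design is that `$_GET['page']` is never concatenated into a path: it is bound into a prepared statement, and the only thing that reaches `include` is the `script` value the site owner put in the table. Adding a page means adding a row, which answers the "white-listing forever" worry later in the thread without opening the include to arbitrary files.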


PostPosted: Sat Jul 26, 2008 2:33 am 
Forum Newbie

Joined: Sat Jul 26, 2008 2:17 am
Posts: 2
Location: Austria
List of needs:
Syntax:
<?
include($_GET['foo']);
?>

php.ini:
Syntax:
allow_url_include=Off

And something where you can upload images.

Exploit:
Upload an image (like this one) that contains PHP code. This image works like any other image. You can try getimagesize(). Just don't resize it or modify it in any other way.
If you know the path (like images/uploads/x.gif) to the image you can include it with the PHP code. This also works if you check for "http://". You will see the image's source and the included PHP code will be executed.

Best for security -> NEVER give the user the real address of his upload and always check every file (this method is NOT limited to images) for <? ?> and maybe some code.

This works on PHP..Ki.t 1.. 6. 1 with hackblock addon installed (ignore the points, just to get Google away). Haven't tried other software yet, but it's damn deadly.


PostPosted: Sat Jul 26, 2008 3:45 am
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Quote:
Best for security -> NEVER give the user the real adress of his upload and always check every file (this method is NOT limited to images) for <? ?> and maybe some code.


Amen to the first part, but the second part is simply unfeasible.
I have made a POC system for safe handling of image uploads that is easy to set up, but haven't got around to polishing it for publication. It does not verify the files in any way (it is impossible to do without false positives) but instead "hides" their real FS location, while still having them accessed as jpg files.


PostPosted: Sat Jul 26, 2008 4:30 am 
Forum Newbie

Joined: Sat Jul 26, 2008 2:17 am
Posts: 2
Location: Austria
Mordred wrote:
"hides" their real FS location, while still having them accessed as jpg files.

As long as this script can't be executed with includes (use constants to block) it should be fine.


PostPosted: Sun Jul 27, 2008 1:05 pm
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Which script? I'm not sure you're understanding the method. The attacker-provided backdoored jpg is stored in a secret location. It's accessible through a proxy script only, but still visible from the web as backdoor.jpg. In htdocs/backdoor.jpg on the server there's nothing though, so it can't be LFI-ed.
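Mordred's approach, the upload stored under a secret name outside the web root and streamed back through a proxy script, as an added example that is not Mordred's POC and not code from the thread. It assumes a private directory `/var/www/uploads_private` that is not under the document root, an `images` table mapping a random public id to the stored file, and an `image.php` entry point; the in-memory SQLite database is constructed so the file runs stand-alone (a real site would use a persistent database, since the mapping must survive between the upload request and the later view request):

```php
<?php
// Added example, not the thread's code: uploads never get a web-reachable path.
// The stored name is random, the file lives outside htdocs, and the bytes are
// served with readfile(), so there is nothing for an include() to reach.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads_private'; // assumption: not under the document root

$db = new PDO('sqlite::memory:');              // constructed; use a persistent DB in practice
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id TEXT PRIMARY KEY, stored_name TEXT NOT NULL, mime TEXT NOT NULL)');

/** Store an uploaded file under a random, extension-less name; return its public id or null. */
function storeUpload(PDO $db, string $tmpPath): ?string
{
    // getimagesize() only proves the file parses as an image. As the thread
    // notes, PHP code can still ride inside it, so this is a sanity check, not
    // the security boundary; the boundary is that the file is never include()d.
    $info = @getimagesize($tmpPath);
    if ($info === false || !in_array($info['mime'], ['image/jpeg', 'image/png', 'image/gif'], true)) {
        return null;
    }
    $id = bin2hex(random_bytes(16));           // 32 hex chars, unguessable
    $stored = UPLOAD_DIR . '/' . $id;          // no extension: never treated as a script
    if (!move_uploaded_file($tmpPath, $stored)) {
        return null;
    }
    $stmt = $db->prepare('INSERT INTO images (id, stored_name, mime) VALUES (?, ?, ?)');
    $stmt->execute([$id, $id, $info['mime']]);
    return $id;
}

/** Proxy: image.php?id=<hex> streams the bytes; the real path never leaves the server. */
function serveImage(PDO $db, string $id): bool
{
    if (!preg_match('/\A[a-f0-9]{32}\z/', $id)) {
        return false;                          // anything but a generated id is rejected
    }
    $stmt = $db->prepare('SELECT stored_name, mime FROM images WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $path = UPLOAD_DIR . '/' . basename($row['stored_name']);
    if (!is_file($path)) {
        return false;
    }
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');  // browser must not re-sniff as HTML/JS
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);                            // bytes are sent, never include()d
    return true;
}

// Assumed entry points: the upload form posts a field named "image";
// viewers fetch image.php?id=<public id>.
if (isset($_FILES['image']['tmp_name']) && is_uploaded_file($_FILES['image']['tmp_name'])) {
    $id = storeUpload($db, $_FILES['image']['tmp_name']);
    echo $id === null ? 'rejected' : 'image.php?id=' . $id;
} elseif (isset($_GET['id'])) {
    if (!serveImage($db, (string) $_GET['id'])) {
        http_response_code(404);
    }
}
```

A rewrite rule in the web server can map `backdoor.jpg`-style URLs onto `image.php?id=...` so the public name still ends in `.jpg`, which is what Mordred means by "still visible from the web as backdoor.jpg"; the directory that actually holds the bytes is outside htdocs and its file names are random, so even an `include($_GET['foo'])` elsewhere on the site has no path to guess.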


PostPosted: Fri Aug 01, 2008 10:40 am
Neighborhood Spidermoddy

Joined: Mon Mar 29, 2004 4:24 pm
Posts: 31559
Location: Bothell, Washington, USA
This thread was dead a year before resurrection…


PostPosted: Fri Aug 01, 2008 11:22 am
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
Huh, yeah.

Welcome back btw :)


 Post subject: Re:
PostPosted: Mon Nov 16, 2015 11:10 am 
Forum Newbie

Joined: Sun Nov 15, 2015 12:57 pm
Posts: 1
theda wrote:
Onion, a much simpler way would be to use an array wouldn't it?

Syntax:
// Allow-list of include targets; the request value is only used if it is in the list.
$arra = array('file1.php', 'file2.php', 'file3.php', 'file4.php');
if (in_array($_GET['id'], $arra)) {
    include $_GET['id'];
} else {
    exit;
}


Edit: Deprecate your life -_-; <- For Roja. :P


This is a good solution with a small change. Instead of whitelisting files, you blacklist files. If you have a large, growing app, you could be whitelisting forever. The restricted files list will be much smaller than the allowed files list.


Syntax:
$page = basename($_GET['p']);
$restricted_files = array(
    'header',
    'footer',
    'navbar',
    'menu',
);

if (!in_array($page, $restricted_files) && file_exists("./includes/$page.php")) {
    $include = "./includes/$page.php";
}

