Include Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Include Security

Post by William »

Hello all,

I was wondering what security holes the code below might allow you to exploit:

Code:

<?php

$file = $_GET['file'];

include("include/" . $file . ".php");

?>
I understand that you shouldn't do that, but that's not my question. My question is: how could someone use that to steal information or deface my site?

-Thanks
Last edited by William on Tue Sep 13, 2005 9:55 am, edited 2 times in total.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

If I were to set file to http://mysite.com/file.txt, I could put anything I wanted in that txt file and your server would parse it as PHP.

In other words, I could run any PHP code on your server, including filesystem commands (overwriting or deleting files). Even if you turned off allowing URL fopens, I could read out any file on your entire server. If you had used fopen instead of include, I could view the source of any PHP file instead of causing it to be executed.
William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Post by William »

Yes, but it's include("includes/" . $file . ".php"); :) So that way no one could do a direct URL. Or would it still be possible?
William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Post by William »

They could inject some JavaScript into it by making it include it, and when it spits an error out it runs the JavaScript. Any other ideas?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Since you specified a path to prepend to it and appended a file extension, that restricts them to files of that file extension on your entire filesystem. This may deter less experienced users from straying from that directory, but it is very easily exploitable. What you need to do is utilize the basename() function; this will prevent users from putting "../" and such in their filenames.
William
Forum Contributor
Posts: 332
Joined: Sat Oct 25, 2003 4:03 am
Location: New York City

Post by William »

So there is no way to exploit it to get access to reading files or executing PHP scripts?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

William wrote: They could inject some JavaScript into it by making it include it, and when it spits an error out it runs the JavaScript. Any other ideas?
Turn off displaying of error messages in php.ini; only log the error messages.

William wrote: So there is no way to exploit it to get access to reading files or executing PHP scripts?
Yes there is. With this code:

Code:

include("includes/" . $file . ".php");
which you said you were using, they could very easily run a file outside of the includes/ directory by calling your script with the following GET variable:

?file=../../../myfile

If you need to restrict it to the includes/ directory and only .php file types, please refer to the function I posted in my previous post.

EDIT: I will also mention that the only way they can view the source of your file is if they are able to open the file for reading, with a function like fopen or file_get_contents; the include/require family of functions all execute the code.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

viewtopic.php?t=29816 -> Proper use of $_GET with includes
shiflett
Forum Contributor
Posts: 124
Joined: Sun Feb 06, 2005 11:22 am

Re: Include Security

Post by shiflett »

William wrote: I was wondering what security holes the code below might allow you to exploit:

Code:

<?php

$file = $_GET['file'];

include("include/" . $file . ".php");

?>
This allows an attacker to expose any file on your server. It's true that the attacker cannot change the scheme (necessary for including remote code), but passing a NULL can terminate the string on many platforms:

http://example.org/foo.php?file=../../. ... /passwd%00

Hope that helps.
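As an added example, not code from the original thread, here is one way to harden William's include against both the "../" traversal josh describes and the "%00" terminator shiflett describes. It goes a step past basename(): a strict allowlist on the page name rejects "/", ".", ":" and NUL before any filesystem call, and a realpath() prefix check then guarantees the resolved file sits directly under the includes directory even if something inside it is a symlink. The function name resolveInclude, the page name home, the decoy secret.php and the temp-directory setup are assumptions for illustration. One caveat: PHP 5.3.4 and later reject filesystem paths that contain a NUL byte, so the %00 trick only works on the older PHP this 2005 thread was written against; the allowlist below rejects it regardless.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Assumes an includes/
// directory of page scripts; the demo below builds one in a temp directory.

/**
 * Resolve includes/<name>.php safely. Returns the absolute path, or null
 * if the name is not a plain page identifier or resolves outside $baseDir.
 */
function resolveInclude(string $baseDir, string $name): ?string
{
    // 1. Syntactic allowlist: letters, digits, underscore and hyphen only.
    //    This rejects "/", "\", ".", ":" and NUL, so neither "../" traversal,
    //    a "%00" terminator nor an "http://" scheme reaches the filesystem.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }

    // 2. Belt and braces: resolve symlinks on both sides with realpath() and
    //    require the page to sit directly under the includes directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                       // no such base, or no such page
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside includes/
    }
    return $path;
}

// ---- Demo: constructed includes/ directory with one real page -----------
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($tmp . '/includes', 0700, true);
file_put_contents($tmp . '/includes/home.php', "<?php echo \"home page\\n\";");
file_put_contents($tmp . '/secret.php', "<?php echo \"should never run\\n\";");

$attempts = [
    'home',                      // legitimate page
    '../secret',                 // josh's traversal: includes/../secret.php
    "../../../etc/passwd\0",     // shiflett's NUL-byte terminator
    'http://example.org/evil',   // remote include attempt
];

foreach ($attempts as $name) {
    $path  = resolveInclude($tmp . '/includes', $name);
    $shown = str_replace("\0", '\0', $name);   // make the NUL visible
    printf("%-28s -> %s\n", $shown, $path === null ? 'REJECTED' : 'included');
    if ($path !== null) {
        include $path;                     // only ever includes/<name>.php
    }
}

// Contrast: the original include("includes/" . $file . ".php") would run
// $tmp/secret.php for the traversal name, and on PHP < 5.3.4 the NUL name
// would expose /etc/passwd exactly as shiflett describes.

// cleanup
unlink($tmp . '/includes/home.php');
unlink($tmp . '/secret.php');
rmdir($tmp . '/includes');
rmdir($tmp);
```

Run it with php on the command line; only the home entry prints "included" followed by "home page", and the three attack strings print "REJECTED". The allowlist is deliberately narrower than basename() would give: basename() stops "../" but still passes through dots and odd characters, whereas an explicit character class describes exactly what a page name is allowed to be, and the realpath() comparison catches anything the regex was not written to anticipate.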