I was wondering what security wholes the code might allow you to do below:
Code: Select all
<?php
$file = $_GET['file'];
include("include/" . $file . ".php");
?>-Thanks
Moderator: General Moderators
Code: Select all
<?php
$file = $_GET['file'];
include("include/" . $file . ".php");
?>Turn off displaying of error messages in php.ini, only log the error messagesWilliam wrote:They could inject some JavaScript into it by making it include it and when it spits an error out it does the javascript. Any other ideas?
Yes there is, with this code:William wrote:So there is no way to exploit it to get access to reading files or executing php scripts?
Code: Select all
include("includes/" . $file . ".php");This allows an attacker to expose any file on your server. It's true that the attacker cannot change the scheme (necessary for including remote code), but passing a NULL can terminate the string on many platforms:William wrote:I was wondering what security wholes the code might allow you to do below:
Code: Select all
<?php $file = $_GET['file']; include("include/" . $file . ".php"); ?>