Include Security
Posted: Tue Sep 13, 2005 9:35 am
by William
Hello all,
I was wondering what security holes the code below might allow someone to exploit:
<?php
$file = $_GET['file'];
include("include/" . $file . ".php");
?>
I understand that you shouldn't do that, but that's not my question. My question is how could someone use that to steal information/deface my site?
-Thanks
Posted: Tue Sep 13, 2005 9:48 am
by josh
If I were to set file to http://mysite.com/file.txt, I could put anything in that .txt file I wanted your server to parse as PHP.
In other words, I could run any PHP code on your server, including filesystem commands (overwriting, deleting files). Even if you turned off allowing URL fopens, I could read out any file on your entire server; if you had used fopen instead of include, I could view the source of any PHP file instead of causing it to be executed.
Posted: Tue Sep 13, 2005 9:50 am
by William
Yes, but it's include("includes/" . $file . ".php"); so that way no one could do a direct URL. Or would it still be possible?
Posted: Tue Sep 13, 2005 10:22 am
by William
They could inject some JavaScript into it by making it include it, and when it spits an error out, it runs the JavaScript. Any other ideas?
Posted: Tue Sep 13, 2005 11:41 am
by josh
Since you specified a path to prepend to it and prepended a file extension, that restricts them to files of that file extension on your entire filesystem. This may deter less experienced users from straying from that directory, but it is very easily exploitable. What you need to do is utilize the basename() function; this will prevent users from putting "../" and such in their filenames.
Posted: Tue Sep 13, 2005 11:43 am
by William
So there is no way to exploit it to get access to reading files or executing PHP scripts?
Posted: Tue Sep 13, 2005 11:45 am
by josh
William wrote: They could inject some JavaScript into it by making it include it, and when it spits an error out, it runs the JavaScript. Any other ideas?
Turn off the display of error messages in php.ini; only log the error messages.
William wrote: So there is no way to exploit it to get access to reading files or executing PHP scripts?
Yes there is. With this code:
include("includes/" . $file . ".php");
which you said you were using, they could very easily run a file outside of the includes/ directory by calling your script with the following GET variable:
?file=../../../myfile
If you need to restrict it to the includes/ directory and only .php file types, please refer to the function I posted in my previous post.
EDIT: I will also mention that the only way they can view the source of your file is if they are able to open the file for reading, with a function like fopen or file_get_contents; the include/require family of functions all execute the code.
Posted: Tue Sep 13, 2005 12:39 pm
by John Cartwright
viewtopic.php?t=29816 -> Proper use of $_GET with includes
Re: Include Security
Posted: Mon Sep 26, 2005 10:06 am
by shiflett
William wrote: I was wondering what security holes the code below might allow someone to exploit:
<?php
$file = $_GET['file'];
include("include/" . $file . ".php");
?>
This allows an attacker to expose any file on your server. It's true that the attacker cannot change the scheme (necessary for including remote code), but passing a NULL can terminate the string on many platforms:
http://example.org/foo.php?file=../../. ... /passwd%00
Hope that helps.
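To tie together josh's two points (the "../" traversal against the fixed prefix, and his basename() advice) and shiflett's %00 truncation, here is an added example that is not code from the thread or from any of its posters. The names vulnerable_path(), safe_include_path() and run_demo() are hypothetical, and the includes/ directory and the attack payloads are constructed for the demo. It prints the path the thread's vulnerable include would try to open for each payload next to what a hardened resolver does with it. One fact beyond the thread: PHP 5.3.4 and later refuse filesystem paths that contain a NUL byte, so the %00 trick only worked on the PHP of 2005; the hardened resolver rejects it explicitly anyway.

```php
<?php
// Added example, not from the thread. Hypothetical helper names:
// vulnerable_path(), safe_include_path(), run_demo().
declare(strict_types=1);

// What the thread's include("includes/" . $file . ".php") actually tries to open.
// Returned as a string so the payloads can be inspected without executing anything.
function vulnerable_path(string $file): string
{
    return 'includes/' . $file . '.php';
}

// Hardened resolver: returns the absolute path to include, or null to refuse.
// $includeDir is the only directory allowed to hold includable pages.
function safe_include_path(string $file, string $includeDir, array $allowed): ?string
{
    // 1. NUL bytes: the %00 trick truncated the path (and dropped ".php") on old PHP.
    if (strpos($file, "\0") !== false) {
        return null;
    }
    // 2. Only a bare page name is acceptable; this alone removes "../" and "http://".
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $file)) {
        return null;
    }
    // 3. basename() as defence in depth, per josh's advice, even though step 2
    //    already leaves no directory separators to strip.
    $name = basename($file);
    // 4. Allowlist of the page names the application actually ships.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 5. Canonicalise and confirm the result still lives under $includeDir.
    $base = realpath($includeDir);
    $candidate = realpath($includeDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a constructed includes/ directory created in the system temp dir.
function run_demo(): void
{
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
    $includeDir = $root . DIRECTORY_SEPARATOR . 'includes';
    mkdir($includeDir, 0700, true);
    file_put_contents($includeDir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo \"home page\\n\";\n");
    $allowed = ['home', 'about'];

    // Constructed payloads covering the cases discussed in the thread.
    $payloads = [
        'home',                       // legitimate request
        '../../../../etc/passwd',     // traversal: ".php" suffix is still appended
        "../../../../etc/passwd\0",   // NUL truncation: suffix dropped on pre-5.3.4 PHP
        'http://attacker.example/x',  // remote include impossible: prefix fixes the scheme
    ];
    foreach ($payloads as $p) {
        $shown = addcslashes($p, "\0");
        $vuln  = addcslashes(vulnerable_path($p), "\0");
        $safe  = safe_include_path($p, $includeDir, $allowed) ?? 'REFUSED';
        printf("%-30s vulnerable opens: %s\n%-30s hardened:         %s\n", $shown, $vuln, '', $safe);
    }

    // Include the one path the hardened resolver accepted.
    $ok = safe_include_path('home', $includeDir, $allowed);
    if ($ok !== null) {
        include $ok;
    }

    unlink($includeDir . DIRECTORY_SEPARATOR . 'home.php');
    rmdir($includeDir);
    rmdir($root);
}

run_demo();
```

Run it with `php demo.php`. The allowlist in step 4 is the control that actually decides what can be included; the character-class check, basename() and the realpath() containment test are belt-and-braces so that a future change to the allowlist (say, loading page names from a database) cannot quietly reintroduce traversal.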