secure proxy

alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

secure proxy

Post by alex.barylski »

Code:

<?php
  $file = str_replace('..', '', $_GET['file']);
  readfile($file);

This is probably grossly insecure.

I have this index.php script in a sub-directory and the .htaccess redirects all requests underneath this file to this file. :? Haha.

I just need to prevent files outside of this docroot from being selected.

So while my web site might have a structure like:

Code:

/var/www/public_html/
/var/www/public_html/index.html
/var/www/public_html/aboutus.html
/var/www/public_html/images/
/var/www/public_html/resources/
/var/www/public_html/resources/.htaccess
/var/www/public_html/resources/index.php
/var/www/public_html/resources/dynamic.gif.php

Basically when dynamic.gif.php is requested it should be channeled through the index.php proxy and returned as the native code and not actually executed. What I don't want is people attempting to read the source of other files like index.php in the root:

Code:

/var/www/public_html/index.php

Is filtering out the double period enough?

Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: secure proxy

Post by Hannes2k »

Hi,
why do you use a proxy script?

And are you sure you wanna 'readfile' for '.php' files, because the php code isn't executed?

Maybe you can use regexp: ([a-zA-Z0-9_-]+[/a-zA-Z0-9_-]+).(html|gif|jpg|css)

So the user can just read .html, .gif, .jpg and .css files which are in the same or in a subfolder.


But: why are you using a proxy script? I do not see any advantages in such a proxy script.
Last edited by Hannes2k on Wed Nov 19, 2008 2:50 pm, edited 1 time in total.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: secure proxy

Post by Eran »

The way I structure most of my projects is that I have under the document root only images, css and javascript and one index.php file which includes a file outside the document root. For example:

Code:

/home/projects/foo
/home/projects/foo/library
/home/projects/foo/html
/home/projects/foo/html/index.php
/home/projects/foo/html/images
/home/projects/foo/html/js
 
Under /home/projects/foo I have a "deny from all" .htaccess
and under /home/projects/foo/html I have an .htaccess like this:

Code:

RewriteEngine on
RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php
order allow,deny
allow from all
 
Files not under the document root (/home/projects/foo/html) are not accessible from an HTTP request. I sometimes permit certain directories on a case-by-case basis, but this is my general structure.

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: secure proxy

Post by Mordred »

There are a couple of vulnerabilities I can see:

1. ?file=/var/www/public_html/index.php
2. ?file=http://victim.com/index.php?var=exploit (... and it's Hockey who gets the feds at his door instead of the evil hacker)

Hint: Any such code snippet that doesn't contain realpath() is wrong.

This is maybe the N-th time (or at least K-th :) ) you try doing things with str_replace(), maybe it's time to write a note of not using it for security on your wall or something :)
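
The realpath() hint above, worked through as an added example that is not code from any poster in this thread: the request is always anchored under the proxy's directory, canonicalised, and then compared against the canonical base. The function name resolve_inside() and the temporary directory layout are assumptions made for the demonstration; the request strings are the ones discussed in the thread.

```php
<?php
// Added example, not code from the thread. resolve_inside() and the demo
// directory layout below are hypothetical, constructed for illustration.

/** Return the canonical path of $requested if it is a regular file inside
 *  $baseDir, or null for anything else. */
function resolve_inside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;
    }
    // Always anchor the request under the base directory: an absolute path
    // or a URL then names a local path that does not exist.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare canonical paths. The trailing separator keeps a sibling such
    // as /base-other from passing as /base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed layout mirroring the thread: <root>/index.php must not be
// readable through the proxy, <root>/resources/dynamic.gif.php may be.
$root = sys_get_temp_dir() . '/proxy_demo_' . getmypid();
mkdir("$root/resources", 0700, true);
file_put_contents("$root/index.php", "<?php // must stay unreadable\n");
file_put_contents("$root/resources/dynamic.gif.php", "<?php // served as text\n");

$requests = [
    'dynamic.gif.php',                          // intended use
    './dynamic.gif.php',                        // same file, non-canonical
    "$root/index.php",                          // absolute path (point 1)
    'http://victim.com/index.php?var=exploit',  // URL wrapper (point 2)
    '../index.php',                             // parent directory
];
foreach ($requests as $r) {
    $path = resolve_inside("$root/resources", $r);
    printf("%-45s %s\n", $r, $path === null ? 'rejected' : 'served');
}

// Remove the constructed files again.
unlink("$root/resources/dynamic.gif.php");
unlink("$root/index.php");
rmdir("$root/resources");
rmdir($root);
```

In the proxy itself, only the path returned by the function is passed to readfile(). An extension allow-list like the one Hannes2k suggests can be applied to that canonical path as a second check.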