
secure proxy

Posted: Wed Nov 19, 2008 1:09 am
by alex.barylski

<?php
 
  $file = str_replace('..', '', $_GET['file']); 
  readfile($file);
 
This is probably grossly insecure.

I have this index.php script in a sub-directory and the .htaccess redirects all requests underneath this file to this file. :? Haha.

I just need to prevent files outside of this docroot from being selected.

So while my web site might have a structure like:

/var/www/public_html/
/var/www/public_html/index.html
/var/www/public_html/aboutus.html
/var/www/public_html/images/
/var/www/public_html/resources/
/var/www/public_html/resources/.htaccess
/var/www/public_html/resources/index.php
/var/www/public_html/resources/dynamic.gif.php

Basically when dynamic.gif.php is requested it should be channeled through the index.php proxy and returned as the native code and not actually executed. What I don't want is people attempting to read the source of other files like index.php in the root:

/var/www/public_html/index.php

Is filtering out the double period enough?

Re: secure proxy

Posted: Wed Nov 19, 2008 8:32 am
by Hannes2k
Hi,
why do you use a proxy script?

And are you sure you wanna 'readfile' for '.php' files, because the php code isn't executed?

Maybe you can use regexp: ([a-zA-Z0-9_-]+[/a-zA-Z0-9_-]+).(html|gif|jpg|css)

So the user can just read .html, .gif, .jpg and .css files which are in the same or in a subfolder.


But: why are you using a proxy script? I do not see any advantages in such a proxy script.

Re: secure proxy

Posted: Wed Nov 19, 2008 9:45 am
by Eran
The way I structure most of my projects is that I have under the document root only images, css and javascript and one index.php file which includes a file outside the document root. For example:

/home/projects/foo
/home/projects/foo/library
/home/projects/foo/html
/home/projects/foo/html/index.php
/home/projects/foo/html/images
/home/projects/foo/html/js
 
Under /home/projects/foo I have a "deny from all" .htaccess
and under /home/projects/foo/html I have an .htaccess like this:

RewriteEngine on
RewriteRule !\.(js|ico|gif|jpg|png|css)$ index.php
order allow,deny
allow from all
 
Files not under the document root (/home/projects/foo/html) are not accessible from an HTTP request. I sometimes permit certain directories on a case-by-case basis, but this is my general structure.

Re: secure proxy

Posted: Wed Nov 19, 2008 1:56 pm
by Mordred
There are a couple of vulnerabilities I can see:

1. ?file=/var/www/public_html/index.php
2. ?file=http://victim.com/index.php?var=exploit (... and it's Hockey who gets the feds at his door instead of the evil hacker)

Hint: Any such code snippet that doesn't contain realpath() is wrong.

This is maybe the N-th time (or at least K-th :) ) you try doing things with str_replace(), maybe it's time to write a note of not using it for security on your wall or something :)
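
Added example, not part of any post in this thread: one way to apply the realpath() hint is to canonicalise the requested path and then require the result to sit inside the proxy's directory. The function name `resolve_inside` and the temporary sample tree are assumptions made for illustration; the four test requests are the cases raised in the thread.

```php
<?php
// Added example, not from the thread. Assumption: only regular files under
// the proxy's own directory ($baseDir) may ever be served.
function resolve_inside(string $baseDir, string $requested): ?string
{
    // Refuse empty input, NUL bytes, and anything that looks like a
    // scheme or stream wrapper (http://, php://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Always resolve relative to the base, so an absolute path in the request
    // is treated as a path under $base rather than under the filesystem root.
    $real = realpath($base . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($real === false || !is_file($real)) {
        return null; // missing file, directory, or unresolvable path
    }
    // realpath() has collapsed "..", "." and symlinks; now require the result
    // to sit under $base. The trailing separator keeps "/resources2" from
    // passing as a child of "/resources".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sample tree mirroring the layout in the first post.
$root = sys_get_temp_dir() . '/proxy_demo_' . getmypid();
mkdir($root . '/resources', 0700, true);
file_put_contents($root . '/index.php', '<?php /* outside the proxy dir */');
file_put_contents($root . '/resources/dynamic.gif.php', '<?php /* served as source */');

$requests = [
    'dynamic.gif.php',                          // inside the proxy dir: allowed
    '../index.php',                             // parent directory
    $root . '/index.php',                       // absolute path (case 1 above)
    'http://victim.com/index.php?var=exploit',  // URL (case 2 above)
];
foreach ($requests as $r) {
    $path = resolve_inside($root . '/resources', $r);
    printf("%-45s => %s\n", $r, $path === null ? 'rejected' : 'served: ' . basename($path));
}
// In the proxy itself: answer 404 on null, otherwise call readfile($path).
array_map('unlink', [$root . '/index.php', $root . '/resources/dynamic.gif.php']);
rmdir($root . '/resources'); rmdir($root);
```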