PHP Include and Security - need help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: PHP Include and Security - need help

Post by Jonah Bron »

But if include is requesting a remote file, won't that request be handled by Apache/[some other server], and won't the file be passed to PHP, and won't PHP execute it, and won't it pass it back without any PHP in it? I realize include() will parse any PHP you give it, but I don't understand how it's getting the PHP in this case.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: PHP Include and Security - need help

Post by John Cartwright »

Jonah Bron wrote: and won't it pass it back without any PHP in it? I realize include() will parse any PHP you give it, but I don't understand how it's getting the PHP in this case.

The point is, you can pass it any text. If this text happens to include PHP code, it will be interpreted. For instance, this hacker script that was being remotely included probably outputs raw PHP code. This is why they suggest that, if you only want to display the result of the include, you use readfile() or file_get_contents().
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: PHP Include and Security - need help

Post by Jonah Bron »

I knew that it parsed any text you gave it, I just wasn't sure why it was getting PHP code at all.

Still, why is this file outputting raw PHP?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: PHP Include and Security - need help

Post by John Cartwright »

Jonah Bron wrote: I knew that it parsed any text you gave it, I just wasn't sure why it was getting PHP code at all.

Still, why is this file outputting raw PHP?
... because it was designed to, to exploit this script. :)

<?php 

echo "echo 'foobar';";

?>
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: PHP Include and Security - need help

Post by Jonah Bron »

Ooooookay, I had it totally backwards. I thought a malicious remote server was include()ing your script, but it's the other way around. They're making you include theirs. So, under the first context, what I said was true, just not in this situation (obviously, as long as you have your Apache setting right and you're not echoing any PHP :) )

All clear, thanks.
reb00t
Forum Newbie
Posts: 8
Joined: Thu Sep 16, 2010 3:38 pm

Re: PHP Include and Security - need help

Post by reb00t »

Please, how do I combine these two scripts? I just want my script to display an error or just block any attempts to include externally.

block script

$allowedReferrers = array('google.com', 'yahoo.com');
// PHP exposes the Referer header as HTTP_REFERER (one R). It is sent by the
// client and may be missing or forged, so this check cannot replace
// validating the include path itself.
$url = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER']) : false;
// The assignment must be parenthesised (or done first): "$url = a() && b()"
// assigns the boolean result of && to $url, not the parse_url() array.
if ($url !== false && isset($url['host']) && in_array($url['host'], $allowedReferrers, true)) {
   //valid referrer && whitelisted
} else {
   //invalid referrer || blacklisted
   // print error here
}
my current include script

// add referrer security check here...

if ( isset($_GET['id']) && $_GET['id'] <> '' ) // If id is set, then set include to that value
{
    $include = $_GET['id'];
}
elseif ( (!isset($_GET['id']) || $_GET['id'] == '') && isset($_GET['image']) ) // If id not set, but image is, don't include anything
{
    $include = FALSE;
}
else // id and image not set, so include a default page
{
    $include = 'home.php';
}

if ( $include != FALSE)
{
    if ( is_file($include) ) // If finds file, then include it
    {
        include $include;
    }
    else // File doesn't exist, so show 404 page
    {
        include '404.php';
    }
}

// Show the image if set
if ( isset($_GET['image']) && $_GET['image'] <> '' )
{
    $image = $_GET['image'];
}
// end include
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Include and Security - need help

Post by kaisellgren »

You are allowing arbitrary file inclusions. Not good.
reb00t
Forum Newbie
Posts: 8
Joined: Thu Sep 16, 2010 3:38 pm

Re: PHP Include and Security - need help

Post by reb00t »

kaisellgren wrote: You are allowing arbitrary file inclusions. Not good.
I know, but how can I fix this?
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: PHP Include and Security - need help

Post by Jonah Bron »

Switch statement?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Include and Security - need help

Post by kaisellgren »

Keep a list of allowed includes and check if the requested include is one of those. Or, use something else than include()s to construct your pages. Take a look at frameworks and templating systems.
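kaisellgren's advice in working form, as an added example that is not code from the thread: the dispatcher below replaces the `$include = $_GET['id']` pattern in reb00t's script with an exact lookup in a fixed list, so the client only ever picks a key and the developer picks the file. The page names, the `pages/` directory and the `resolvePage()` helper are assumptions for illustration.

```php
<?php
// Added example, not from the thread. The client supplies a key; the file
// path comes only from ALLOWED_PAGES. 'home', 'about', 'contact' and the
// pages/ directory are assumed names.
declare(strict_types=1);

// Every page this script is willing to include. Nothing outside this map
// can be reached, whatever ?id= contains ("../etc/passwd", "http://...",
// "php://filter/...", an array, an empty string).
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the raw ?id= value to a path chosen from ALLOWED_PAGES.
 * Returns null when the value is not a known key. This is an exact string
 * lookup, so is_file()/file_exists() is never run on client data.
 */
function resolvePage($id): ?string
{
    if ($id === null || $id === '') {
        $id = 'home';                       // default page, as in the original
    }
    if (!is_string($id) || !isset(ALLOWED_PAGES[$id])) {
        return null;                        // arrays (?id[]=x) and unknown names
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$id];
}

$page = resolvePage($_GET['id'] ?? null);

if ($page === null) {
    http_response_code(404);
    include __DIR__ . '/404.php';           // the thread's existing 404 page
} else {
    include $page;                          // path never derived from input
}
```

Independently of the allowlist, leaving php.ini's allow_url_include at its default of Off makes include() refuse http:// and ftp:// targets outright, which is the remote-inclusion case discussed earlier in the thread. The allowlist is still needed because that setting does nothing against local paths such as ../ traversal.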