PHP Include and Security - need help
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: PHP Include and Security - need help
But if include is requesting a remote file, won't that request be handled by Apache/[some other server], and won't the file be passed to PHP, and won't PHP execute it, and won't it pass it back without any PHP in it? I realize include() will parse any PHP you give it, but I don't understand how it's getting the PHP in this case.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: PHP Include and Security - need help
Jonah Bron wrote: and won't it pass it back without any PHP in it? I realize include() will parse any PHP you give it, but I don't understand how it's getting the PHP in this case.
The point is, you can pass it any text. If this text happens to include PHP code, it will be interpreted. For instance, the hacker script that was being remotely included probably outputs raw PHP code. This is why they suggest using readfile() or file_get_contents() if you only want to display the result of the include.
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: PHP Include and Security - need help
I knew that it parsed any text you gave it, I just wasn't sure why it was getting PHP code at all.
Still, why is this file outputting raw PHP?
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: PHP Include and Security - need help
Jonah Bron wrote: I knew that it parsed any text you gave it, I just wasn't sure why it was getting PHP code at all.
Still, why is this file outputting raw PHP?
.. because it was designed to, to exploit this script.
Code:
<?php
echo "echo 'foobar';";
?>
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: PHP Include and Security - need help
Ooooookay, I had it totally backwards. I thought a malicious remote server was include()ing your script, but it's the other way around. They're making you include theirs. So, under the first context, what I said was true, just not in this situation (obviously, as long as you have your Apache settings right and you're not echoing any PHP).
All clear, thanks.
Re: PHP Include and Security - need help
Please, how do I combine these two scripts? I just want my script to display an error or just block any attempts to include externally.
Block script:
Code:
$allowedReferrers = array('google.com', 'yahoo.com');
// Parse first, then test. Writing "$url = parse_url(...) && in_array(...)" assigns the
// boolean result of && to $url, because = binds looser than &&, so $url['host'] was never set.
// The server variable is spelled HTTP_REFERER (one R) in PHP.
$url = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER']) : false;
if ($url !== false && isset($url['host']) && in_array($url['host'], $allowedReferrers, true)) {
    // valid referrer && whitelisted
} else {
    // invalid referrer || not whitelisted
    // print error here
}
My current include script:
Code:
// add referrer security check here...
if ( isset($_GET['id']) && $_GET['id'] <> '' ) // If id is set, then set include to that value
{
    $include = $_GET['id'];
}
elseif ( (!isset($_GET['id']) || $_GET['id'] == '') && isset($_GET['image']) ) // If id not set, but image is, don't include anything
{
    $include = FALSE;
}
else // id and image not set, so include a default page
{
    $include = 'home.php';
}
if ( $include != FALSE )
{
    if ( is_file($include) ) // If it finds the file, then include it
    {
        include $include;
    }
    else // File doesn't exist, so show 404 page
    {
        include '404.php';
    }
}
// Show the image if set
if ( isset($_GET['image']) && $_GET['image'] <> '' )
{
    $image = $_GET['image'];
}
// end include
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP Include and Security - need help
You are allowing arbitrary file inclusions. Not good.
Re: PHP Include and Security - need help
kaisellgren wrote: You are allowing arbitrary file inclusions. Not good.
I know, but how can I fix this?
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
Re: PHP Include and Security - need help
Switch statement?
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP Include and Security - need help
Keep a list of allowed includes and check if the requested include is one of those. Or, use something else than include()s to construct your pages. Take a look at frameworks and templating systems.
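The "list of allowed includes" approach kaisellgren describes, applied to the include script posted earlier in the thread, as an added example that is not code from any poster. The page keys and file names (`home`, `about`, `contact`, a `pages/` directory) are assumptions for illustration. The user-supplied `id` is used only as a lookup key into a fixed map and never becomes part of a path, so neither a remote URL nor a local path can be injected; a key that is not in the map gets the 404 page.

```php
<?php
// Added example, not from the thread: allowlist-based page inclusion.
// Replaces the "$include = $_GET['id']" pattern from the posted script.
declare(strict_types=1);

// Hypothetical page map: request key => file under the pages directory.
// Only values from this map are ever passed to include.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];
const PAGES_DIR = __DIR__ . '/pages';   // assumed layout

/**
 * Map a user-supplied page key to a file path on disk.
 * Returns null when the key is not in the allowlist or the file is missing.
 * The user value is used as an array key only; it is never concatenated into the path.
 */
function resolvePage(?string $key): ?string
{
    if ($key === null || $key === '') {
        $key = 'home';                  // default page, as in the original script
    }
    if (!array_key_exists($key, PAGES)) {
        return null;                    // not on the allowlist
    }
    $path = PAGES_DIR . '/' . PAGES[$key];
    return is_file($path) ? $path : null;
}

$requested = $_GET['id'] ?? null;
$page = resolvePage(is_string($requested) ? $requested : null);

if ($page === null) {
    http_response_code(404);
    include PAGES_DIR . '/404.php';
} else {
    include $page;
}
```

A switch statement, as Jonah suggested, is the same idea with the map written out as cases. Because the Referer header is set by the client, the referrer check posted earlier does not stop anyone from requesting `?id=http://...`; the allowlist does. As defence in depth, leaving `allow_url_include` off in php.ini prevents include() from fetching remote URLs at all, but the allowlist is still needed to keep local files that were never meant to be pages out of reach.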