Fixing a security problem

@DasherNov 07.2007

I have a web page that can has a standard include, but a different include can be introduced with a simple GET from the url. I need to improve that so malicious code can’t be introduced. What is a good way to do this?

Here is the current code;

[code=php] foreach ( $HTTP_GET_VARS as $key=>$value) { //print “$key == $value<BR />n”; $my_file = $value; unset ($value); }

if ($my_file != “”) { include (“$my_file”); } else { include(“news/news.htm”); } [/code]

I am thinking about doing a test on $my_file to make sure it is not an external file. It could be as simple as a length check or maybe something else would be better. The way it works now is a url might look like this ~~[url]~~www.mydomain.com/?file=somefile.txt[/url] When the program sees the new variable value, it will include that file instead of the default one.

My website has been hacked by phishing software purveyors and I think this may be the hole they are using.

Recommendations on a fix?

to post a comment

PHP

5 Comments(s) _↴

@DasherauthorNov 07.2007 — #I am thinking of maybe using an array of good file names and using www.mydomain.com?file=1 nomenclature. where the value 1 would be file 1 (the second item) in the array of good file names. Any number not represented in the array would return a the default file.

i.e.

[code=php]
 foreach ( $HTTP_GET_VARS as $key=>$value)
 {
 //print "$key == $value<BR />n";
 $my_file = $value;
 unset ($value);
 }
 
 $myfilenamearray = array("goodfile.txt","anotherfile.txt","etc.txt");
 
 if ($my_file != "")
 {
 include ("$myfilenamearray[$my_file]");
 }
 else
 {
 include("news/news.htm");
 } 
 [/code]

Does this appear to be a more secure method?

@DasherauthorNov 08.2007 — #Answering my own question.. the new code seems to work pretty good. I just have to add some error trapping to snag out of bounds array values.

Some times it just helps to outline the problem in writing.

@NogDogNov 08.2007 — #If you put all the valid include files into their own directory, you can then do something like the following:

[code=php]
 $includePath = $_SERVER['DOCUMENT_ROOT'] . '/../includes/';
 $includeFile = basename(trim($_GET['file_name'])); // only the file name, no path
 if(is_readable($includePath . $includeFile))
 {
 include $includePath . $includeFile;
 }
 else
 {
 // error message or whatever for invalid file name
 }
 [/code]

@DasherauthorNov 08.2007 — #NogDog - Your code is interesting indeed. I will have to consider that.

Meanwhile I implemented the array method and tweaked it a little.

with this ;

[code=php]
 //if ($my_file != "")   // removed this condition
 if (array_key_exists($my_file,$myfileamearray)) // added this condition
 {
 include ("$myfilearray[$my_file]");
 }
 else 
 {
 include("news/news.htm");
 }
 [/code]

A typical url to select the include file would look like this now...

www.mydomain.com/?file=15 any key not within the range of available array keys would default to 'news/news.htm' this seems to work but requires editing of the array to add new entries. So that could be a long term problem.

So far I only have an array of 19 values so it is not too bad to manage. What I really wanted to do is plug a security hole, and I think I have done that.

@DasherauthorNov 12.2007 — #nogdog:

I had some issues with the following statement.

[code=php]$includePath = $_SERVER['DOCUMENT_ROOT'] . '/../includes/';[/code]
$_SERVER['DOCUMENT_ROOT'] goes too deep in the path. i.e. it reports something like home/public_html/ so appending /../includes/ would result in home/public_html/../includes/ where in actuality one only wants the path to be ../includes.

the next lines in your code snippet worked fine so I am using them.

[code=php]$includePath = 'image5/';
 $includeFile = basename(trim($_GET['pict'])); // only the file name, no path
 if(is_readable($includePath . $includeFile))
 {
 $includePath .= $includeFile;
 }
 else {echo "No Such File";  }[/code]

All this is helping make my site a little more bullet proof. After being hacked a few times I finally got religion on php security measures.

Also in #PHP _↴

[RESOLVED] dumb newbee question: how do i make a table?unordered list replace bullet by image according to level, if last level text as link sending HTML mails with PHP

Success!

Help @Dasher spread the word by sharing this article on Twitter...

Tweet This

about: ({
version: 0.1.9 — BETA 6.17,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});

changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...

recent_tips: (
tipper: @nearjob,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,
)...

Fixing a security problem

5 Comments(s) _↴

Also in #PHP _↴

Success!

Social

Version

Fixing a security problem

5 Comments(s) ↴

Also in #PHP ↴

Success!

The web is an endless sea of information. Don't miss the boat... Subscribe!

Social

Version

5 Comments(s) _↴

Also in #PHP _↴