PHP Injection - Remote/Local File Inclusion.

Orc · 07-02-2008, 10:14 AM

How do I fix any file inclusion?

An example of a file inclusion would be like so:

PHP Code:


			


@include($_GET['file']);

Since the '@' makes it where it won't return any errors so it's like a spy, umm, how do I prevent it where people can remote/local file include it and screw my sites up?

codefreek · 07-02-2008, 10:31 AM

u can fix it like this..

PHP Code:


			
<?php
if (!empty($_GET['file'])) {
    $q = substr($_GET['file'], strrpos($_GET['file'], '/')+1);
    if (is_readable($q)) {
        include $_GET['file'].'.php';
    }
}
?>

Village Idiot · 07-02-2008, 03:33 PM

Why on earth would you want to dynamically include a file that is specified in GET?

xenon · 07-02-2008, 08:19 PM

As Village Idiot already asked, why would you want to do that? It's an extremely big security hole. And the solution to your 'problem' is: you don't do that anymore.

drewbee · 07-02-2008, 08:34 PM

and If you must dynamically include files, dont use variables to do it. Use some type of switch, of which you hard code the file names.

IE

PHP Code:


			
$file = '';
switch ($_GET['page'])
{
    case 'login':
    $file = 'login.php';
    break;
 
    case 'register':
    $file = 'register.php';
    break;
 
    case 'contact':
    $file = 'contact.php';
    break;
 
    default:
    $file = 'index.php';
}
 
if (file_exists($file))
{
    include($file);
}

delayedinsanity · 07-02-2008, 08:53 PM

There are some situations where using a dynamic include is the only feasible route. When it comes to anything using user inputted data (get, post, etc) always ALWAYS remember to verify your data first though, otherwise you almost certainly will run into a problem, if not simply open yourself to an attack.
-m

Village Idiot · 07-02-2008, 09:08 PM

Quote:

Originally Posted by delayedinsanity

There are some situations where using a dynamic include is the only feasible route. When it comes to anything using user inputted data (get, post, etc) always ALWAYS remember to verify your data first though, otherwise you almost certainly will run into a problem, if not simply open yourself to an attack.
-m

Almost three years of PHP and I have never seen a feasible reason to even want to let users include like that. Perhaps it would be a possible route, but unless it is controlled by you (like drewbee suggested) it is a bad idea.

drewbee · 07-02-2008, 09:10 PM

Same Here VI. 6 years in myself, and I still have no idea why he would want to do that.

Orc,

Basically what we are seeing that this is a very very bad idea. Even if you think you need to do it; dont. And if you absolutely must... make sure it is controlled.

delayedinsanity · 07-02-2008, 09:26 PM

Let me clarify my usage of the word dynamic.

Some functions I use require that they may need to include/require a file before they work (my registry, for instance). I cannot use a switch statement for this, as there are too many possibilities, as well as everytime I added a class to the library I would also have to update the switch.

So what I was referring to by dynamic, was the use of an "include $somevar;" statement as opposed to a static "include this/file.tpl". NOT dynamically letting a remote user have any control whatsoever over a file include.

Despite this 'dynamic' method being programmer controlled, I still recommend the use of checks even then for use in debugging. For instance, the following is part of my static load method:

PHP Code:


			
if ( ! class_exists($szClass))
{
    try {
        if ( ! file_exists($szFilename))
            throw new tException("Library file cannot be found: {$szModule}.{$szClass}");
    }
    catch (tException $e) { die($e->tMessage()); }

    require $szFilename;
}

-m

Orc · 07-03-2008, 02:18 AM

I never use $_GET in include() or require or the _once(). :P I was just seeing if there was any other potential way of them including foreign ( not from my server ) files or just local files.