PHP Injection - Remote/Local File Inclusion.

#1, 07-02-2008, 09:14 AM
Orc (The Prestige; Join Date: Dec 2007; Posts: 1,044)

How do I fix any file inclusion?


An example of a file inclusion would be like so:
PHP Code:
<?php
// The include path is taken straight from the query string (the vulnerable example under discussion).
@include($_GET['file']);
Since the '@' makes it so it won't return any errors, it's like a spy, umm, so how do I prevent people from remote/local file including it and screwing my sites up?
__________________
VillageIdiot can have my babbies ;d
#2, 07-02-2008, 09:31 AM
codefreek (Super Moderator, Inquisitive; Join Date: Sep 2007; Location: Near you.; Posts: 791)

You can fix it like this..

PHP Code:
<?php
if (!empty($_GET['file'])) {
    // Keep only the part of the request value after the last '/'.
    // (strrpos() returns false when there is no '/', and false + 1 is 1,
    // so substr() then starts at offset 1.)
    $q = substr($_GET['file'], strrpos($_GET['file'], '/') + 1);
    if (is_readable($q)) {
        // Note that the is_readable() check was made on $q, while the
        // include below uses the original $_GET['file'] value.
        include $_GET['file'] . '.php';
    }
}
?>
#3, 07-02-2008, 02:33 PM
Village Idiot (Wizard, Top Contributor; Join Date: Sep 2007; Posts: 1,299)

Why on earth would you want to dynamically include a file that is specified in GET?
#4, 07-02-2008, 07:19 PM
xenon (The Frequenter, Newcomer; Join Date: Dec 2007; Location: Bucharest, Romania; Posts: 438)

As Village Idiot already asked, why would you want to do that? It's an extremely big security hole. And the solution to your 'problem' is: you don't do that anymore.
__________________
I have optimistic thoughts, even though sometimes (if not always) life's a bitch.
#5, 07-02-2008, 07:34 PM
drewbee (The Acquainted; Join Date: May 2008; Posts: 175)

And if you must dynamically include files, don't use variables to do it. Use some type of switch, in which you hard-code the file names.

I.e.

PHP Code:
<?php
// Map the requested page name to a hard-coded file name; anything else
// falls through to the default.
$file = '';
switch ($_GET['page'])
{
    case 'login':
        $file = 'login.php';
        break;

    case 'register':
        $file = 'register.php';
        break;

    case 'contact':
        $file = 'contact.php';
        break;

    default:
        $file = 'index.php';
}

// Only the file chosen above is ever included.
if (file_exists($file))
{
    include($file);
}
__________________
There are No Stupid Questions. But there a LOT of Inquisitive Idiots.
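Added example, not code posted in this thread: a lookup-table version of the idea in posts #2 and #5. The request parameter is used only as a key into a fixed map, so the value that was validated and the value that gets included are the same thing (in the post #2 snippet the check is made on $q while the include uses $_GET['file']). The pages/ directory and the three page names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a pages/ directory beside this
// script containing home.php, login.php and contact.php (assumed file names).
declare(strict_types=1);

// Fixed map of public page names to the file each one loads. The programmer
// owns both sides of this table; request data is only ever used to look up a
// key, never to build a path, so "../", a URL or a null byte in the request
// cannot change which file is included.
const PAGES = [
    'home'    => 'home.php',
    'login'   => 'login.php',
    'contact' => 'contact.php',
];

const DEFAULT_PAGE = 'home';

/**
 * Resolve the raw ?page= value to the file that should be included.
 * Anything that is not exactly one of the map keys (missing, an array,
 * a near miss such as "Login") resolves to the default page.
 *
 * @param mixed $requested whatever arrived in $_GET['page'], or null
 */
function resolve_page($requested): string
{
    $key = (is_string($requested) && array_key_exists($requested, PAGES))
        ? $requested
        : DEFAULT_PAGE;

    // The path is built from __DIR__ and a table value, never from $requested.
    return __DIR__ . '/pages/' . PAGES[$key];
}

$file = resolve_page($_GET['page'] ?? null);

if (!is_file($file)) {
    // A missing page file is a deployment bug; log it instead of hiding it with @.
    error_log("page file missing: $file");
    http_response_code(500);
    exit;
}

include $file;
```

Compared with the switch in post #5, the table form makes adding a page a one-line change and keeps the "default" case in one place; array_key_exists() is an exact match, so loose comparisons that a switch would accept (for example a numeric string against an integer key) do not apply.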
#6, 07-02-2008, 07:53 PM
delayedinsanity (is cute and cuddly; Join Date: Mar 2008; Location: Vegas, Baby; Posts: 963)

There are some situations where using a dynamic include is the only feasible route. When it comes to anything using user-inputted data (GET, POST, etc.), always, ALWAYS, remember to verify your data first, though; otherwise you almost certainly will run into a problem, if not simply open yourself to an attack.
-m
#7, 07-02-2008, 08:08 PM
Village Idiot (Wizard, Top Contributor; Join Date: Sep 2007; Posts: 1,299)

Quote: Originally Posted by delayedinsanity
    There are some situations where using a dynamic include is the only feasible route. When it comes to anything using user-inputted data (GET, POST, etc.), always, ALWAYS, remember to verify your data first, though; otherwise you almost certainly will run into a problem, if not simply open yourself to an attack.
    -m
Almost three years of PHP and I have never seen a feasible reason to even want to let users include like that. Perhaps it would be a possible route, but unless it is controlled by you (like drewbee suggested) it is a bad idea.
#8, 07-02-2008, 08:10 PM
drewbee (The Acquainted; Join Date: May 2008; Posts: 175)

Same Here VI. 6 years in myself, and I still have no idea why he would want to do that.

Orc,

Basically, what we are seeing is that this is a very, very bad idea. Even if you think you need to do it; don't. And if you absolutely must... make sure it is controlled.
__________________
There are No Stupid Questions. But there a LOT of Inquisitive Idiots.
#9, 07-02-2008, 08:26 PM
delayedinsanity (is cute and cuddly; Join Date: Mar 2008; Location: Vegas, Baby; Posts: 963)

Let me clarify my usage of the word dynamic.

Some functions I use require that they may need to include/require a file before they work (my registry, for instance). I cannot use a switch statement for this, as there are too many possibilities, and every time I added a class to the library I would also have to update the switch.

So what I was referring to by dynamic was the use of an "include $somevar;" statement as opposed to a static "include 'this/file.tpl';". NOT dynamically letting a remote user have any control whatsoever over a file include.

Despite this 'dynamic' method being programmer controlled, I still recommend the use of checks even then for use in debugging. For instance, the following is part of my static load method:

PHP Code:
<?php
// Part of the poster's static load method: $szClass, $szFilename and
// $szModule are set by the calling code, and tException is the poster's
// own exception class.
if ( ! class_exists($szClass))
{
    try {
        if ( ! file_exists($szFilename))
            throw new tException("Library file cannot be found: {$szModule}.{$szClass}");
    }
    catch (tException $e) { die($e->tMessage()); }

    require $szFilename;
}

-m
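Added example (not code from this thread) of the kind of include delayedinsanity describes above: the path comes from a variable, but the variable is derived from the program's own class names rather than from a request, and the loader still checks the name, the resolved location and the result, so a mistake shows up while debugging instead of silently including the wrong file. The lib/ directory, the one-class-per-file layout and the LibraryLoadException class name are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a lib/ directory beside this
// script with one class per file, e.g. lib/Registry.php defining class Registry
// (assumed layout); LibraryLoadException is an assumed name.
declare(strict_types=1);

final class LibraryLoadException extends RuntimeException {}

/**
 * Turn a class name into the file that should define it. The name comes from
 * the program's own "new Registry()" style statements, never from a request,
 * but the loader still refuses anything that is not a plain identifier: such
 * a name cannot be a class in this library, and it must not be used to build
 * a path.
 */
function library_file_for(string $class): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class)) {
        // With several autoloaders registered you would return instead of
        // throwing here, to let another loader claim namespaced names.
        throw new LibraryLoadException("Refusing to load class with unexpected name: $class");
    }

    $libDir = realpath(__DIR__ . '/lib');
    if ($libDir === false) {
        throw new LibraryLoadException('Library directory lib/ does not exist');
    }

    // realpath() is false for a missing file and resolves symlinks, so the
    // containment check below runs on the real location of the file.
    $candidate = realpath($libDir . DIRECTORY_SEPARATOR . $class . '.php');
    if ($candidate === false) {
        throw new LibraryLoadException("Library file cannot be found: $class");
    }
    $prefix = $libDir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new LibraryLoadException("Library file resolves outside lib/: $candidate");
    }
    return $candidate;
}

/**
 * Include the file for a class, then confirm it really defined that class.
 * This is "include $var" in the programmer-controlled sense from the thread.
 */
function load_library_class(string $class): void
{
    if (class_exists($class, false)) {
        return;
    }
    $file = library_file_for($class);
    require $file;
    if (!class_exists($class, false)) {
        throw new LibraryLoadException("$file did not define class $class");
    }
}

// Register as an autoloader so that "new Registry()" runs the checks above.
spl_autoload_register('load_library_class');
```

The post-require class_exists() check is the debugging aid the post talks about: a typo in a file name or a file that defines the wrong class fails loudly at the require, not later with an undefined-class error somewhere else.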
#10, 07-03-2008, 01:18 AM
Orc (The Prestige; Join Date: Dec 2007; Posts: 1,044)

I never use $_GET in include() or require or the _once() variants. :P I was just seeing if there was any other potential way of them including foreign (not from my server) files or just local files.
__________________
VillageIdiot can have my babbies ;d