Security flaws?

What are the implications of using this code?

 <?php
 if (file_exists("pages/" . $_GET["page"] . ".php")) {
     include("pages/" . $_GET["page"] . ".php");
 } else {
     include("pages/home.php");
 }
 ?>

I made it so that you could not download anything without the .php extension, so I think it's pretty safe to use. If you use:

 website.com/index.php?page=../index 

In the url, it will create an infinite loop. As far as I know, you cannot load an external URL.

Example:

 website.com/index.php?page=anothersite.com/virus 

But I'm not sure. Any suggestions? Or is it normal to use?

+4
5 answers

As zerkms has already pointed out, depending on the version of PHP, file_exists and include may be unsafe when handling NULL bytes. Only as of PHP version 5.4.3 do the file system functions take NULL bytes into account.

So, you should check the value before using it, for example, using a white list of valid values:

 $allowedPages = array(/* … */);
 if (in_array($_GET["page"], $allowedPages)) {
     // allowed
 }

You can also expand this whitelist to any existing file under the document root:

 if (strpos($_GET["page"], "\0") !== false) {
     // NULL byte detected
 }
 $path = realpath("pages/" . $_GET["page"] . ".php");
 $base = realpath($_SERVER['DOCUMENT_ROOT']) . "/";
 if ($path !== false && substr($path, 0, strlen($base)) === $base) {
     // allowed
 }

However, this can still be used to circumvent other access control measures, such as location-based HTTP authentication.

+2

Using the ../../ pattern in combination with a null byte can let the path "break out" of its jail.

 "../../../etc/passwd\0.php" 

There are two things you can do about this:

  • Use a whitelist of possible values that you are ready to accept.

  • Sanitize the path first, e.g.

     $path = preg_replace('/[^a-z]/', '', $_GET['page']); // now use $path as you would
+2
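Putting the two answers above together (the whitelist, the realpath containment check and the character filter), here is an added example that is not code from the question or from any answer. It assumes the page files live in a pages/ directory beside the script, a whitelist named $allowed, and confines lookups to that pages directory rather than to DOCUMENT_ROOT.

```php
<?php
// Added example, not from the original question or answers.
declare(strict_types=1);

/**
 * Resolve an untrusted ?page= value to a file under $pagesDir,
 * or return null so the caller falls back to the home page.
 */
function resolvePage(string $page, string $pagesDir, array $allowed): ?string
{
    // 1. Reject NULL bytes outright: older PHP filesystem functions truncate at them.
    if (strpos($page, "\0") !== false) {
        return null;
    }
    // 2. Only plain page names: letters, digits, underscore, hyphen (no "/", ".", ":").
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $page)) {
        return null;
    }
    // 3. Whitelist of pages this site actually serves (strict comparison).
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 4. Belt and braces: realpath() resolves ".." and symlinks, so a page file
    //    that is a symlink pointing outside pages/ is rejected here as well.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Self-check against a constructed temporary pages directory (run: php resolve_page.php).
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/about.php", "<?php echo 'about';");
$allowed = ['home', 'about'];
$checks = [
    ['about', true],                    // whitelisted and the file exists
    ['../index', false],                // the traversal loop from the question
    ["../../../etc/passwd\0", false],   // the NULL-byte trick from the answer
    ['contact', false],                 // not in the whitelist
    ['anothersite.com/virus', false],   // the remote-looking value from the question
];
foreach ($checks as [$input, $expectOk]) {
    $ok = resolvePage($input, $dir, $allowed) !== null;
    echo ($ok === $expectOk ? 'PASS ' : 'FAIL ') . json_encode($input) . PHP_EOL;
}
unlink("$dir/about.php");
rmdir($dir);
```

In index.php the caller would include resolvePage($_GET['page'] ?? 'home', __DIR__ . '/pages', $allowed) ?? __DIR__ . '/pages/home.php'.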

First of all, it’s not safe to include a page based on URL parameters that users can easily modify; you had better avoid this.

Secondly, if you want to avoid including an external URL, you may need to configure php.ini according to http://www.php.net/manual/en/filesystem.configuration.php#ini.allow-url-include

If you have not configured php.ini yet, you can first strip the strings "http://" and "https://" from $_GET['page'], which is good practice anyway, and create a .htaccess file that redirects requests for a nonexistent page to home.php; you must also make sure that mod_rewrite is enabled on your server.

 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} -s [OR]
 RewriteCond %{REQUEST_FILENAME} -l [OR]
 RewriteCond %{REQUEST_FILENAME} -d
 RewriteRule ^.*$ - [NC,L]
 RewriteRule ^.*$ home.php [NC,L]
0

Doing this, as you pointed out, could cause the endless loop that makes PHP crash.

PHP crashes can lead to many bad things. For example, uploaded temporary files may not be deleted. This can ultimately lead to huge leaks and attacks.

0

This will lead to a serious vulnerability known as local file inclusion: the GET parameter is not filtered. It is better to filter it as indicated above, or just use PHP's realpath(), which is a little simpler.

0

Source: https://habr.com/ru/post/1482875/
