
» Surpass Web Hosting Forums » Discussions » PHP, MySQL » Dynamic Includes

Post #10, July 15th, 2004, 8:51 PM, by SmartGuy
I just quickly browsed through the posts and I didn't know you posted that link, otherwise I wouldn't have made my post. Sorry!
Post #11, July 16th, 2004, 3:45 AM, by Ancyru
I've thought about using the switch/case method, but sometimes I don't want to edit my script.php file to accommodate a newly created file.

Is there another way around this where I could use my original script? I also want the:

?x=folder/file

Is there a safe way to not allow ?x=../file
__________________
When I get sad, I stop being sad, and be AWESOME instead. True story.
Post #12, July 31st, 2004, 8:23 PM, by Ancyru
Oh guys, I've seen another way to do this. Could you check it out:

Code:
<?php
$x = isset($_GET['x']) ? $_GET['x'] : '';
$dir = "includes/";
$ext = ".php";
// Allow only letters, digits, '-', '_' and '.'. The pattern is anchored so the
// whole value must match, not just one character somewhere inside it.
// '/' is not in the set, so "folder/file" is rejected along with "../file".
if (preg_match("/^[a-z0-9\-_\.]+$/i", $x)) {
  if (file_exists($dir . $x . $ext)) {
    include($dir . $x . $ext);
  } else {
    include($dir . "notfound" . $ext);
  }
} else {
  include($dir . "illegal" . $ext);
}
?>
Post #13, July 31st, 2004, 10:02 PM, by TJ09
Quote:
Originally Posted by Wolfy
A few words about security (yes; I know I'm a nag).

Doing dynamic includes of this nature is very risky - particularly if you are also allowing your users to upload files elsewhere on the page. Consider you have a forum that allows users to upload an avatar or attach files to their posts and this script fails to adequately check the file type of the upload.

Then a malicious user might create a file "exploit.jpg" that was actually a php file containing some malicious code. e.g.

Code:
<?php
echo "<strong>H4H D00D UR 73H L4M3R!!!11!!<strong>";
?>
This code would normally not be able to be run due to the extension being linked to the image/jpeg MIME-type but PHP does not check these things when using include or require - so the code could be run by calling http://yourdomain.com/yourscript.php...rs/exploit.jpg

The example I have given would just embarrass you (and good grammar) by calling you 73H L4M3R; a real exploit might deliberately trash your site or overload the server disrupting your own service and others.

It should be assumed that any user input into forms is unsafe. Your script could either check that the include in $x points to a directory with the appropriate permissions.

Code:
<?php
$x = isset($_GET['x']) ? $_GET['x'] : '';
if ($x) {
  // $x must begin with the path of the read-only directory. strpos() returns 0
  // when the needle sits at the very start (and false when it is absent), so
  // compare against 0 with !==. As noted below, a value such as
  // "/mysafedir/../avatars/exploit.jpg" still passes this check.
  if (strpos($x, "/mysafedir/") !== 0) {
    include("stophackingme.php");
  } else if (file_exists("$x.php")) {
    include("$x.php");
  } else {
    include("error.php");
  }
} else {
  include("main.php");
}
?>
The additional lines check to make sure that $x starts with the path to a directory with read-only permissions set on it. Please note this is also insufficient (though better) as $x could contain a string such as "/mysafedir/../avatars/exploit.jpg". If you must insist on passing the filename of the include the proper way to go about it would be to explode the entire string and check the path resolves to a secure directory.

The most secure way to implement this is to know the pages you need beforehand and use a method similar to that shown in this helpdesk howto:
http://desk.surpasshosting.com/index...e1e564639e2e44

-wolf
You should always preset the extension, ex: include "$x.php" instead of just $x...

EDIT: In fact, that's what the code she had does anyway...so it prevents use of files other than PHP...

As for this:
Quote:
Originally Posted by Ancyru
I've thought about using the switch/case method, but sometimes I don't want to edit my script.php file to accommodate a newly created file.

Is there another way around this where I could use my original script? I also want the:

?x=folder/file

Is there a safe way to not allow ?x=../file
Code:
// The dots must be escaped: an unescaped '.' matches any character. This test
// only rejects a leading "../"; a "../" later in the string is not caught.
if(preg_match("#^\.\./#", $x)) {include "illegal.php";} else {include "$x.php";}
__________________
Me: TeeJay
Server: Sync (Statistics)
Site: technoized.com (Statistics)

chown -R us ./base

Last edited by TJ09; July 31st, 2004 at 10:07 PM. Reason: Add to post
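The question in post #11 (allow ?x=folder/file but never ?x=../file) and Wolfy's advice to "check the path resolves to a secure directory" can both be met with one check: restrict the characters first, then canonicalise with realpath() and confirm the result still lives under the include directory. The script below is an added example written for this thread, not code posted by anyone in it; it assumes an includes/ directory next to the script, a notfound.php inside it, and PHP 7.1 or later for the nullable return type. Run from the command line it builds a throw-away include tree (constructed test data) and checks a few inputs; served by a web server it behaves as the dynamic-include front controller discussed above.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Maps a page name such as "folder/file"
// to "$baseDir/folder/file.php" and refuses anything that does not resolve
// inside $baseDir. The layout (includes/ next to this file) is an assumption.

/**
 * Return the absolute path of "$baseDir/$x.php" if $x is a well-formed page
 * name and the file exists inside $baseDir; otherwise return null.
 */
function resolve_include(string $baseDir, string $x): ?string
{
    // Syntactic allowlist first: letters, digits, '-' and '_', with single '/'
    // separators between segments. Dots are not permitted at all, so "..",
    // ".jpg" and NUL-byte tricks never reach the filesystem. The D modifier
    // stops '$' from accepting a trailing newline.
    if (!preg_match('#^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$#D', $x)) {
        return null;
    }
    // Canonicalise both ends and confirm containment. realpath() collapses
    // "." and "..", follows symlinks, and returns false for a missing file.
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $x . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // e.g. a symlink inside includes/ pointing elsewhere
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Self-test against a constructed include tree in the temp directory.
    $tmp = sys_get_temp_dir() . '/dyninc_' . getmypid();
    mkdir($tmp . '/includes/news', 0700, true);
    mkdir($tmp . '/avatars', 0700, true);
    file_put_contents($tmp . '/includes/home.php', '<?php echo "home\n";');
    file_put_contents($tmp . '/includes/news/latest.php', '<?php echo "latest\n";');
    file_put_contents($tmp . '/avatars/exploit.jpg', '<?php echo "should never run\n";');

    $cases = [                       // input => should it be allowed?
        'home'                       => true,
        'news/latest'                => true,
        '../avatars/exploit.jpg'     => false,
        'news/../../avatars/exploit' => false,
        '/etc/passwd'                => false,
        "home\0"                     => false,
        'missing'                    => false,
    ];
    $failures = 0;
    foreach ($cases as $input => $expectAllowed) {
        $path = resolve_include($tmp . '/includes', $input);
        $allowed = ($path !== null);
        if ($allowed !== $expectAllowed) {
            $failures++;
        }
        printf("%-30s %s\n", addcslashes($input, "\0..\37"), $allowed ? 'allowed' : 'rejected');
        if ($allowed) {
            include $path; // already proven to live under includes/
        }
    }
    // Remove the constructed tree again.
    foreach (['/includes/news/latest.php', '/includes/home.php', '/avatars/exploit.jpg'] as $f) {
        unlink($tmp . $f);
    }
    foreach (['/includes/news', '/includes', '/avatars', ''] as $d) {
        rmdir($tmp . $d);
    }
    exit($failures === 0 ? 0 : 1);
} else {
    // Web entry point: ?x=folder/file, defaulting to the home page.
    $x = (isset($_GET['x']) && is_string($_GET['x'])) ? $_GET['x'] : 'home';
    $path = resolve_include(__DIR__ . '/includes', $x);
    if ($path === null) {
        http_response_code(404);
        include __DIR__ . '/includes/notfound.php';
    } else {
        include $path;
    }
}
```

The character allowlist is what actually keeps "../" out; the realpath() comparison is a second line of defence for cases the regex cannot see, such as a symlink dropped into includes/. If the set of pages is known in advance, the stricter option Wolfy recommends is to replace the regex with an in_array() lookup against a fixed list of page names and skip the filesystem check entirely.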
Post #14, July 31st, 2004, 10:07 PM, by Ancyru
Have you guys taken a look at my new code? It's two posts above this.
Post #15, July 31st, 2004, 10:09 PM, by TJ09
I don't think that code would prevent ../, just non-alphanumeric characters.
Post #16, July 31st, 2004, 10:11 PM, by Ancyru
But isn't ../ a non-alphanumeric character?
Post #17, July 31st, 2004, 10:24 PM, by TJ09
I guess, but your script allows . to be in the $x variable.

Now that I look at it, it prevents use of all directories, since / isn't allowed.
Post #18, July 31st, 2004, 10:29 PM, by Ancyru
Cool so do you think it is okay to use? I guess I just have to give up on using ?x=folder/file

?x=file should be sufficient.