
should work.

```php
<?php
// File include by Blob off of HabboxForum
$config = array(
    "default"    => "home",           // Default Page
    "directory"  => "pages/",         // Directory where files are held (with trailing slash)
    "restricted" => array( "index" ), // Restricted pages
    "404"        => "404.php"         // Error Page (with trailing .php)
);
// Fall back to the default page when ?page= is missing or names a restricted page;
// otherwise strip slashes from the requested name.
$page = ( isset( $_GET["page"] ) === false )
    ? $config["default"]
    : str_replace( "/", "", ( ( in_array( $_GET["page"], $config["restricted"] ) !== false ) ? $config["default"] : $_GET["page"] ) );
// Include the page if it exists, otherwise the error page.
( file_exists( $config["directory"] . $page . ".php" ) !== false )
    ? include( $config["directory"] . $page . ".php" )
    : include( $config["directory"] . $config["404"] );
?>
```
default = the default page you want to load up
directory = the directory where the pages are, so if you have pages/home/index.php and pages/about/index.php you would use pages/
restricted = pages that aren't allowed to be loaded
404 = the 404 page

If you set the directory to pages/, then

page.php?page=pageHere

will include pages/pageHere.php, or if you have pages/home/index.php,

page.php?page=home/index

should work, haven't tried it.
visit my internet web site on the internet
http://dong.engineer/
it is just videos by bill wurtz videos you have been warned
Update:
Go hog wild. Testing duration: about 20 seconds. Should work just fine and dandy.

```php
<?php
define( 'CHECK_FOR_FORBIDDEN_FILES', true );
define( 'CHECK_FOR_FORBIDDEN_FOLDERS', true );
define( 'FORBIDDEN_FILE_LIST', 'index,secret,tuesday' );
define( 'FORBIDDEN_FOLDER_LIST', 'config' );
define( 'ERROR_FOLDER', './' );
define( 'ERROR_PAGE', 'error' );
define( 'CHECK_FOR_CONFIG_FILES', true );

$folder = ( isset( $_GET[ 'folder' ] ) === true ) ? $_GET[ 'folder' ] : ERROR_FOLDER;
$page   = ( isset( $_GET[ 'page' ] ) === true ) ? $_GET[ 'page' ] : ERROR_PAGE;

$file = new handleLink( $folder, $page );
if( $file->theLink !== false ) {
    include( $file->theLink );
} else {
    include( ERROR_FOLDER . ERROR_PAGE . '.php' );
}

// Declared after use; PHP hoists unconditional top-level class declarations.
class handleLink
{
    public $theLink;

    public function __construct( $folder, $page )
    {
        $page   = ( $this->_isValidPage( $page ) === true ) ? $page : $this->_filterPage( $page );
        $folder = ( $this->_isValidFolder( $folder ) === true ) ? $folder : $this->_filterFolder( $folder );
        if( $this->_checkForValidPage( $folder, $page ) === true ) {
            $this->theLink = $this->_buildUrl( $folder, $page );
        } else {
            $this->theLink = false;
        }
    }

    private function _checkForValidPage( $folder, $page )
    {
        if( file_exists( $folder . '/' . $page . '.php' ) === true ) {
            return true;
        } else {
            return false;
        }
    }

    private function _buildUrl( $folder, $page )
    {
        return $folder . '/' . $page . '.php';
    }

    private function _filterFolder( $incoming )
    {
        if( CHECK_FOR_FORBIDDEN_FOLDERS === true ) {
            if( is_string( FORBIDDEN_FOLDER_LIST ) === true ) {
                $str = explode( ',', FORBIDDEN_FOLDER_LIST );
            } elseif( is_array( FORBIDDEN_FOLDER_LIST ) === true ) {
                $str = FORBIDDEN_FOLDER_LIST;
            } else {
                exit( 'Oh no invalid forbidden folder list.' );
            }
            foreach( $str as $forbidden ) {
                if( stripos( $incoming, $forbidden ) !== false ) {
                    $incoming = str_ireplace( $forbidden, '', $incoming );
                }
            }
        }
        if( strpos( $incoming, '..' ) !== false ) {
            $incoming = preg_replace( '#\.{1,}#', '.', $incoming );
        }
        return $incoming;
    }

    private function _filterPage( $incoming )
    {
        // File traversal (Only use pcre if we absolutely have to.)
        if( strpos( $incoming, '..' ) !== false ) {
            $incoming = preg_replace( '#\.{1,}#', '.', $incoming );
        }
        // Only valid file names (Who really uses the name ~*hello*~.php (yes it's valid))
        $incoming = preg_replace( '#([^a-zA-Z0-9\-_]+)#', '', $incoming );
        return $incoming;
    }

    private function _isValidFolder( $incoming )
    {
        if( strpos( $incoming, '..' ) === false ) {
            return true;
        } else {
            return false;
        }
    }

    private function _isValidPage( $incoming )
    {
        // First make sure we have something there.
        if( strlen( $incoming ) === 0 ) {
            exit( 'No url detected' );
        }
        // First check for forbidden characters and extensions yadda yadda.
        $incomingCheck = preg_replace( '#([^a-zA-Z0-9\-_]+)#', '', $incoming );
        if( strlen( $incomingCheck ) === 0 ) {
            exit( 'No valid url detected.' );
        }
        // Anything with config in it.
        if( CHECK_FOR_CONFIG_FILES === true ) {
            if( stripos( $incoming, 'config' ) !== false ) {
                $incoming = str_ireplace( 'config', '', $incoming );
            }
            // Quick check to make sure we're all good
            $incomingCheck = preg_replace( '#([^a-zA-Z0-9\-_]+)#', '', $incoming );
            if( strlen( $incomingCheck ) === 0 ) {
                exit( 'You are trying to access a config file. Stop that.' );
            }
        }
        // Now we'll check for standard forbidden phrases!
        if( CHECK_FOR_FORBIDDEN_FILES === true ) {
            if( is_string( FORBIDDEN_FILE_LIST ) === true ) {
                $str = explode( ',', FORBIDDEN_FILE_LIST );
            } elseif( is_array( FORBIDDEN_FILE_LIST ) === true ) {
                $str = FORBIDDEN_FILE_LIST;
            } else {
                exit( 'Oh no invalid forbidden file list.' );
            }
            foreach( $str as $forbidden ) {
                if( stripos( $incoming, $forbidden ) !== false ) {
                    $incomingCheck = str_ireplace( $forbidden, '', $incoming );
                    $incomingCheck = preg_replace( '#([^a-zA-Z0-9\-_]+)#', '', $incomingCheck );
                    if( strlen( $incomingCheck ) === 0 ) {
                        exit( 'You are trying to access a forbidden file. Stop that.' );
                    }
                }
            }
            // OK! We have no forbidden files.
            // As far as we can tell it's not a forbidden file and it's a valid url!
        }
        if( strpos( $incoming, '..' ) === false ) {
            return true;
        } else {
            return false;
        }
    }
}
?>
```
Yes it's a joke (but it works!)
That's a host problem, not a coding problem (well it sort of is, but it's not insecurity on the php end)
A good host should have open_basedir enabled so you can't wander off.
Any other files in your directory are your problem, not a problem of insecurity.
Last edited by Jewish Bear; 05-05-2010 at 06:40 PM.
You can read/execute any file on the server...
?page=..&subpage=file - would simply run: file.php
Or with null-byte poisoning:
?page=../../../secretfile.txt[null character here]
Would print the contents of any file (regardless of extension)
More info: http://php.net/manual/en/security.fi....nullbytes.php
Last edited by Apolva; 05-05-2010 at 06:46 PM.
As said previously, hosts should enable open_basedir to keep people inside their own directories and out of the rest of the server. This is still a trivial host problem, mod_security should handle that issue too.
While it may stop you leaving your /www/ dir, you can still read "secret" files used by other scripts, plus files which usually need .htaccess authentication.
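The two snippets in this thread both build an include path from the raw `?page=` value and then try to filter out the dangerous bits (`/`, `..`, forbidden words), which is the pattern the replies above show to be bypassable. The router below is an added example, not code from any poster in this thread: it takes the same `?page=` parameter but never lets the request decide the path. Each page name is looked up in an allowlist (`PAGE_MAP`), and the mapped file is then canonicalised with `realpath()` and required to sit under `PAGES_DIR`, so traversal sequences, null bytes, case variants and array-shaped parameters are all rejected as "unknown page" before any filesystem access, and `open_basedir` or `mod_security` become a second line rather than the only line. The `./pages` directory, the page keys and file names in `PAGE_MAP` are assumptions for the example; PHP 8.0 or later is assumed for the `mixed` type.

```php
<?php
// Added example (not code from the thread): a page router that accepts the same
// ?page= parameter as the snippets above but never builds a path from user input.
// Assumptions: pages live in ./pages beside this script and are listed in PAGE_MAP.
declare(strict_types=1);

const PAGES_DIR     = __DIR__ . '/pages';
const DEFAULT_PAGE  = 'home';
const NOT_FOUND_KEY = 'not-found';

// Allowlist: the only values ?page= may take, each mapped to a file under PAGES_DIR.
// A page in a sub-directory (the thread's pages/home/index.php) gets its own key,
// so the request never needs to carry a slash at all.
const PAGE_MAP = [
    'home'       => 'home.php',
    'about'      => 'about.php',
    'home-index' => 'home/index.php',
    'not-found'  => '404.php',
];

/**
 * Map a ?page= value to the absolute path of the file to include.
 * Returns null when the value is not an allowlisted key, or when the mapped
 * file does not resolve to a location under PAGES_DIR.
 */
function resolvePage(mixed $requested): ?string
{
    // ?page[]=x arrives as an array; treat anything that is not a non-empty string as absent.
    if (!is_string($requested) || $requested === '') {
        $requested = DEFAULT_PAGE;
    }

    // 1. Exact allowlist lookup. '..', '../../../secretfile.txt', "home\0", 'HOME'
    //    and 'home/../about' are all simply unknown keys and are refused here,
    //    before any filesystem call is made.
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;
    }

    // 2. Defence in depth: canonicalise both sides and require the target to sit
    //    under PAGES_DIR. This catches a stray symlink or a bad PAGE_MAP entry.
    //    realpath() returns false for a file that does not exist.
    $base   = realpath(PAGES_DIR);
    $target = realpath(PAGES_DIR . '/' . PAGE_MAP[$requested]);
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check with constructed inputs, including the shapes discussed in
    // the thread. Only allowlisted keys whose file exists resolve to a path.
    $samples = ['home', 'home-index', '..', '../../../secretfile.txt', "home\0",
                'home/../about', '', ['x'], 'not-a-page'];
    foreach ($samples as $in) {
        $shown = is_array($in) ? 'array' : str_replace("\0", '\0', $in);
        printf("%-30s => %s\n", var_export($shown, true), resolvePage($in) ?? 'rejected');
    }
    exit;
}

// Web request: an unknown page falls back to the 404 page, resolved through the same map.
$path = resolvePage($_GET['page'] ?? null) ?? resolvePage(NOT_FOUND_KEY);
if ($path === null) {
    http_response_code(500);
    exit('Page directory is misconfigured.');
}
include $path;
```

Run it as `php router.php` (name assumed) to see the constructed samples: every traversal, null-byte or array-shaped value prints `rejected` without the filesystem being consulted, and `home` only resolves once `./pages/home.php` really exists. Adding a page means adding a key to `PAGE_MAP`, which is the point: the set of includable files is fixed in code, not derived from the request.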