Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications

[Julian Hall <jules () acris co uk>]

Sorry for the delay in responding here, but I've not had a chance to catch up
with the list for a while, but:

Shaun Clowes wrote:

> As an alternate attack assisted by file upload consider the following
> example PHP code:
>
>  <?php
>   if (file_exists($theme)) // Checks the file exists on the local system (no
> remote files)
>    include("$theme");
>  ?>

Is anyone really that naive?  I, and I'm sure most other PHP uses, would
automatically write:

<?php
    $themefile = "themes/$theme.inc";
    include ($themefile);
?>

If I was even remotely thinking about security I would check for the presence
of directory seperator characters in $theme (as it stands obviously the code
would allow the inclusion of any file with the '.inc' suffix).  You never
include code from a filename specified directly by the user.  That's a primary
rule, and applies to server applications written in any language, not just PHP
and other similar systems.