Bugtraq mailing list archives
Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
From: salo <salo () Xtrmntr org>
Date: Fri, 27 Jul 2001 19:48:08 +0200
On Fri, Jul 27, 2001 at 06:05:25PM +0100, Julian Hall wrote:
Is anyone really that naive? I, and I'm sure most other PHP users, would automatically write:

    <?php
    $themefile = "themes/$theme.inc";
    include ($themefile);
    ?>

If I was even remotely thinking about security I would check for the presence of directory separator characters in $theme (as it stands obviously the code would allow the inclusion of any file with the '.inc' suffix). You never include code from a filename specified directly by the user. That's a primary rule, and applies to server applications written in any language, not just PHP and other similar systems.
What about checking like this?

    <?php
    $themefile = "/your/document/root/" . EReg_Replace('([^a-zA-Z0-9])*', '', $theme) . ".inc";
    if (Is_Readable($themefile))
        include ($themefile);
    else
        include ("/your/document/root/default.inc");
    ?>

There is no possibility to browse your directory structure for including files, because only alphanumeric characters are passed and the prefix and suffix are defined.

Checking whether the file is readable by the http daemon is better than checking only whether it exists, because it might not be readable, in which case an error occurs and a message including the full path to the file is printed out:

    Warning: Failed opening '/your/document/root/test.inc' for inclusion (include_path='') in /your/document/root/theme.php on line 8

You could define more valid characters to pass the security filter, e.g. _ or -

regards,

-- 
salo <salo () Xtrmntr org>
http://Xtrmntr.org/salo.pgp
ASCII Ribbon campaign against e-mail in gratuitous HTML and Microsoft proprietary formats
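As an added illustration, not code from salo's or Julian Hall's messages, here is the same "filter, then include" idea written for current PHP, where ereg_replace no longer exists; the theme directory, the default theme name and the 32-character limit are assumptions.

```php
<?php
// Added example, not from the thread: salo's "filter, then include" idea
// written for current PHP. Differences: a bad name is rejected rather than
// silently stripped, the resolved path must stay inside the theme directory,
// and preg_match stands in for ereg_replace, which PHP 7 removed.
// THEME_DIR and DEFAULT_THEME are assumed values for the demonstration.

const THEME_DIR = '/your/document/root/themes';
const DEFAULT_THEME = 'default';

// Return the absolute path of the theme file to include, or the default
// theme's path when the requested name is not acceptable.
function resolve_theme_file(string $requested): string
{
    $fallback = THEME_DIR . '/' . DEFAULT_THEME . '.inc';

    // 1. Allow only a short name of letters, digits, _ and - (the extra
    //    characters salo mentions); anything else is refused outright.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $requested)) {
        return $fallback;
    }

    $candidate = THEME_DIR . '/' . $requested . '.inc';

    // 2. Test readability, not mere existence, so a failed include cannot
    //    emit the warning that reveals the full filesystem path.
    if (!is_readable($candidate)) {
        return $fallback;
    }

    // 3. The canonical path must still lie under THEME_DIR; this catches a
    //    symlink in the theme directory that points somewhere else.
    $real = realpath($candidate);
    $base = realpath(THEME_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }

    return $real;
}

// Constructed request for the demonstration; in a real script this comes
// from the query string, e.g. $_GET['theme'].
$theme = $_GET['theme'] ?? DEFAULT_THEME;
include resolve_theme_file($theme);
```

Rejecting an invalid name instead of stripping characters means a request for "../../etc/passwd" is refused as a whole rather than being quietly turned into "etcpasswd.inc".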
Current thread:
- A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications Shaun Clowes (Jul 02)
- Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications Chris Adams (Jul 03)
- Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications Julian Hall (Jul 27)
- Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications salo (Jul 27)
- <Possible follow-ups>
- Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications Stephen Cope (Jul 04)