Bugtraq mailing list archives

Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications


From: salo <salo () Xtrmntr org>
Date: Fri, 27 Jul 2001 19:48:08 +0200

On Fri, Jul 27, 2001 at 06:05:25PM +0100, Julian Hall wrote:
> Is anyone really that naive?  I, and I'm sure most other PHP users, would
> automatically write:
> 
> <?php
>     $themefile = "themes/$theme.inc";
>     include ($themefile);
> ?>
> 
> If I was even remotely thinking about security I would check for the presence
> of directory separator characters in $theme (as it stands obviously the code
> would allow the inclusion of any file with the '.inc' suffix).  You never
> include code from a filename specified directly by the user.  That's a primary
> rule, and applies to server applications written in any language, not just PHP
> and other similar systems.

What about checking like this?

<?php

  // strip everything that is not a letter or a digit, then pin the
  // result between a fixed directory prefix and the ".inc" suffix
  $themefile = "/your/document/root/"
               .EReg_Replace('([^a-zA-Z0-9])*','',$theme)
               .".inc";

  // only include the file if the http daemon can actually read it,
  // otherwise fall back to the default theme
  if (Is_Readable($themefile))
    include ($themefile);
  else
    include ("/your/document/root/default.inc");

?>

There is no possibility to browse your directory structure for including
files, because only alphanumeric characters are passed and the prefix and suffix
are fixed. Checking whether the file is readable by the HTTP daemon is better
than checking only whether it exists, because it could be unreadable, and then an
error occurs and a message including the full path to the file is printed out:

Warning: Failed opening '/your/document/root/test.inc' for inclusion
   (include_path='') in /your/document/root/theme.php on line 8

You could define more valid characters to pass the security filter, e.g. _ or -.


regards,

-- 
--   salo <salo () Xtrmntr org>         ASCII Ribbon campaign against   /"\   --
--   http://Xtrmntr.org/salo.pgp     e-mail in gratuitous HTML and   \ /   --
--                                   Microsoft proprietary formats    X    --
--                                                                   / \   --
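As an added example (not the poster's code), a stricter version of the same idea for current PHP: reject a theme name outside the allowed character set instead of stripping characters from it, confine the resolved path to the theme directory with realpath(), and keep the is_readable() fallback to the default theme. THEME_DIR, DEFAULT_THEME, the length limit and the query parameter name are assumptions.

```php
<?php
// Added example, not from the original post. Assumes theme files live in
// THEME_DIR and that DEFAULT_THEME.inc exists and is readable there.
const THEME_DIR = '/your/document/root/themes';
const DEFAULT_THEME = 'default';

// Return the absolute path of the theme file to include, or the default's path.
// Rejects (rather than strips) anything outside [A-Za-z0-9_-], so "../x" is
// refused instead of being silently rewritten to "x".
function resolve_theme_file(string $theme): string
{
    $default = THEME_DIR . '/' . DEFAULT_THEME . '.inc';

    // Whitelist of characters and an assumed length limit of 32.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $theme)) {
        return $default;
    }

    $candidate = THEME_DIR . '/' . $theme . '.inc';

    // Resolve symlinks and verify the result is still inside THEME_DIR.
    // realpath() returns false for a file that does not exist.
    $real = realpath($candidate);
    $base = realpath(THEME_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return $default;
    }

    // is_readable() rather than file_exists(): an unreadable file would make
    // include() emit a warning that leaks the full filesystem path.
    return is_readable($real) ? $real : $default;
}

$theme = isset($_GET['theme']) ? (string) $_GET['theme'] : DEFAULT_THEME;
include resolve_theme_file($theme);
?>
```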

