[21940] in bugtraq
Re: A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
daemon@ATHENA.MIT.EDU (salo)
Fri Jul 27 14:04:05 2001
Date: Fri, 27 Jul 2001 19:48:08 +0200
From: salo <salo@Xtrmntr.org>
To: Julian Hall <jules@acris.co.uk>
Cc: Shaun Clowes <shaun@securereality.com.au>, bugtraq@securityfocus.com
Message-ID: <20010727194759.A16787@Xtrmntr.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3B619F54.4DAACC0E@acris.co.uk>
On Fri, Jul 27, 2001 at 06:05:25PM +0100, Julian Hall wrote:
> Is anyone really that naive? I, and I'm sure most other PHP users, would
> automatically write:
>
> <?php
> $themefile = "themes/$theme.inc";
> include ($themefile);
> ?>
>
> If I was even remotely thinking about security I would check for the presence
> of directory separator characters in $theme (as it stands obviously the code
> would allow the inclusion of any file with the '.inc' suffix). You never
> include code from a filename specified directly by the user. That's a primary
> rule, and applies to server applications written in any language, not just PHP
> and other similar systems.
What about checking like this?
<?php
// keep only alphanumeric characters of $theme, then add a fixed prefix and suffix
$themefile = "/your/document/root/"
    .EReg_Replace('([^a-zA-Z0-9])*','',$theme)
    .".inc";
// check readability (not just existence) before including, otherwise fall back
if (Is_Readable($themefile))
    include ($themefile);
else
    include ("/your/document/root/default.inc");
?>
There is no possibility of browsing your directory structure for files to
include, because only alphanumeric characters are passed and the prefix and
suffix are defined. Checking whether the file is readable by the HTTP daemon is
better than checking only whether it exists, because it could be unreadable,
and then an error occurs and a message including the full path to the file is
printed out:
Warning: Failed opening '/your/document/root/test.inc' for inclusion
(include_path='') in /your/document/root/theme.php on line 8
You could define more valid characters to pass the security filter, e.g. _ or -.
regards,
--
-- salo <salo@Xtrmntr.org>          ASCII Ribbon campaign against     /"\  --
-- http://Xtrmntr.org/salo.pgp      e-mail in gratuitous HTML and     \ /  --
--                                  Microsoft proprietary formats      X   --
--                                                                    / \  --
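A hardened version of the theme loader discussed in this thread, added here as an example that is not part of the original posts. It rejects any theme name outside a strict allow-list instead of stripping characters out of it, confirms the resolved path really stays under the themes directory, and checks readability before include() so that no "Failed opening" warning discloses the server path. It uses preg_match rather than the ereg functions in the post, which were removed in PHP 7; THEME_DIR, DEFAULT_THEME and the theme file names are assumptions for this example.

```php
<?php
// Added example (not from the original thread). Hardened theme loader:
// 1. reject (rather than strip) anything outside a strict allow-list pattern,
// 2. resolve the path and confirm it stays inside the themes directory,
// 3. check readability before include() so no "Failed opening" warning
//    discloses the full server path; fall back to a default theme instead.
// THEME_DIR, DEFAULT_THEME and the theme file names are assumptions.

define('THEME_DIR', __DIR__ . '/themes');
define('DEFAULT_THEME', 'default');

function resolve_theme_file(string $theme, string $themeDir = THEME_DIR): ?string
{
    // Allow-list: 1-32 characters of letters, digits, '_' or '-'. Anything
    // else is refused outright. Stripping characters silently can turn one
    // name into another; rejecting makes the decision explicit and loggable.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $theme)) {
        return null;
    }

    $candidate = $themeDir . '/' . $theme . '.inc';

    // realpath() collapses symlinks and '..', so the final path can be
    // checked against the themes directory. It returns false when the
    // file does not exist, which is treated as "not found" as well.
    $real = realpath($candidate);
    $base = realpath($themeDir);
    if ($real === false || $base === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    // is_readable() (as in the post) avoids the warning that include()
    // emits for an unreadable file, which would leak the full path.
    return is_readable($real) ? $real : null;
}

function load_theme($theme): string
{
    // $_GET values may be arrays; anything that is not a string is rejected.
    if (!is_string($theme)) {
        $theme = '';
    }

    $file = resolve_theme_file($theme);
    if ($file === null) {
        // Record the rejected value server-side; the client only sees the default.
        error_log('theme request rejected: ' . $theme);
        $file = resolve_theme_file(DEFAULT_THEME);
        if ($file === null) {
            throw new RuntimeException('default theme missing or unreadable');
        }
    }
    include $file;
    return $file;
}

// Usage (assumes themes/default.inc exists next to this script):
// load_theme($_GET['theme'] ?? DEFAULT_THEME);
```

The containment check with realpath() is the part the regex alone does not give you: even a name that passes the allow-list could still reach outside the directory through a symlink, and comparing the resolved path against the resolved base catches that. Logging the rejected value server-side keeps the path-disclosure problem out of the response while still leaving a trace for detection.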