On 4/26/06, P. Guethlein <peterg@xxxxxxxxxxxxx> wrote:
>
> Initial index.php file:
>
> <?php
> if(isset($_GET['d'])){setcookie('disp',$_GET['d'],time()+(60*60*24*60));$_COOKIE['disp']=$_GET['d'];}
> include_once('writemenus.php');
>
> if(!isset($_GET['href'])) $include = 'startpage.htm';
> else {
>   // $_GET['href'] goes straight into include_once() below, unchecked
>   $include = $_GET['href']; $include = "$include.php";
>   if($include=='index.php')$include = 'startpage.htm';
> }
> include_once($include);
> include_once('footer.htm');
> ?>
>
> =============================
> Hackers seem to be able to call a remote script by appending the URL
> to the href= command line. ( $include )

..because you're not checking it, you're just including it.

If you turn off allow_url_fopen then this will stop it, but it's best to
fix it properly.

You could do something like this:

$mydir = dirname(__FILE__);
$include = $_GET['href'].'.php';

// realpath() resolves './' and '../' and returns false for a file that
// does not exist, so anything outside $mydir fails the comparison
if (realpath($mydir.'/'.$include) != $mydir.'/'.$include) {
  $include = 'startpage.htm';
} else {
  $include = $mydir .'/'.$include;
}

You use realpath to get rid of '../' and './' type references (see
http://www.php.net/realpath), then make sure that's the same file as in the
current directory. If they don't match, it includes startpage.htm.

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
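The following is an added example, not code from either poster. It puts the realpath() idea from the reply next to an explicit allowlist, which is the check most practitioners would want in front of include_once(): the page name is validated syntactically first, then looked up in a fixed list, and only then canonicalised and compared against the canonical page directory. The directory layout (a pages/ subdirectory), the page names startpage, about and contact, and the resolve_page() function are assumptions for the illustration; the original site simply includes from the script's own directory. It assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the original thread): hardened replacement for
// the include logic in index.php. Assumed layout: includable pages live in
// a pages/ directory next to this script, and the page names below are
// hypothetical.

const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['startpage', 'about', 'contact'];

function resolve_page(?string $href): string
{
    // Returned whenever the request is missing or fails any check.
    $fallback = PAGE_DIR . '/startpage.htm';

    if ($href === null) {
        return $fallback;
    }

    // 1. Syntactic check: a short, purely alphanumeric page name. This
    //    alone rejects "http://...", "../", NUL bytes and php:// wrappers,
    //    independently of allow_url_fopen / allow_url_include settings.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/i', $href)) {
        return $fallback;
    }
    $name = strtolower($href);

    // 2. Allowlist: only known pages, so 'index' can never recurse into
    //    this script and a stray .php left on the server is not reachable.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return $fallback;
    }

    // 3. Canonical-path check, as in the reply above. Both sides are passed
    //    through realpath(): comparing a canonical path against a raw one
    //    (as the reply does) fails permanently if the directory itself is a
    //    symlink. realpath() returns false for a missing file.
    $candidate = realpath(PAGE_DIR . '/' . $name . '.php');
    $base      = realpath(PAGE_DIR);
    if ($candidate === false || $base === false || dirname($candidate) !== $base) {
        return $fallback;
    }
    return $candidate;
}

// Demonstration on constructed inputs. Every hostile value resolves to the
// fallback; 'about' resolves to pages/about.php only if that file exists.
$samples = [
    'http://evil.example/shell.txt?',  // remote file inclusion attempt
    '../../etc/passwd',                // traversal attempt
    'index',                           // self-inclusion
    "about\0",                         // NUL-byte truncation attempt
    'about',                           // legitimate page
];
foreach ($samples as $href) {
    printf("%-36s -> %s\n", addcslashes($href, "\0"), basename(resolve_page($href)));
}

// In index.php the call would be:
//   include_once(resolve_page($_GET['href'] ?? null));
```

Step 3 is belt-and-braces once the allowlist is in place, but it is cheap and it is what catches a mistake in the list itself (say, an entry that points at a symlink out of the directory). The order matters: the regex and allowlist run before any filesystem call, so an attacker cannot use realpath() as an oracle for which files exist on the host.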