On Wed, April 26, 2006 12:53 am, P. Guethlein wrote:
> <?php
> if(isset($_GET['d'])){setcookie('disp',$_GET['d'],time()+(60*60*24*60));$_COOKIE['disp']=$_GET['d'];}
I suppose this isn't so terribly awful, since experienced users can
forge their Cookies as easily as GET, but as a matter of principle,
you SHOULD ensure that $_GET['d'] has the data you expect.
> include_once('writemenus.php');
>
> if(!isset($_GET['href'])) $include = 'startpage.htm';
This is fine.
> else {
> $include = $_GET['href']; $include = "$include.php";
This is SOOOOOOOOOOOOOOOOOOOOO not fine!!!
You are allowing the Bad Guys to include *ANY* file they want here!
Never ever ever ever use a variable in include() that the user gets to
pick whatever they want.
You need to decide, in advance, which files the user CAN include, like
your 'startpage.htm' and only allow $include to take on those values
you have pre-determined to be valid.
Here's one easy way to do this:
switch($_GET['href']){
  case 'startpage':
  case 'index':
  case 'about':
  case 'contact':
    // Only a name from the list above ever reaches include()
    $include = $_GET['href'] . '.php';
    break;
  default:
    // Use $_SERVER['REMOTE_ADDR'] rather than the register_globals
    // $REMOTE_ADDR, and note the closing quote on the date() format
    error_log("HACK ATTEMPT " . $_SERVER['REMOTE_ADDR'] . ' ' . date('m/d/Y h:i:s a'));
    die("No.");
    break;
}
> if($include=='index.php')$include = 'startpage.htm';
> }
> include_once($include);
> include_once('footer.htm');
> ?>
>
> =============================
> Hackers seem to be able to call a remote script by appending the URL
> to the href= command line ($include).
>
> What buttons do I need to push to stop this? Does PHP have a setting
> to allow only local calls? or do I have to do it in the index.php file
> ? or ??
Required Reading:
http://phpsec.org/
All of it.
The whole damn site.
Now.
Sorry.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
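As an added illustration of the advice in the reply above (this is not the original poster's script nor code from the reply), here is the same dispatch logic rewritten so that neither the `d` cookie value nor the `href` page name is ever used as supplied. Both are looked up in fixed allowlists, the log line reads the client address from `$_SERVER`, and a `realpath()` check confirms the chosen file sits inside the script directory. The page names, file names and display modes in the arrays are placeholders assumed for the example; the syntax assumes PHP 7 or later.

```php
<?php
// Added example, not part of the original thread. Assumes the listed page
// files exist next to this script; keys and file names are placeholders.

// Allowed values for the 'd' display parameter / cookie (assumed set).
const ALLOWED_DISP = ['default', 'compact', 'large'];

// User-facing page names mapped to the files they may load. The user never
// supplies a path, only a key that is looked up here.
const PAGES = [
    'startpage' => 'startpage.htm',
    'index'     => 'startpage.htm',   // 'index' is an alias for the start page
    'about'     => 'about.php',
    'contact'   => 'contact.php',
];

/**
 * Return the display mode if it is on the allowlist, otherwise the default.
 * The raw input is never stored or echoed.
 */
function validated_disp(?string $value, string $default = 'default'): string
{
    if ($value !== null && in_array($value, ALLOWED_DISP, true)) {
        return $value;
    }
    return $default;
}

/**
 * Resolve an 'href' request parameter to an absolute file path, or null when
 * the name is not on the allowlist. A remote URL or "../" sequence simply has
 * no entry in PAGES, so it can never reach include().
 */
function resolve_page(?string $href, string $baseDir): ?string
{
    if ($href === null || $href === '') {
        $href = 'startpage';
    }
    if (!array_key_exists($href, PAGES)) {
        return null;
    }
    $real     = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$href]);
    $realBase = realpath($baseDir);
    // Defence in depth: the resolved file must live inside $baseDir. This
    // guards against a mistaken PAGES entry, not against user input, which
    // was already constrained by the lookup above.
    if ($real === false || $realBase === false
        || strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// ---- request handling ----
if (isset($_GET['d'])) {
    $disp = validated_disp($_GET['d']);
    setcookie('disp', $disp, time() + 60 * 60 * 24 * 60);
    $_COOKIE['disp'] = $disp;
}

include_once 'writemenus.php';

$page = resolve_page($_GET['href'] ?? null, __DIR__);
if ($page === null) {
    // Log the rejected value (truncated) with the client address from
    // $_SERVER, then stop without revealing which names are valid.
    error_log(sprintf(
        'Rejected include request from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        substr((string) ($_GET['href'] ?? ''), 0, 100)
    ));
    http_response_code(404);
    exit('Not found.');
}

include_once $page;
include_once 'footer.htm';
```

Two points worth noting about the design. First, an allowlist lookup is stronger than string filtering: there is no need to enumerate dangerous characters, because any value that is not a key in `PAGES` is rejected, whether it is a remote URL, a traversal sequence, or a null byte. Second, the `php.ini` settings `allow_url_fopen` and (in PHP 5.2 and later) `allow_url_include` can be turned off to stop remote includes at the interpreter level, which answers the original question about "local calls only", but that setting alone does nothing about including arbitrary local files such as `/etc/passwd` or an uploaded image containing PHP, so the allowlist in the script is still required.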