Re: Remote File Variable Injection Safety?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2009/1/7 Daniel Kolbo <kolb0057@xxxxxxx>:
> suppose there is a file at http://otherhost.com/remote.php that looks like
> this:
>
> <?php
> if (!isset($safe_flag))
> {
>   die("hacking attempt");
> }
> echo "You are in";
> ?>
>
> Suppose i executed the following php file at http://myhost.com/local.php
>
> <?php
> require_once("http://otherhost.com/remote.php";);
> ?>
>
> Is there any way to get local.php to display "You are in", by only modifying
> local.php?  That is, is there a way to set $safe_flag on the remote host as
> one requests a file from the remote host from within local.php?
>
> I have genuine, academic, non-belligerent intentions when asking this
> question.

Doing this is evil and should be avoided if at all possible. However,
assuming you really need to do it this way...

The best way to validate inclusion is to check the value of
$_SERVER['REMOTE_ADDR'] in the remote script and only allow known IPs.
This is not foolproof but will kill off casual attempts to get the
code.

Alternatively if you change the test for $safe_flag to
$_GET['safe_flag'] and add ?safe_flag=1 to the end of the URL in the
require call that should also work, but is easily copied. You could
randomise "safe_flag" and the value to make it more difficult, but
checking the IP is far better IMHO.

-Stuart

-- 
http://stut.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux