[How-To] PHP Security

Inquisitor · 22 Feb 2005 at 00:59

Doesn't matter now anyway

I've built a password reset script so that users can get their passwords reset to a random combination of letters and numbers then emailed to them

robmiller · 22 Feb 2005 at 13:31

kiwi said:
could they not write their own encyption? for example a simple ROT-13 would leave the password unreadable if database access was gained. obviously, they would use a cyper that's a little harder to break

If they used base64 it'd be even more unreadable, but just as easy to "crack".

Craig321 · 26 Feb 2005 at 22:25

Hi

I use a script for my pages on my site
Basically if a user was to click a link for e.g. page 3 then he/she would be taken to index.php?page=3
Now, I read the guide and it said that this is unsafe.
But thats not the case with mine... unless i'm wrong.
At the end I tried putting index.php?page=http://www.xoopiter.com/forums/index
I didn't put the extension on because the script adds it automatically.
Now when I run that it just gives a PHP error and doesn't do anything.

So this script is safe if you are a person that wants to use this nice little script.
Here's the code:

Code:

<? if($page) { include("pages/$page.php"); } else { include("pages/pagenumber.php"); } ?>

So here's how you use it:

You put the code in your index file ON ITS OWN.
Then when you load the page then it will look in the file pages/pagenumber.php and display it on the index page, so you set the bit pages/pagenumber.php to point to where your index file is.

e.g.

files/index.php

Now that you have done that your index page will display on the page with that coding in it.
Now you see the directory/$page.php bit - that tells it where to be looking for the file you specify.
So this would basically read from /directory and then display the page:

e.g.
index.php?page=news

That URL would then display the file news.php from /directory.

Okay, now to change the 'page' bit you have to change these:

Code:

<? if($file) { include("directory/$file.php"); } else { include("pages/pagenumber.php"); } ?>

See how I have changed the $page at the start and the $page.php in the middle.

Now the code just above would allow you to access the file directory/filefile.php by typing in index.php?file=filefile

_________________________________________________________

So basically, based on the first code i provided, you would just need to change the $page bit and the $page.php bit to have something else other than index.php?page=
The { include("pages/$page.php"); } bit just tells the php code where to look for the file you type in after the equals
for example:
index.php?page=file1
That would load file1.php from the 'pages' directory.

I hope you can understand what to do for this script.
If you need any further help then please contact me through one of these:

MSN: [email protected] (signed in 24/7 unless im in game)
Yahoo: nykampcw (signed in most of the time)
Email: [email protected] (checked daily)

Cheers

Craig.

Ben · 26 Feb 2005 at 23:02

Craig,

try ?page=../index

should keep the server busy for a while

also using register_globals... tut tut!

robmiller · 27 Feb 2005 at 00:07

If people insist on using the oh-so inferior ?page=* method, then here's a script that isn't like a colander.

Code:

<?php

// Name your content files with this extension,
// and pass the page without the extension
// Example: content in page1.inc.php, url will be
// thisfile.php?page=page1
$extension = '.inc.php';

// Strip HTML
$page = strip_tags($_GET['page']);
// Strip double full stops to stop people navigating outside the current directory
$page = str_replace('..', '', $page);
// Strip any characters that aren't word characters, -, _ or . for a number of reasons
$page = preg_replace('|[^\w-_\.]|', '', $page);

if(file_exists(dirname(__FILE__).'/'.$page.$extension)) {
	
	include $page.$extension;
	
} else {
	
	include 'default'.$extension;
	
}

?>

zetec452 · 27 Feb 2005 at 00:29

Some superb info on this baby. Cheers guys and thanks to Mr Miller for kicking it all off.

Ben · 27 Feb 2005 at 01:18

robmiller said:
If people insist on using the oh-so inferior ?page=* method, then here's a script that isn't like a colander.

Code:

snip

I quite agree, I'd stretch as far as using ForceType, to make neat search engine friendly URLs (plus slightly disguising PHP being the force behind the pages). But for anything else seperate php files which keep to a specific function.

Craig321 · 27 Feb 2005 at 01:26

Ben said:
Craig,

try ?page=../index

should keep the server busy for a while

also using register_globals... tut tut!

What's that ment to do

?
Does nothing

Craig321 · 27 Feb 2005 at 01:27

robmiller:
That doesn't do a includes thing to show a page on the index file itself does it?
Anyways, that script I gave doesn't allow people to navigate outside the directory

Ben · 27 Feb 2005 at 02:18

Craig321 said:
What's that ment to do ?
Does nothing

Recursively includes itself. The script you posted is vunerable to it. Maybe not on your server but it will most likely be anywhere else.

But shall we have some fun with your PHP on planet uploads?

So here we go:

http://www.planetuploads.com/index.php?page=blah

Nice errors, so we know where "pages" are kept.
Lets go directly to one of the pages

http://www.planetuploads.com/pages/1.php

I could use the errors on the page to see what other information I can find from the other included files... But wait I don't need to, the script is stuck in a loop saying:

Warning: feof(): supplied argument is not a valid stream resource in /home/nykampm/public_html/cnupload/pages/1.php on line 44

Warning: fgets(): supplied argument is not a valid stream resource in /home/nykampm/public_html/cnupload/pages/1.php on line 45

over and over.

Kinda underlines why using a ?page=x thing is a bad idea.

robmiller · 27 Feb 2005 at 02:30

Craig321 said:
robmiller:
That doesn't do a includes thing to show a page on the index file itself does it?
Anyways, that script I gave doesn't allow people to navigate outside the directory

Yes, yes it does.

Your script doesn't have any error checking, relies on register_globals being on and does allow people to go out of the directory. Accessing "/etc/../usr/bin" is just the same as accessing "/usr/bin".

Inquisitor · 27 Feb 2005 at 02:32

Seeing as I'm not exactly an expert, how's this for security?

Code:

<?php
/************************* INCLUDE PAGE ***********************/

	$pages = array (
		"home" => "home.php",
		"news" => "news.php",
		"news_archive" => "news_archive.php",
		"gallery" => "gallery.php",
		"movie" => "movie.php",
		"downloads" => "downloads.php",
		"team" => "team.php",
		"stats" => "stats.php",
		"contact" => "contact.php",
		"movie" => "movie.php",
		"admin" => "admin_login.php",
		"mail_confirm" => "mail_confirm.php",
		"mail_result" => "mail_result.php",
	);
	
	$path = strip_tags ($_GET['path']);
	$page = strip_tags ($_GET['page']);
	$include = "pages/";
				
	if (!$page) {
		$include .= "news.php";
		$self = $_SERVER['PHP_SELF']."?page=news";
	}
	elseif (array_key_exists ($page, $pages) AND !file_exists ($include.$pages[$page])) {
		$include .= "construction.php";
		$self = $_SERVER['PHP_SELF']."?page=".$page;
	}
	elseif (!array_key_exists ($page, $pages)) {
		$include .= "not_found.php";
		$self = $_SERVER['PHP_SELF']."?page=".$page;
	}
	else {
		$include .= $pages[$page];
		$self = $_SERVER['PHP_SELF']."?page=".$page;
	}
	
	if (file_exists ($include)) {
		include ($include);
	}

?>

robmiller · 27 Feb 2005 at 02:34

Looks ok, but you don't need to define $self, seen as what you're defining it to will just be the same as $_SERVER['REQUEST_URI'] anyway

Inquisitor · 27 Feb 2005 at 02:40

Oops, didn't know that

Craig321 · 27 Feb 2005 at 02:41

robmiller said:
Looks ok, but you don't need to define $self, seen as what you're defining it to will just be the same as $_SERVER['REQUEST_URI'] anyway

So is it unsafe????
Or weren't you on abut the script I have?

robmiller · 27 Feb 2005 at 02:46

I was on about Inquisitor's. I was on about yours in the message in which I quoted you.

Craig321 · 27 Feb 2005 at 03:10

Rob, please can you email me an example of how they could get out of the directory
Not here cause someone might wanna use it

Thanks.
(Email in trust)

Shoseki · 27 Feb 2005 at 03:11

Is phpInfo(); dangerous?

robmiller · 27 Feb 2005 at 03:15

clogiccraigm said:
Is phpInfo(); dangerous?

It's not dangerous per se, but it's a good idea to keep info pages hidden, just in case they reveal server versions and whatnot which could be clues as to what the server is vulnerable to etc

robmiller · 27 Feb 2005 at 03:18

Craig321 said:
Rob, please can you email me an example of how they could get out of the directory
Not here cause someone might wanna use it
Thanks.
(Email in trust)

index.php?page=../../../../etc/passwd

Would display all your server's usernames and information, for example (if you're on Linux, that is). If you're on Windows, I'm sure you could do some other crazy things.

You're also vulnerable to, like Ben said, the infinite including of itself by passing it a relative path of itself - if "pages" is a subdirectory of the directory index.php is in, then you just need to go to index.php?page=../index.