tags:

views:

40

answers:

2

I've found out the hard way that my website can be hacked by passing a query string parameter that has many ../s to access files outside of the website directory, and then hack the website.

Is there a way, perhaps through the php.ini, to not allow file includes outside of a certain root directory?

To make things worse, most of what is running on the server is not my code. The website runs on the CMS Joomla! and the exploit was done through a purchased plugin.

I cannot change the scripts, if it has to come to that, I'll just uninstall the affected plugins.

A: 

I think chmod("yourfilelocation",0700) will deny access to the files you dont want to be accesed

Starx
A: 

Yes, PHP has a configuration parameter called open_basedir exactly for that purpose.
(don't forget to add to it at least session_save_path directory)

But! You have to check every passed parameter anyway!

if it's supposed to be just a filename, truncate it using basename() function. if it's supposed to be a directory, you can check it with such a code

$basedir = "/your/app/path/";
$realdir = realpath($basedir.$filename); //$filename is the parameter we checking

if (substr($realdir,0,strlen($basedir)) !== $basedir) {
  header ("HTTP/1.0 403 Forbidden"); 
  exit; 
}
Col. Shrapnel