views: 150
answers: 4
Hey guys, I'm doing a simple thingy in PHP and I wonder how I can test if the variable $path contains the following structure: ../

So I'll simply have a ?path=somepath structure in my URL, and if anybody enters ../ it allows him to go one directory up. I know of course that that's not the best solution, however for my little thingy it's enough if I just test the $path variable for a string of "../" in it. If so, die();

I'm not sure what's the best way to test that!

Regards, Matt

+11  A: 

Instead of doing that, you could just call realpath() on it and check if the path it's supposed to be in is a prefix of that.

Even better, why not keep a whitelist and reject anything not in it?

Daniel Egeberg
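The realpath()-and-prefix check from this answer, written out as an added example (this is not code from the original answer). It assumes a constructed base directory created in the system temp folder and treats the page name as untrusted input; the two things the substring checks discussed further down miss (encoded or platform-specific separators, and a sibling directory that shares the base's name as a prefix) are handled by resolving the path first and comparing against the base plus a trailing separator.

```php
<?php
// Added example: resolve a user-supplied page name under a base directory and
// accept it only if the canonical result stays inside that base.
function resolve_within_base(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // base directory itself does not exist
    }
    // realpath() refuses NUL bytes (ValueError in PHP 8); reject them explicitly.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false for a
    // nonexistent file, which we also treat as a rejection.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Compare against the base WITH a trailing separator, otherwise
    // /var/www/pages-private would pass a check for /var/www/pages.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo directory with one legitimate page in it.
$base = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . '/about.php', "<?php echo 'about';");

// Constructed inputs: one valid page, three traversal/absolute attempts, one missing page.
$inputs = ['about.php', '../../etc/passwd', '..\\..\\etc\\passwd', '/etc/passwd', 'missing.php'];
foreach ($inputs as $in) {
    $resolved = resolve_within_base($base, $in);
    printf("%-22s => %s\n", $in, $resolved === null ? 'rejected' : 'ok: ' . $resolved);
}

// Clean up the constructed directory.
unlink($base . '/about.php');
rmdir($base);
```

Only about.php is accepted; everything else comes back as rejected, either because realpath() resolved it outside the base or because the file does not exist. Note that realpath() needs every path component to exist, so an input like sub/../about.php is rejected when sub is missing, which is the safe direction to fail in.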
A: 

To answer your question:

if(strpos($path,'../') !== false){
  die("dear hacker,

       plz leave me alone - i don't
       wanna play with you...

       greetings,
       [enter your name here]");
}else{
  // here comes the magic

}

But: you really shouldn't do so. If you want an easy solution, use a switch statement for every possible $path and include the relevant file (or whatever you have to do).

oezi
Any reason for language ?
RobertPitt
@RobertPitt: I don't want to offend somebody - I hope it's better now ;)
oezi
Replace down vote with +, it's not offending to myself but others will find it unneeded for that post :), happy days
RobertPitt
Thank you. How could I test if the $path just starts with a slash? Like ?path=/anything. Actually in this case I wanna call a die(); however if ?path=anything/anything it should work.
egads.. I am imagining a switch statement for every path on most CMS systems.. how nightmarish... `RewriteMap` is waaaay easier.
Talvi Watia
I'm doing it like this now: if (substr($path, 0, 1) == "/" || substr($path, 0, 1) == "" || substr($path, 0, 2) == "./" || substr($path, 0, 3) == "../") { ...maybe there is an easier way, but it works.
Talking to a "hacker" is the stupidest thing a developer can do, no matter the language.
Col. Shrapnel
A: 

It's an alternative solution that allows you to customize the URL....

<?php
// Whitelist: the only path names accepted, mapped to the file each one includes.
$arr = array(
  "register" => "register.php",
  "login"    => "userlogin.php",
  "admin"    => "adminlogin.php",
  "etc"      => "otherpage.php",
);
// is_string() guards against ?path[]=... (an array key would be a TypeError).
if ( isset( $_GET['path'] ) && is_string( $_GET['path'] ) ) {
    if ( array_key_exists( $_GET['path'], $arr ) ) {
        //do some stuff...
        include( $arr[$_GET['path']] );
    }
    else {
        echo 'Page Not Found!';
    }
}
else {
    echo 'Required Field Empty!';
}
?>

So when calling index.php?path=admin, the page adminlogin.php will be included....

Marcx
RobertPitt
Not really.. because (if PHP is configured fine) `index.php?arr[ihack]=....` could be accessible by PHP only from `$_GET['arr']`... and `$arr` in the PHP script wouldn't be replaced....
Marcx
But even worse is SQL injection: `index.php?arr=?>DROP TABLE"` !!!
Talvi Watia
That's going to be a terrible mess to maintain, such a list.
Col. Shrapnel
Sorry, but tell me how SQL hit the nail on the head... I really don't understand....
Marcx
Relax, it was just an ignorant comment.
Col. Shrapnel
@marcx yes, it is possible to lose your database through `$_GET` see http://unixwiz.net/techtips/sql-injection.html
Talvi Watia
@Talvi I never said that you can't lose the db through $_GET. 1) SQL doesn't belong to the arguments of this discussion. 2) If SQL was part of this discussion you'd simply use `mysql_real_escape_string` to sanitize the input and all the problems disappear :D
Marcx
@marcx true - I was simply trying to point out other dangers of unsanitized input. My comment can be disregarded.
Talvi Watia
A: 

One of the easier ways is to harden your php.ini config, specifically the open_basedir directive. Keep in mind, some CMS systems do actually use ..\ quite a bit in the code, and when there are includes outside the root folder this can create problems (i.e. PEAR modules).

Another method is to use mod_rewrite.

Unless you are using an include file to check each and every URL for injection from the $_GET and $_SERVER['request_uri'] variables, you will open doors for this kind of attack. For example, you might protect index.php but not submit.php. This is why hardening php.ini and .htaccess is the preferred method.

Talvi Watia
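To make the open_basedir point from this answer concrete, here is an added demonstration (not part of the answer) that tightens the directive at runtime with ini_set() and then tries to read one file inside and two files outside the permitted directory. It assumes a constructed jail directory under the system temp folder; in a real deployment the directive goes in php.ini (e.g. `open_basedir = /var/www/html:/tmp`) or per-vhost config, and ini_set() can only narrow it further, never widen it, which is why the runtime form works for a demo.

```php
<?php
// Added example: what open_basedir does to file access once it is set.
// Constructed jail directory with a single readable file.
$jail = sys_get_temp_dir() . '/jail_' . bin2hex(random_bytes(4));
mkdir($jail);
file_put_contents($jail . '/inside.txt', 'inside');

// From here on every file operation in this script must resolve under $jail.
// PHP canonicalises the path (including "..") before the check, so the
// traversal attempt below is blocked even though it starts inside the jail.
if (ini_set('open_basedir', $jail) === false) {
    fwrite(STDERR, "could not set open_basedir\n");
    exit(1);
}

function try_read(string $file): string
{
    // "@" only silences the open_basedir warning for a tidy demo; in real code
    // let it be logged, since every such warning is an access attempt worth seeing.
    $data = @file_get_contents($file);
    return $data === false
        ? "blocked: $file"
        : "read:    $file (" . strlen($data) . " bytes)";
}

echo try_read($jail . '/inside.txt'), "\n";          // read
echo try_read($jail . '/../../etc/hostname'), "\n";  // blocked by open_basedir
echo try_read('/etc/hostname'), "\n";                // blocked by open_basedir

// Cleanup is still allowed because both paths are inside the jail.
unlink($jail . '/inside.txt');
rmdir($jail);
```

The first read succeeds; the other two fail regardless of whether /etc/hostname exists, because the open_basedir check runs before the file is opened. This is also the caveat the answer raises: any include or require that legitimately reaches outside the listed directories (PEAR modules, shared libraries) fails the same way, so those locations have to be added to the directive's colon-separated list.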
mod_rewrite can help nothing
Col. Shrapnel
@Col you can't be serious..
Talvi Watia
There is no difference between `index.php?arr=?>DROP TABLE` and `/item/DROP TABLE/`. Go figure.
Col. Shrapnel