Hello, I have a tagboard in PHP, but it has a bug that may be used for an injection exploit and I need to solve it... The code and the problem are this: the file name is main.php and it allows GET URLs like this: http://site.com/ftag.php?mostrar=site. In mostrar= someone can use c99 shells and hack it. The code is:

```php
if (isset($_GET['mostrar'])) {
    if ($_GET['mostrar'] == "alerta")
        $_GET['mostrar'] = "alerta.php";
    else
        $_GET['mostrar'] = $_GET['mostrar'].".php";
}
else
    $_GET['mostrar'] = "tag.php";
```

And I need it to only allow access to files that exist in the directory and to prevent injections with exploits in main.php. Thanks...

One way of doing it is listing all legit files in an array, and only including the file if the mostrar variable exists in that array, otherwise exit, e.g.:

```php
// Read the requested page name; empty string if the parameter is missing
$mostrar = isset($_GET['mostrar']) ? $_GET['mostrar'] : '';
// Whitelist of files that may be included
$pages = array('file1.php', 'file2.php', 'file3.php');
// Strict comparison so only exact string matches pass
if (in_array($mostrar, $pages, true)) {
    include($mostrar);
} else {
    die("exploit detected!");
}
```

Hope this helps. Alternative ways you can do it are by stripping/cleaning the string so certain characters are removed..

I don't mean to hijack the thread. Using a variant of the code above, would it be possible to limit the files displayed by type of file? As in .jpg?

It's 86 PHP files, and I cannot list them all there, chilli_spurce. I need a better modified script, something that works with file_exists() and avoids naming every file in $pages = array('file1.php', 'file2.php', 'file3.php'); Thanks.

```php
if (isset($_GET['mostrar'])) {
    if ($_GET['mostrar'] == "alerta") {
        $_GET['mostrar'] = "alerta.php";
    } else {
        // ereg() was removed in PHP 7; preg_match() performs the same prefix check
        if (file_exists($_GET['mostrar'].".php") && !preg_match('/^(http|www)/', $_GET['mostrar'])) {
            $_GET['mostrar'] = $_GET['mostrar'].".php";
        } else {
            die('po');
        }
    }
} else {
    $_GET['mostrar'] = "tag.php";
}
```

It's probably safer to have just a list of files; you could load them in using readdir() etc. and check it, but that should stop them including external files (hopefully).

This help doesn't work at all! I need a complete script and a method to only view files that exist in the directory path. The original, buggy code is:

```php
if (isset($_GET['mostrar'])) {
    if ($_GET['mostrar'] == "alerta")
        $_GET['mostrar'] = "alerta.php";
    else
        $_GET['mostrar'] = $_GET['mostrar'].".php";
}
else
    $_GET['mostrar'] = "tag.php";
```

And I just need to avoid the bug of access by mostrar=anyurl and allow only legit files that exist. Another thing: when a person stays at the file, show tag.php when there is no URL parameter in GET ($_GET['mostrar'] = "tag.php"), and when somebody attempts an exploit, a message denying it should appear. I hope for good help.
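
The directory-derived allowlist suggested earlier in the thread (load the file list from disk, then check the request against it), written out as an added example that is not code from any poster. It assumes the includable pages are kept in a `pages/` subdirectory next to main.php, so main.php itself is never a candidate; `PAGES_DIR` and `resolve_page()` are hypothetical names.

```php
<?php
// Added example, not from the thread. Assumption: the includable pages are
// the *.php files sitting directly in PAGES_DIR (hypothetical constant).
define('PAGES_DIR', __DIR__ . '/pages');

/**
 * Map the user-supplied "mostrar" value to a file inside $dir, or return
 * null if the request must be refused.
 */
function resolve_page($requested, $dir, $default = 'tag')
{
    // No parameter: fall back to the default page, as the original script does.
    if ($requested === null || $requested === '') {
        $requested = $default;
    }
    // Arrays (?mostrar[]=x) and anything but a plain name are rejected early.
    // This alone blocks "/", "..", ":", NUL bytes and URL wrappers.
    if (!is_string($requested) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // Build the allowlist from what is really on disk, so 86 files need no
    // hand-written array. Keys are page names, values are their paths.
    $allowed = array();
    foreach (glob($dir . '/*.php') ?: array() as $path) {
        $allowed[basename($path, '.php')] = $path;
    }
    if (!isset($allowed[$requested])) {
        return null;
    }
    // Defence in depth: the resolved path must still live inside $dir
    // (guards against symlinks pointing elsewhere).
    $real = realpath($allowed[$requested]);
    $base = realpath($dir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = resolve_page(isset($_GET['mostrar']) ? $_GET['mostrar'] : null, PAGES_DIR);
if ($page === null) {
    http_response_code(400);
    die('Access denied.');
}
include $page;
```

The value passed to `include` is always a path produced by `glob()` on the server, never the request string itself, so a file that is not already in the directory cannot be reached through `mostrar`.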