Preserved Topic: Security Issue with Echo (Page 1 of 1)

I have a bit of a security hole in one of the sites I am working with, and seem to be lacking in how to solve this problem.

I have groups of files.

-Pages
-Templates
-Content

The 'Pages' files pull in both the templates and the content as follows

<? $title = "[page title]" ?>



<? include($DOCUMENT_ROOT . "/[header file]"); ?>



<? include($DOCUMENT_ROOT . "/[content file]"); ?>



<? include($DOCUMENT_ROOT . "[footer file]"); ?>

The problem then lies in my header file where I echo the title of the page in both the <title> </title> area and in between <h1> and </h1> tags. Similar to

<html>

<head>

<title><? echo "$title"; ?></title>

</head>

<body>

<h1><? echo "$title"; ?></h1>

</body>

</html>

I am sure you can now see why an security hole would be there.

Someone could call the header file with. http://mydomain.com/templates/header.php?title="[wonderful erase files on server code]"

I am not sure of the best way to make sure this will not happen.

I know that it is only being called within an echo, but the user can still get or work with more information that I would like them to be able to.

Am I worrying too much? Or no? What could I do to help prevent any befuddlment via the query string?

The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

Use mod_rewrite to block direct access to template files...

.htaccess

RewriteEngine On
RewriteRule ^(main

Max that didn't quite work...

I would end up getting an internal server error on all pages. Seeing that it is a PHP page that gets requestion.

index.php for example.

Could you kindly explain the code you gave me?

Ini, that would be pretty tricky to do. Mainly because I don't keep as up to date as I should...

http://httpd.apache.org/docs/mod/mod_rewrite.html

Found the link to mod_rewrite...

Will take some time to learn how to use it I am sure.

Thanks for the heads up Max!

That code works fine for me. Take a look at your error log to see what's wrong.

BTW Did you modify regex pattern to match your include files correctly?

Ok, I think I got it. I have to do the files in the specific directories that I want access restricted to. Works ok then.

It does however throw and Error 500 instead of a 403

If it throws error 500, then it still doesn't work correctly. Did you put the code that I've posted in .htaccess file that is located in the same folder as your include files?

Since you are pulling in the files via PHP you could also drop the included files outside of your document root directory.

ie.

/var/www/htdocs
/var/www/includedstuff

Then access the files from the file system root

<? include('/var/www/includedstuff/header.php'); ?>

I put all my included and required stuff outside of my htdocs directory for this reason




:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

[This message has been edited by bitdamaged (edited 08-15-2001).]

Yes, I put them in those folders. It throws an error 500 now when I try to access those files.
www.rochesterrenters.com
www.rochesterrenters.com/templates/header.inc

Does your web server have mod_rewrite module installed?

Also, it would be good if you can post your .htaccess file...

RewriteEngine On
RewriteRule ^(main

Wouldn't bitdamaged's solution solve your problem with less hassle?

-jiblet

You have to modify regex pattern to match your include files. I posted my code that matches *my* include files (i.e. main.inc.php, features.inc.php, download.inc.php) as example...

For example, this will block only header.inc:

RewriteEngine On
RewriteRule ^header\.inc$ - [F]

ooh I'm playing with PHP-Nuke and found this little bit that seems relevant

if (eregi("header.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}

Looks if header.php is in the URL and then redirects if so. Since header is always included in other pages it shouldn't be in the URL. (I've never used eregi but it's a case insensative regexp simple if you just need a set word)




:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

[This message has been edited by bitdamaged (edited 08-21-2001).]

At first, I've used similar code to block direct acces to my librariers, but since I ended up with a lot of small libraries, I decided to go with mod_rewrite in order to save a few CPU cycles. Anyway, my code was:

// prevents direct access to the library
if (basename($PHP_SELF) == basename(__FILE__)) {
    header("Location: /");
    exit();
}




[This message has been edited by mr.maX (edited 08-21-2001).]