Preserved Topic: Security Issue with Echo

 
WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 08-15-2001 16:34

I have a bit of a security hole in one of the sites I am working with, and seem to be lacking in how to solve this problem.

I have groups of files.

-Pages
-Templates
-Content

The 'Pages' files pull in both the templates and the content as follows

code:
<? $title = "[page title]" ?>

<? include($DOCUMENT_ROOT . "/[header file]"); ?>

<? include($DOCUMENT_ROOT . "/[content file]"); ?>

<? include($DOCUMENT_ROOT . "/[footer file]"); ?>



The problem then lies in my header file where I echo the title of the page in both the <title> </title> area and in between <h1> and </h1> tags. Similar to

code:
<html>
<head>
<title><? echo "$title"; ?></title>
</head>
<body>
<h1><? echo "$title"; ?></h1>
</body>
</html>



I am sure you can now see why a security hole would be there.

Someone could call the header file with http://mydomain.com/templates/header.php?title="[wonderful erase files on server code]"

I am not sure of the best way to make sure this will not happen.

I know that it is only being called within an echo, but the user can still get or work with more information than I would like them to be able to.

Am I worrying too much? Or no? What could I do to help prevent any befuddlement via the query string?

InI
Paranoid (IV) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted 08-15-2001 17:07

The poster has demanded we remove all his contributions, lest he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-15-2001 17:16

Use mod_rewrite to block direct access to template files...

.htaccess

RewriteEngine On
RewriteRule ^(main

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 08-15-2001 18:03

Max that didn't quite work...

I would end up getting an internal server error on all pages. Seeing that it is a PHP page that gets requested.

index.php for example.

Could you kindly explain the code you gave me?

Ini, that would be pretty tricky to do. Mainly because I don't keep as up to date as I should...

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 08-15-2001 18:13

http://httpd.apache.org/docs/mod/mod_rewrite.html

Found the link to mod_rewrite...

Will take some time to learn how to use it I am sure.

Thanks for the heads up Max!

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-15-2001 19:13

That code works fine for me. Take a look at your error log to see what's wrong.

BTW Did you modify regex pattern to match your include files correctly?

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 08-15-2001 19:13

Ok, I think I got it. I have to do the files in the specific directories that I want access restricted to. Works ok then.

It does however throw an Error 500 instead of a 403

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-15-2001 19:27

If it throws error 500, then it still doesn't work correctly. Did you put the code that I've posted in .htaccess file that is located in the same folder as your include files?

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 08-15-2001 19:40

Since you are pulling in the files via PHP you could also drop the included files outside of your document root directory.

ie.

/var/www/htdocs
/var/www/includedstuff

Then access the files from the file system root

<? include('/var/www/includedstuff/header.php'); ?>

I put all my included and required stuff outside of my htdocs directory for this reason




:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

[This message has been edited by bitdamaged (edited 08-15-2001).]

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 08-15-2001 22:11

Yes, I put them in those folders. It throws an error 500 now when I try to access those files.
www.rochesterrenters.com
www.rochesterrenters.com/templates/header.inc

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-15-2001 22:23

Does your web server have mod_rewrite module installed?

Also, it would be good if you can post your .htaccess file...

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 08-15-2001 22:56

RewriteEngine On
RewriteRule ^(main

jiblet
Paranoid (IV) Inmate

From: Minneapolis, MN, USA
Insane since: May 2000

posted 08-15-2001 23:11

Wouldn't bitdamaged's solution solve your problem with less hassle?

-jiblet

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-15-2001 23:36

You have to modify regex pattern to match your include files. I posted my code that matches *my* include files (i.e. main.inc.php, features.inc.php, download.inc.php) as example...

For example, this will block only header.inc:

RewriteEngine On
RewriteRule ^header\.inc$ - [F]

bitdamaged
Maniac (V) Mad Scientist

From: 100101010011 <-- right about here
Insane since: Mar 2000

posted 08-21-2001 07:33

ooh I'm playing with PHP-Nuke and found this little bit that seems relevant

if (eregi("header.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}

Looks if header.php is in the URL and then redirects if so. Since header is always included in other pages it shouldn't be in the URL. (I've never used eregi but it's a case insensitive regexp, simple if you just need a set word)




:[ Computers let you make more mistakes faster than any other invention in human history, with the possible exceptions of handguns and tequila. ]:

[This message has been edited by bitdamaged (edited 08-21-2001).]

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 08-21-2001 09:29

At first, I've used similar code to block direct access to my libraries, but since I ended up with a lot of small libraries, I decided to go with mod_rewrite in order to save a few CPU cycles. Anyway, my code was:

// prevents direct access to the library
if (basename($PHP_SELF) == basename(__FILE__)) {
    header("Location: /");
    exit();
}




[This message has been edited by mr.maX (edited 08-21-2001).]
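
Added example, not part of the original thread and not any poster's code: a header template that combines the direct-access guard discussed above with output escaping, since echo only writes the value into the HTML and the exposure is injected markup rather than server-side code execution. It assumes modern PHP (no register_globals, so $title is set only by the including page); the helper names requested_directly() and h() are hypothetical.

```php
<?php
// header.php (hypothetical file name, matching the thread's template)

// True when this file is the script the web server was asked to run,
// i.e. it was requested by URL instead of being include()d by a page.
function requested_directly(string $file): bool
{
    $entry = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');
    return $entry !== false && $entry === realpath($file);
}

// Escape a value for an HTML text or attribute context.
function h(?string $s): string
{
    return htmlspecialchars($s ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Guard: answer a direct request with 403 and stop before any output.
if (requested_directly(__FILE__)) {
    http_response_code(403);
    exit('Forbidden');
}

// $title must come from the including page; anything else falls back
// to a fixed default instead of being echoed.
$safeTitle = h(isset($title) && is_string($title) ? $title : 'Untitled');
?>
<html>
<head>
<title><?= $safeTitle ?></title>
</head>
<body>
<h1><?= $safeTitle ?></h1>
<?php // The footer file is expected to close <body> and <html>. ?>
```

Escaping at the point of output keeps the template safe even if a page later builds $title from user-supplied data, and the guard still applies if the mod_rewrite rule is missing on a given server.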
