redroy
Paranoid (IV) Inmate. From: 1393. Insane since: Dec 2003
posted 04-13-2006 22:36
If I include a file for a client via server path is that a security hole?
i.e.:
code:
<?php include("/home/myusername/path/back/to/shared/functions.php"); ?>
CPrompt
Maniac (V) Inmate. From: there...no..there..... Insane since: May 2001
posted 04-13-2006 23:53
As far as I know, as long as that path is outside of the web root, that is the way to go.
I have a folder outside of the webroot called "includes", in this folder there are php files that handle connectivity to MySQL servers. Since there is login info in these files, I keep them outside of the web root and then use a php include like you do above to access them.
Or, you might be able to use something like:
code:
<?php include("../../../../file.php"); ?>
Later,
C:\
(Edited by CPrompt on 04-13-2006 23:55)
DmS
Maniac (V) Inmate. From: Sthlm, Sweden. Insane since: Oct 2000
posted 04-14-2006 10:11
quote:
Or, you might be able to use something like:
code:
<?php include("../../../../file.php"); ?>
Please, please, please do not ever allow someone to pass something like that to an include!
One of the worst things you can do with includes is:
code:
<?php include ($page); ?>
Do that in combination with register_globals On on the server and all the visitor needs to do is:
http://www.someserver.com/?page=/path/to/system/passwords and the server gladly includes and shows the file...
You can get the same effect if you allow someone to pass ../ into an include, or if you use eval() on variables; in the worst case you can allow people to run exec() directly in the shell...
To answer your question then, if you have register_globals Off and use full paths in your includes, that example should be safe as far as I know. Very inflexible though if you don't use $_SERVER variables to build the path; then, again, with register_globals On people can override those values and pass their own into the system...
Get to know your server setup and research exactly what a possible intruder can do on that setup.
You will be scared... I know I was when I saw examples actually performed on a site. There are loopholes practically everywhere and register_globals in combination with eval/include is one large enough for a Boeing 747 to fly through...
-{"Theories without facts are just religions...?}-
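The pattern DmS warns about, written out as an added example (this is not code from the thread or from any poster in it): the register_globals-era include($page), kept as a comment, beside a hardened version that never lets the visitor's input become a path component. The page names, the /home/myusername/includes/pages directory and the ?page= parameter are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Shows the dangerous include DmS
// describes and an allow-list replacement. Paths and page names are assumed.

// --- Vulnerable form (do not use) ------------------------------------------
// With register_globals=On, a request for ?page=/etc/passwd sets $page;
// with it Off the same bug appears as soon as someone writes
// $page = $_GET['page'].
//
//   include($page);
//
// Prefixing a directory does not help either: ?page=../../../../etc/passwd
// still traverses out of it.
//
//   include('pages/' . $page . '.php');

// --- Hardened form ---------------------------------------------------------
// Map the requested name to a file through a fixed allow-list. Nothing the
// visitor sends is ever concatenated into the path.
$pages = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

// ?page[]=x would make $_GET['page'] an array, so insist on a string.
$requested = 'home';
if (isset($_GET['page']) && is_string($_GET['page'])) {
    $requested = $_GET['page'];
}

if (!array_key_exists($requested, $pages)) {
    header('HTTP/1.0 404 Not Found');
    exit('Unknown page');
}

// Assumed layout: the page fragments live outside the web root, so they can
// only be reached through this script and never requested directly.
$pageDir = '/home/myusername/includes/pages';
include $pageDir . '/' . $pages[$requested];
```

The key property is that the only value derived from the request is an array key; the file name that reaches include comes from the allow-list, so neither register_globals nor ../ sequences change which file is opened.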
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-14-2006 22:41
So what would the syntax be to use $_SERVER variables to locate an include directory above the web root?
$_SERVER["DOCUMENT_ROOT"] and $_ENV["DOCUMENT_ROOT"] both point to the public root. How do you navigate up the file system from there in a less inflexible way?
bitdamaged
Maniac (V) Mad Scientist. From: 100101010011 <-- right about here. Insane since: Mar 2000
posted 04-15-2006 00:50
I think this is a bit confusing.
DmS means using a variable with the ../ syntax; Steve is talking about a hardcoded string, which is fine.
Most hosted environments will have basedir restrictions in effect, which means that things like DmS's hole will be blocked at a certain level.
That being said, if I'm doing something where I think someone may be able to inject something into an include path, then you can also set the basedir yourself for safety's sake.
ini_set('open_basedir', '/path/to/script');
In response to the original question, the answer is no, this isn't a security risk and is in fact the design. However, if you are hardcoding server-specific paths you may want to look at the implementation a bit, because this generally is a bad habit: the code won't port to another machine easily. So instead try to use either
1. Relative paths
2. Setting all hardcoded file paths in a single config file.
.:[ Never resist a perfect moment ]:.
redroy
Paranoid (IV) Inmate. From: 1393. Insane since: Dec 2003
posted 04-15-2006 02:38
Excellent thanks! I was worried that if someone with "hacker skills" knew the file path they could do some damage. I really appreciate the feedback. Peace.
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-15-2006 05:12
quote: Steve is talking about a hardcoded string which is fine
I was? I didn't mean to. I thought both "../../../../file.php" and "/home/myusername/path/back/to/shared/functions.php" were pretty hard-coded and server-specific. My sense of what DmS was referring to was some way of setting a more flexible, server-independent path using a $_SERVER variable. I was hoping someone would spell out for me how to address a file in a directory that is "above" the web root directory based around a more flexible $_SERVER variable notation.
Maybe I'm not asking the right question because I don't know the right question to ask.
"_SERVER["DOCUMENT_ROOT"]" gets me to my public html directory. If I were to wish to put an "includes" directory a level above that, how do I address a file in that directory in a flexible, portable way? So far something along the lines of "/home/myusername/path/back/..." is the best I've been able to come up with, but that doesn't use a $_SERVER variable and if I read DmS's post right there might be a better way to do this.
I've read bunches of tutorials and such that recommend putting includes with sensitive content out of the web root, but none that explicitly describe how to address a file in that directory in a flexible way! The "../../../../file.php" approach depends on the location in the file hierarchy the script that is calling the include is located. It doesn't seem like "/home/myusername/includes/doc.php" is the best (meaning most flexible) way, because I have one site on a server that uses /home2 instead of /home!
H][RO
Bipolar (III) Inmate. From: Australia. Insane since: Oct 2002
posted 04-16-2006 03:03
I'm pretty sure that to get a location for a path that is always below your webroot, called 'includes' for example,
you need to do:
code:
require_once($_SERVER['DOCUMENT_ROOT'] . '../includes');
This should work from any directory.
Test it out though, I'm not sure if the php configuration can change this. I normally just check all of the $_SERVER values to see what's going on; do this from a few directories so you can confirm it is what you want:
code:
<?php
foreach($_SERVER as $key => $value)
{
print $key . ' - '. $value .' <br />';
}
?>
From this you will see which one gives you the base directory; make sure it stays the same when you place this file in subdirectories. Remember some of them will give you the relative server path to the current script, meaning it will change with each directory.
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-16-2006 13:32
Thanks. I'll try that. Could explain why '../includes/'.$_SERVER['DOCUMENT_ROOT'] never worked for me!
redroy
Paranoid (IV) Inmate. From: 1393. Insane since: Dec 2003
posted 04-16-2006 15:58
Probably should mention the include_path too... this was my first choice but I couldn't really use in my specific situation.
edit: link update
(Edited by redroy on 04-16-2006 15:59)
H][RO
Bipolar (III) Inmate. From: Australia. Insane since: Oct 2002
posted 04-16-2006 18:03
quote:
Steve said:
Thanks. I'll try that. Could explain why '../includes/'.$_SERVER['DOCUMENT_ROOT'] never worked for me!
You are implying that the includes directory is below the document root directory if you write it this way. So you are trying to point to
../includes/home/myusername/path/back/to/shared etc
but you need to point to
includes/home/myusername/path/back/to/shared/../includes (which = includes/home/myusername/path/back/to/includes/)
something like that
kuckus
Paranoid (IV) Mad Librarian. From: Glieberlermany. Insane since: Dec 2001
posted 04-16-2006 20:20
quote: H][RO said:
but you need to point to
includes/home/myusername/path/back/to/shared/../includes (which = includes/home/myusername/path/back/to/includes/)
something like that
I think this should be
"/home/myusername/path/back/to/shared/../includes"
- without "includes" as the root dir which contains the homes... right?
(Edited by kuckus on 04-16-2006 20:22)
H][RO
Bipolar (III) Inmate. From: Australia. Insane since: Oct 2002
posted 04-17-2006 02:14
Oops, yeah, right, I meant to move that :P
For myself I have always used simply require_once('../includes'), but it depends what you're doing and what the context is. I normally have one for includes and one for files, then I use a php script for users to download the file (mainly so I can handle registered downloads etc).
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-18-2006 01:26
Fooey. This didn't work for me:
code:
require_once($_SERVER['DOCUMENT_ROOT'],'/includes/content.php');
or this
code:
require_once($_SERVER['DOCUMENT_ROOT'],'../includes/content.php');
If the file that is including this is already at the root level, then simply "../includes/content.php" works fine, but what do I use to make it find that directory and file from anywhere in the web root hierarchy?
(Edited by Steve on 04-18-2006 01:28)
kuckus
Paranoid (IV) Mad Librarian. From: Glieberlermany. Insane since: Dec 2001
posted 04-18-2006 01:57
Not sure where the comma came into play there... tried sticking them together using a dot yet?
code:
require_once($_SERVER['DOCUMENT_ROOT'] . '../includes/content.php');
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-18-2006 02:42
The comma was fatigue.
But the period didn't fix it.
One of the sites I have access to is miltonfame.org
I placed a directory named "includes" above the public www directory, with a file "content.php"
in the public www directory I placed a test document that uses the syntax stated above. I get the following:
code:
Warning: main(/home/webpco/miltonfame.org../includes/content.php): failed to open stream:
No such file or directory in /home/.oakieoven/webpco/miltonfame.org/include_test.php
(Edited by Steve on 04-18-2006 02:46)
redroy
Paranoid (IV) Inmate. From: 1393. Insane since: Dec 2003
posted 04-18-2006 03:04
When you use "../" it's actually trying to back up a directory. Take out the ".." and try again.
H][RO
Bipolar (III) Inmate. From: Australia. Insane since: Oct 2002
posted 04-18-2006 03:15
You might also need a '/' before the ../ if you actually do want to go back a directory.
Tell us the directory to your webroot; I am assuming it's miltonfame.org/www or miltonfame.org/publichtml.
If this is the case you want the includes directory at miltonfame.org/includes which is still below the webroot; if so, do as redroy said, leave out the ../ BUT make sure you leave the '/' in before includes, otherwise you are trying to get to miltonfame.orgincludes/ instead of miltonfame.org/includes/.
The errors should be enough to tell you what's going wrong, but if not, set up a variable and put the whole thing you are including in the variable and print it out so you can see exactly what you are trying to include. Let us know what that is if you are still having problems.
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-18-2006 03:16
Sadly, no success. The warning message continues to indicate that the path to the include directory is *in* the public html directory, not *above* it.
I feel dumb...
Not that that feeling is at all unfamiliar...
hyperbole
Paranoid (IV) Inmate. From: Madison, Indiana, USA. Insane since: Aug 2000
posted 04-18-2006 16:52
Most servers are set up so that you can't use a relative path to get to a file above your root directory.
Try using an absolute path to get to files above the web root. Your absolute path should look something like /home/steve/... YMMV.
-- not necessarily stoned... just beautiful.
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-18-2006 23:26
Thanks. That makes sense. I can get to it with an absolute path. I guess I went off on a wild goose chase following a tidbit I picked up from DmS's post near the beginning of this thread that seemed to suggest using some path based around a $_SERVER variable would be more flexible than an absolute path.
Well - thanks for putting that mystery to rest!
Steve
Maniac (V) Inmate. From: Boston, MA, USA. Insane since: Apr 2000
posted 04-19-2006 03:10
Sweet. Actually the /home/account/includes/file.php seems plenty flexible enough for anything I'm likely to need.
Thanks again!
kuckus
Paranoid (IV) Mad Librarian. From: Glieberlermany. Insane since: Dec 2001
posted 04-19-2006 07:45
Hmm, something along the lines of this
code:
include ( str_replace('htdocs', 'includes', $_SERVER['DOCUMENT_ROOT']) . '/file.php' );
could also work if what you need is an absolute path.
If your DOCUMENT_ROOT was "/home/account/htdocs" this would change it to "/home/account/includes" and append "/file.php" to build the path to the include file.
Don't know if this really helps to simplify anything more than a bit, but at least you won't have to have the "home/account../" path right in the code this way.
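Pulling the thread's two loose ends together as one added example (not code from the thread or from any poster in it): Steve's question of how to reach an "includes" directory one level above the web root without hard-coding /home versus /home2, and bitdamaged's suggestion of narrowing open_basedir yourself. The layout /home/account/public_html with a sibling /home/account/includes, and the file name db.php, are assumptions for illustration; dirname($_SERVER['DOCUMENT_ROOT']) is what gives the directory above the web root, which is what the '../' attempts above were reaching for.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /home/account/public_html   <- $_SERVER['DOCUMENT_ROOT']
//   /home/account/includes      <- private; holds db.php etc.
// Works from any depth in the web tree because it starts from DOCUMENT_ROOT,
// not from the current script's directory.

// Strip a trailing slash some servers put on DOCUMENT_ROOT, then go one
// level up. realpath() resolves symlinks (e.g. /home/x -> /home/.srv/x, as
// in the warning quoted earlier) and returns false if the path is missing.
$docRoot     = rtrim($_SERVER['DOCUMENT_ROOT'], '/');
$docRootReal = realpath($docRoot);
$includeDir  = realpath(dirname($docRoot) . '/includes');

if ($docRootReal === false || $includeDir === false) {
    // A missing includes directory is a deployment error, not user input:
    // fail closed rather than silently falling back to a relative path.
    header('HTTP/1.0 500 Internal Server Error');
    exit('includes directory not found');
}

// Confine file access for the rest of this request to the web root plus the
// includes directory (PHP 5.3+ allows this at runtime). open_basedir can only
// be narrowed, never widened: if the host already set a limit that does not
// cover $includeDir, ini_set() returns false and the include below fails.
if (ini_set('open_basedir', $docRootReal . PATH_SEPARATOR . $includeDir) === false) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('open_basedir could not be set; check the host configuration');
}

/**
 * Include a file by fixed name from $includeDir.
 * $name is meant to be a literal in your own code, but the check keeps this
 * safe even if it is not: realpath() collapses ../ and symlinks, and the
 * prefix test refuses anything that resolves outside $includeDir.
 */
function include_private($includeDir, $name)
{
    $path = realpath($includeDir . '/' . $name);
    if ($path === false || strpos($path, $includeDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("refusing to include '$name' from outside $includeDir");
    }
    return require_once $path;
}

include_private($includeDir, 'db.php');
```

In practice the three lines that compute $includeDir belong in one config file, as bitdamaged suggests, so that every script shares the same absolute path; the containment check in include_private() is cheap insurance against a later refactor that starts feeding it a variable.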