PHP & Security: 3 Example Exploits
(Page 2 out of 3)

This is one of the sneakiest exploits around, but it is also very simple (and easy to forget about as a developer!). The View Source exploit was the one that caused PHPit to be "hacked" recently.
It only works when you use a script to highlight or show the source of other PHP files, using the highlight_file() function or the fopen() function. These functions allow your visitors to view the source of other files, which is the whole point of such a script. But you must also implement some security measures to prevent users from viewing files that they shouldn't see (such as database files, password files, etc.). The best way of doing this is to use a white-list array of filenames, and only allow these files to be opened. This method is bullet-proof and will never fail.
But perhaps you want to restrict the script to only allow files from a certain directory, e.g. the 'demos' directory. To enforce this restriction, you'd probably use code like this:
// $file is the user-supplied filename (e.g. taken from the query string).
// Opening line reconstructed from the description below: the script only
// checks that the filename contains 'demos'. This is the vulnerable version.
if (strpos($file, 'demos') === false) {
    echo 'Security alert. Not a demo!';
} else {
    highlight_file($file);
}
This checks whether the filename contains 'demos' and, if so, displays the source. It seems fairly fail-proof, but that's where the exploit strikes. An attacker could include '..' in the filename, which means "go a directory up". So C:\program files\demos\..\ means the same as C:\program files\. This basically means that an attacker has unlimited access to everything on the server the web server can read. Big whoops!
Just test it yourself, with the interactive demo:
Case 1: when trying an invalid filename, error is displayed
Case 2: when trying a demo filename, it shows the correct filename
Case 3: when using the exploit, no error is displayed, and it shows a forbidden filename
How do you protect against this exploit?
The easiest way is to check if the filename contains the two dots and display an error. So the above code becomes:
// Opening line reconstructed from the text: the 'demos' check from above,
// plus a rejection of any '..' in the filename.
if (strpos($file, 'demos') === false || strpos($file, '..') !== false) {
    echo 'Security alert. Not a demo!';
} else {
    highlight_file($file);
}
UPDATE:
The above way isn't completely secure, since any file whose path contains 'demos' can still be viewed. If you really want to secure your view source script, don't allow a full path; instead, only allow a bare name. For example, instead of using '/home/phpit/public_html/demo/demo.php' simply use 'demo.php', and have your script prepend the full path. The only thing you have to worry about then is filtering out the two dots, and that's easy.
if (strpos($file, '..') !== false) {
    echo 'Security alert. Not a demo!';
} else {
    highlight_file($file);
}
This would probably be enough to protect your view source script, and stop this exploit from working. You can also use dedicated source-viewing scripts, like phpViewSource.
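As an added example (not code from the article or from PHPit), here is a view-source handler that combines the three defences the article recommends: a white-list array of filenames, accepting only a bare name rather than a path, and refusing any '..' sequence. It also verifies the resolved path with realpath() as a final check. The demo directory, the file names in the white-list and the 'file' query parameter are all constructed for illustration.

```php
<?php
// Added example (not the article's own code): a hardened "view source"
// handler. DEMO_DIR and ALLOWED_DEMOS are constructed values.
declare(strict_types=1);

// Directory that holds the demo files; everything else on disk is off-limits.
const DEMO_DIR = '/home/phpit/public_html/demo';   // constructed example path

// White-list: the only files the script may ever display.
const ALLOWED_DEMOS = ['demo.php', 'hello.php', 'form.php'];

/**
 * Resolve a user-supplied demo name to an absolute path inside $baseDir,
 * or return null if the request must be refused.
 */
function resolve_demo(string $name, string $baseDir = DEMO_DIR, array $allowed = ALLOWED_DEMOS): ?string
{
    // 1. Accept only a bare file name: '..', '/', '\' and NUL bytes all
    //    indicate an attempt to leave the demo directory.
    if ($name === '' || strpos($name, '..') !== false
        || strpbrk($name, "/\\\0") !== false) {
        return null;
    }

    // 2. White-list check: the name must be one we explicitly published.
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    // 3. Belt and braces: resolve symlinks and confirm the real path still
    //    lies under the demo directory. realpath() returns false for a file
    //    that does not exist, which is also refused.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $path;
}

// Usage: only a bare name arrives from the query string, never a full path.
$name = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : '';
$path = resolve_demo($name);

if ($path === null) {
    echo 'Security alert. Not a demo!';
} else {
    highlight_file($path);
}
```

With this layout a request such as file=demo.php is served from DEMO_DIR, while any request carrying a directory separator, a '..' sequence, or a name not in ALLOWED_DEMOS gets the error message; the realpath() prefix comparison catches symlinked files that point outside the demo directory even when the name itself looks harmless.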
November 3rd, 2005 at 2:51 am
I think you’re better off with http://www.php.net/realpath to find out if the base path is really what you want it to be..
Anyway, a lot of articles on php and security can be found at http://www.phpsec.org :)