include security - what works, what don't?

  • juglesh

    include security - what works, what don't?

    please comment on the following methods of preventing cross site
    scripting and/or other nastiness:

    1:
    $pages = array('home','contact','about','links');
    // could also build this array with readdir('MySafeDir') ??
    if( in_array($_GET['page'], $pages) )
    { include $_GET['page'].".php";}
    else {die("Nice Try."); }

    2:
    include "my_prefix_".$_GET['page'].".php";

    3:
    include "my_safe_dir/".$_GET['page'].".php";

    4:
    include_path=".:/myIncludes";
    include $_GET['page'].".php";

    --
    thanks for your time
    juglesh

  • J.O. Aho

    #2
    Re: include security - what works, what don't?

    juglesh wrote:
    > please comment on the following methods of preventing cross site
    > scripting and/or other nastiness:
    >
    > 1:
    > $pages = array('home','contact','about','links');
    > // could also build this array with readdir('MySafeDir') ??
    > if( in_array($_GET['page'], $pages) )
    > { include $_GET['page'].".php";}
    > else {die("Nice Try."); }
    >
    > 2:
    > include "my_prefix_".$_GET['page'].".php";
    >
    > 3:
    > include "my_safe_dir/".$_GET['page'].".php";
    >
    > 4:
    > include_path=".:/myIncludes";
    > include $_GET['page'].".php";
    >

    You should make sure to remove all '..' from the paths, otherwise people could
    navigate outside your secure directory.

    The best IMHO is to use aliases for pages, and you hard code what the alias
    means, this way it will be difficult to get the php script to display something
    else than those pages you want.


    //Aho


    • juglesh

      #3
      Re: include security - what works, what don't?

      J.O. Aho wrote:
      > juglesh wrote:
      > > please comment on the following methods of preventing cross site
      > > scripting and/or other nastiness:
      > >
      > > 1:
      > > $pages = array('home','contact','about','links');
      > > // could also build this array with readdir('MySafeDir') ??
      > > if( in_array($_GET['page'], $pages) )
      > > { include $_GET['page'].".php";}
      > > else {die("Nice Try."); }
      > >
      > > 2:
      > > include "my_prefix_".$_GET['page'].".php";
      > >
      > > 3:
      > > include "my_safe_dir/".$_GET['page'].".php";
      > >
      > > 4:
      > > include_path=".:/myIncludes";
      > > include $_GET['page'].".php";
      > >
      >
      > You should make sure to remove all '..' from the paths, otherwise people could
      > navigate outside your secure directory.

      so, just replace .. with nothing? and that would apply to #3? so, if
      they go '../passwords.txt or whatever, that would make my include be
      equivalent to "my_safe_dir/up a directory to
      root/".$_GET['page'].".php" and they can include something on the
      root, or however many ../ they use?
      >
      > The best IMHO is to use aliases for pages, and you hard code what the alias
      > means, this way it will be difficult to get the php script to display something
      > else than those pages you want.

      I see, so,
      if($_GET['page']=home){include myhomepage.php; }
      if($_GET['page']=contact){include mycontactpage.php;} ??


      • Gordon Burditt

        #4
        Re: include security - what works, what don't?

        >> > 4:
        >> > include_path=".:/myIncludes";
        >> > include $_GET['page'].".php";
        >> >
        >>
        >> You should make sure to remove all '..' from the paths, otherwise people could
        >> navigate outside your secure directory.
        >
        >so, just replace .. with nothing? and that would apply to #3? so, if

        My preference would be to return an error message to the user
        (something similar to the FBI warning on video tapes) and
        nothing else.

        >they go '../passwords.txt or whatever, that would make my include be
        >equivalent to "my_safe_dir/up a directory to
        >root/".$_GET['page'].".php" and they can include something on the
        >root, or however many ../ they use?

        Yes.

        I don't think I would want to let the user specify a file name, but
        if they can, there are a few checks I would want to do:

        - The file name (component) contains only acceptable characters,
        which might be alpha, numeric, and maybe period, underscore, and
        minus. NO slash, meaning all the files need to be in the same
        directory.

        - Check the component against a complete list of acceptable values
        (no pattern-matching, a COMPLETE LIST of possible values, possibly
        translating the value in the process).

        For example, I occasionally have a page where you can select a sort
        order with $_GET['order'], using a small set of named orders. The
        names are supposed to make sense to the page maintainer and maybe
        to a user reading the URL, but the user is really just supposed to
        click a link with a longer description in the text, and not pay any
        attention to the guts of the URL at all. I use a switch on
        $_GET['order'] which sets a variable with the SQL order clause in
        it. The name of the order has no necessary relationship to the SQL
        fields involved (e.g. you might have order=date, order=datedesc and
        order=name. The SQL fields involved might be signupdate, lastname,
        and firstname).

        >> The best IMHO is to use aliases for pages, and you hard code what the alias
        >> means, this way it will be difficult to get the php script to display something
        >> else than those pages you want.
        >
        >I see, so,
        > if($_GET['page']=home){include myhomepage.php; }
        > if($_GET['page']=contact){include mycontactpage.php;} ??
        >

        That's the idea, but I think you are missing some quotes.

        Gordon L. Burditt
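        As an added example, not code posted by anyone in this thread: the hard-coded alias map that Aho suggests and the two checks Gordon describes (a "complete list" lookup that translates the request value, and a character check for the rare case where a file name component has to be accepted at all), written out in PHP. The file names `myhomepage.php` and `mycontactpage.php` and the order names `date`, `datedesc` and `name` come from the posts above; the `pages/` directory and the SQL column names `signupdate`, `lastname` and `firstname` are assumed for illustration.

```php
<?php
// Added example (not from the thread): the "complete list" approach from the
// posts above. Nothing the user sends is ever used as a path or as SQL text;
// it is only used as a lookup key.
declare(strict_types=1);

// Page aliases -> files. The keys are the only values accepted from ?page=;
// the file names on the right never come from the request.
const PAGE_MAP = [
    'home'    => 'myhomepage.php',
    'contact' => 'mycontactpage.php',
    'about'   => 'about.php',
    'links'   => 'links.php',
];

// Returns the file to include for a page alias, or null when the alias is
// not on the list. A null result should become a 404, not a guess.
function resolve_page(string $alias): ?string
{
    // Exact-string lookup: '../x', 'Home' or 'home.php' all miss, so there
    // is no '..' to strip in the first place.
    return PAGE_MAP[$alias] ?? null;
}

// Gordon's sort-order example: the request carries a short name, the code
// owns the SQL. The default case rejects anything not on the list.
// (Column names are assumed for this example.)
function order_clause(string $name): string
{
    switch ($name) {
        case 'date':     return 'ORDER BY signupdate ASC';
        case 'datedesc': return 'ORDER BY signupdate DESC';
        case 'name':     return 'ORDER BY lastname ASC, firstname ASC';
        default:
            throw new InvalidArgumentException('unknown sort order');
    }
}

// The character check from the post, for when a file name component must be
// accepted: letters, digits, '.', '_' and '-', no slash (so everything stays
// in one directory), and never '.' or '..' on their own.
function is_safe_component(string $s): bool
{
    return $s !== '.' && $s !== '..'
        && preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $s) === 1;
}

// Request handling: a non-string (?page[]=x) or unknown alias -> 404,
// and nothing is included.
$raw  = $_GET['page'] ?? 'home';
$file = is_string($raw) ? resolve_page($raw) : null;
if ($file === null) {
    http_response_code(404);
    exit('No such page.');
}
// Assumed layout: page files live in a fixed directory next to this script.
include __DIR__ . '/pages/' . $file;
```

        The point of both functions is the same one Gordon makes: the name in the URL is a label the code translates, and the translation table is the whole list of what can happen, so there is no pattern to bypass.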


        • juglesh

          #5
          Re: include security - what works, what don't?


          Gordon Burditt wrote:
          > >> > 4:
          > >> > include_path=".:/myIncludes";
          > >> > include $_GET['page'].".php";
          > >> >
          > >>
          > >> You should make sure to remove all '..' from the paths, otherwise people could
          > >> navigate outside your secure directory.
          > >
          > >so, just replace .. with nothing? and that would apply to #3? so, if
          >
          > My preference would be to return an error message to the user

          I've been hacking around, and I can't traverse(?) dirs with ../ if I use
          a prefix, like "pre_".$GET['page'].".php" But, I'm not that
          devious...

          I want to guard against including remote xss nastiness, too. So, it
          seems like the prefix thing works for that, they can try to include
          'pre_http://badsite.com/badscript.php', but I don't see how that's going
          to do anything. What if I str_replace('http',''), is there another way
          around that?
          > - The file name (component) contains only acceptable characters,
          > which might be alpha, numeric, and maybe period, underscore, and
          > minus. NO slash, meaning all the files need to be in the same
          > directory.

          yeah, for most of the easy page=home type pages, this works:
          $_GET['page'] = ereg_replace("[^[:alnum:]]","",$_GET['page']);

          and then,
          if (!is_file($_GET[page].".php"))
          {header ("Location: http://www.domain.com/404.php"); die;}

          > >> The best IMHO is to use aliases for pages, and you hard code what the alias
          > >> means, this way it will be difficult to get the php script to display something
          > >> else than those pages you want.
          > >
          > >I see, so,
          > > if($_GET['page']=home){include myhomepage.php; }
          > > if($_GET['page']=contact){include mycontactpage.php;} ??
          > >
          >
          > That's the idea, but I think you are missing some quotes.

          yup
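          An added example, not juglesh's code: a hardened form of the "filter to alphanumerics, then is_file()" fallback in this post, for the case where page files really are picked up from a directory with a prefix rather than from a hard-coded list. The `pages/` directory and the `pre_` prefix are assumptions made for the example. Two things differ from the snippet above: the name is rejected rather than rewritten, so a request can never be silently turned into a different file; and the script checks `allow_url_include`, the php.ini directive that decides whether include() accepts URL wrappers at all, because that setting, not stripping substrings like "http" out of the input, is what rules remote includes out.

```php
<?php
// Added example (not from the thread): hardened version of the
// "alnum filter + is_file() + 404" fallback from the post above.
declare(strict_types=1);

// Assumed layout for this example: includable pages live in ./pages and are
// named pre_<name>.php, as in the poster's prefix idea.
const PAGE_DIR    = __DIR__ . '/pages';
const PAGE_PREFIX = 'pre_';

// allow_url_include is a PHP_INI_SYSTEM setting: it can only be set in
// php.ini, so the script can report it but not fix it. With it Off,
// include() refuses http:// and similar wrappers regardless of the path.
function remote_include_disabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Returns the absolute path of the page file to include, or null.
function resolve_page_file(string $raw): ?string
{
    // 1. Character allowlist. The ereg_replace in the post rewrote the value;
    //    rejecting is safer, since a rewritten name could match a file the
    //    requester never asked for.
    if (preg_match('/\A[A-Za-z0-9]{1,32}\z/', $raw) !== 1) {
        return null;
    }

    // 2. Fixed directory + prefix: the request never supplies the start of
    //    the path, so it cannot begin with a stream wrapper or an absolute path.
    $candidate = PAGE_DIR . '/' . PAGE_PREFIX . $raw . '.php';

    // 3. realpath() resolves symlinks and any '.'/'..'; the result must be a
    //    regular file that still sits inside PAGE_DIR. This is the is_file()
    //    check from the post plus a containment check as defence in depth.
    $base = realpath(PAGE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

if (!remote_include_disabled()) {
    http_response_code(500);
    error_log('allow_url_include must be Off in php.ini for this router');
    exit('Server misconfiguration.');
}

// A non-string value (?page[]=x) or anything that fails the checks is a 404.
// Answering 404 directly avoids the redirect-to-404.php round trip.
$raw  = $_GET['page'] ?? 'home';
$file = is_string($raw) ? resolve_page_file($raw) : null;
if ($file === null) {
    http_response_code(404);
    exit('No such page.');
}
include $file;
```

          With the alnum-only check in step 1, steps 2 and 3 can never see a '..' or a slash from the request; they are there so that the script stays safe even if someone later loosens the character class, which is exactly the kind of change that turns a prefix scheme into the traversal problem discussed earlier in the thread.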
