[thelist] url specific session problem
Simon Willison
cs1spw at bath.ac.uk
Wed Sep 17 12:36:34 CDT 2003
elin tjerngren. artopod wrote:
>>This is unrelated to your problem, but does that URL mean that somewhere in
>>your script you're doing this?
>>
>>include($_GET['page']);
>>
>>If so, you've got a HUGE security problem.
>
> Yeah, it's stupid. Hmm - my fix to that was this,
>
> if ($_GET['page']) {
>     $page=$rootdir.$_GET['page'];
> }
That doesn't protect you completely, as attackers can still do something
like this:
index.php?page=../../../../../../etc/passwd
A more reliable method would be to use the basename() function. This
strips any directory information from a string, but unfortunately that
means that in your case it would strip off the directory information
that you want to keep.
> The $page is then checked to be a real file, and the actual catalogues on
> the server has .htaccess files with permission denied for all.
Unfortunately .htaccess files won't prevent a script from include()ing a
file that is in that directory - the .htaccess file only governs direct
requests from web browsers, but doesn't have any effect on internal
calls to a file from within PHP.
Best regards,
Simon
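The traversal and include() points raised in this thread, worked through as an added PHP example (not code from the thread or from any poster): it keeps the subdirectory part of the request, which plain basename() would strip, but canonicalises the path with realpath() and checks it stays under the root. The $rootdir location, the page-name pattern and the file names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. Templates are assumed to live OUTSIDE
// the document root, so a browser can never fetch them directly and nothing
// relies on .htaccess (which, as noted above, does not govern include()).
$rootdir = '/srv/site/pages/';   // assumed layout

/**
 * Resolve $requested to a file inside $rootdir, or return null.
 * realpath() collapses "..", symlinks and duplicate slashes, so the
 * containment check runs on the canonical path, not on the raw input.
 */
function resolve_page(string $rootdir, string $requested): ?string
{
    // Reject NUL bytes outright; they can truncate paths in lower-level calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Conservative allow-list: path segments of letters, digits, '-', '_'
    // separated by '/', ending in a single '.php'. "../" can never match.
    if (!preg_match('~^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.php$~', $requested)) {
        return null;
    }
    $root = realpath($rootdir);
    $full = realpath($rootdir . $requested);
    if ($root === false || $full === false) {
        return null;  // root missing, or the requested file does not exist
    }
    // Belt and braces: the canonical file path must sit under the canonical root.
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $full;
}

// The pattern discussed in the thread, for comparison (do not use):
//   include($rootdir . $_GET['page']);   // page=../../../../etc/passwd escapes
$page = resolve_page($rootdir, $_GET['page'] ?? 'home.php');
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
include $page;
```

The character-class check alone already blocks traversal; the realpath() prefix test is the defence that still holds if that pattern is later loosened.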