CPixelsBen
09-20-2003, 11:30 PM
We have a few customers on our servers who use code similar to this
<?php
if (isset($x)) {
include($x);
} else {
include('main.htm');
}
?>
However, this unfortunately appears to allow anyone to craft a URL to pass system commands to the server, by setting x= to whatever they want.
What's the best way to secure against that? Is there any way to secure against it short of changing the code?
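As an added example (not code from any poster in this thread), here is what the code-level fix looks like when the parameter is never used as a path at all: the request names a page, the script maps that name through a fixed allowlist, and anything not in the list is logged and replaced by the default page. The page names, file names and log format are assumptions for illustration.

```php
<?php
// Added example: allowlist replacement for the include-by-parameter pattern.
// Only files named in $pages can ever be included, so "../", "http://",
// "php://" or a path to an uploaded script are rejected before include() runs.
$pages = array(
    'main'    => 'main.htm',     // assumed default page
    'about'   => 'about.htm',    // assumed
    'contact' => 'contact.htm',  // assumed
);

// Resolve a requested page name against the allowlist.
// Returns the allowlisted key to include, falling back to $default.
function resolve_page($requested, $pages, $default)
{
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        // Unknown page: record the probe (hex-encoded so log lines stay
        // clean), then serve the default instead of echoing the input back.
        $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log(sprintf('include request rejected: x=%s from %s',
            bin2hex((string) $requested), $addr));
        return $default;
    }
    return $requested;
}

// Read the parameter explicitly instead of relying on register_globals.
$requested = isset($_GET['x']) ? $_GET['x'] : 'main';
$page      = resolve_page($requested, $pages, 'main');

// Build the path from the allowlisted value, relative to this script's directory.
include dirname(__FILE__) . '/' . $pages[$page];
?>
```

Because the user-supplied value is only ever used as an array key, there is nothing to escape: the include path is always one of the three constant strings above, whatever was sent in the URL.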
OverlordQ
09-20-2003, 11:44 PM
Run your server (apache) as a non-privileged user, or if php has something similar to suexec
CPixelsBen
09-20-2003, 11:50 PM
apache is run as a non-privileged user.
phpsuexec does exist, but thus far we have not been able to implement, though this still would allow for certain things to happen (wget'ing of a file, chmod'ing it, and then executing it)
OverlordQ
09-21-2003, 12:04 AM
It's late so I'm probably not thinking straight, but just make sure the non-privileged user can't run any of those system commands, it shouldn't have to anyways.
kostagr33k
09-21-2003, 03:39 AM
Try using:
<?php
if (isset($x)) {
include(escapeshellcmd($x));
} else {
include('main.htm');
}
?>
kosta
CPixelsBen
09-21-2003, 03:42 AM
Well, that's good for changing the code, but is there another way it can be done without changing the code?
My only reason is that more than one person may be using this code (in fact, I'm almost certain of it) and I'd like to turn it off all at once if possible.
sprintserve
09-21-2003, 04:54 AM
Edit your php.ini and use the option
disable_functions
Add things like system, and so on into it, and restart Apache. This way, even if they run the code, it doesn't work.
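As an added example (not from any poster in this thread), this is what the php.ini change described above looks like, with the default setting shown beside the hardened one. The directive names are real php.ini options; the particular function list and the open_basedir path are assumptions to be tuned per server.

```ini
; Added example: server-wide php.ini hardening for the include($x) pattern.

; Default setting: nothing disabled, so an included script can call anything.
; disable_functions =

; Hardened: refuse the process-spawning functions an injected script would
; need (list is an assumption; extend it to match what the customers' sites use).
disable_functions = system,exec,shell_exec,passthru,popen,proc_open

; Stop include() from fetching code over HTTP/FTP at all.
allow_url_fopen = Off

; Confine file access, include paths included, to the site's own tree.
; The path is a placeholder for this example.
open_basedir = /home/example-customer/public_html
```

After editing php.ini, restart Apache so the new values take effect; phpinfo() will then list the disabled functions and the active open_basedir, which is the quickest way to confirm the change landed on every vhost.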
kostagr33k
09-21-2003, 08:57 AM
Then why not just put safe mode on? Do you NEED safe mode? It's better if you have it on, for tightest security...
Kosta
sprintserve
09-21-2003, 09:50 AM
Yes, you can just put safe mode on, or to selectively disable it. It depends to what lengths you want to go. A full list of safe mode limitations/restrictions and disabling can be found here:
http://php3.de/manual/en/features.safe-mode.functions.php