is this safe, cause no-script popped when i tested

matak
12-27-2007, 04:33 PM
Hi guys,
I have this code


<?php
// Pick the page to show from the ?id= query parameter.
if (!isset($_GET['id'])) {
    include("INC/index-inc.php");
}
else {
    // htmlspecialchars() only rewrites HTML metacharacters (<, >, &, "),
    // so the path is still built from unvalidated user input.
    $filepath = "INC/".htmlspecialchars($_GET['id']).".html";

    if (file_exists($filepath)) {
        include ($filepath);
    }
    else {
        echo "<p>Sorry, you want file that doesn't exist anymore</p>";
    }
}

I'm wondering how safe it is from XSS attacks. I tested it by writing ?id=<script> directly into the address bar and NoScript popped a warning "potential XSS attack". I'm just wondering whether someone could somehow pull off an XSS attack, even if a file with that name doesn't exist.

thanks

Jesuspwnt
12-27-2007, 04:47 PM
Looks as if it's safe from XSS,
but I'm worried about Remote File Inclusion / Local File Inclusion.

matak
12-27-2007, 04:53 PM
Looks as if it's safe from XSS,
but I'm worried about Remote File Inclusion / Local File Inclusion.

Umm, can you give me an example? :confused: Or at least explain a bit more.

Jesuspwnt
12-27-2007, 05:08 PM
Remote file inclusion allows an attacker to include a file from anywhere on the net, usually a malicious piece of code called a "shell".

With a shell the attacker could gain r00t and own your systems...

matak
12-27-2007, 08:39 PM
Through which protocol can someone do that remote file inclusion?

Jesuspwnt
12-27-2007, 08:43 PM
Protocol HTTP, port 80, through a web browser.

matak
12-27-2007, 10:27 PM
Yeah, I checked wiki just before I saw your answer. Hmm.. I think that this part

"INC/".htmlspecialchars($_GET['id']).".html"

especially the INC/ one, disables it, but I shall look into that situation by testing it from another server.

thanks

GJay
12-27-2007, 11:27 PM
There's no point running the filename through htmlspecialchars - the manual page makes it pretty clear what that function is designed for.

On unix/linux servers, the file '..' in any directory is a special link to the parent directory, which means that, given a few tries, it would be possible for someone to put something like '../../../../file-with-passwords' into the address bar and they'd see the contents.

When including files dynamically, always work with a whitelist - a list of all files that you want to be allowed that you check the input against.

matak
12-28-2007, 10:05 AM
Or just use file_get_contents() instead of include, since PHP doesn't parse the file when using file_get_contents().
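As an added example (not code from this thread or its posters), here is the whitelist approach GJay describes applied to the snippet from the first post, written for PHP 7 or later. It assumes the same INC/ directory and ?id= parameter; the page names in the map are constructed for the example. It also covers the file_get_contents() suggestion in the last post: reading a file instead of including it stops PHP from executing it, but it still discloses whatever the path points at, so the path must come from the whitelist rather than from the request either way.

```php
<?php
// Added example, not the thread's own code. Assumes the INC/ layout from
// the first post; the ids and filenames below are constructed.

// Map of allowed ids to files. Only these keys can ever be resolved; anything
// else (including '../../etc/passwd' or '<script>') falls through to the error.
$pages = [
    'home'    => 'INC/index-inc.php',
    'about'   => 'INC/about.html',
    'contact' => 'INC/contact.html',
];

/**
 * Resolve a request id to a filesystem path, or return null.
 * The returned path is taken verbatim from the whitelist; it is never
 * assembled from user input.
 */
function resolve_page(array $pages, $id)
{
    if ($id === null || $id === '') {
        return $pages['home'];
    }
    // Strict key lookup: isset() does not interpret '.', '/' or anything else
    // in $id, so a traversal sequence cannot change which file is chosen.
    return isset($pages[$id]) ? $pages[$id] : null;
}

/**
 * Illustrates GJay's point: htmlspecialchars() only rewrites HTML
 * metacharacters, so a traversal id passes through it unchanged.
 * Returns true when $id contains '../' and htmlspecialchars() left it as-is.
 */
function traversal_survives_htmlspecialchars($id)
{
    return htmlspecialchars($id) === $id && strpos($id, '../') !== false;
}

$path = resolve_page($pages, isset($_GET['id']) ? $_GET['id'] : null);

if ($path === null) {
    // Fixed message; the raw id is not echoed back into the page.
    echo '<p>Sorry, that page does not exist.</p>';
} elseif (substr($path, -4) === '.php') {
    include $path;            // trusted, whitelisted PHP fragment
} else {
    // Static HTML needs no parsing, so file_get_contents() is enough here,
    // and it is safe only because $path came from the whitelist.
    echo file_get_contents($path);
}
```

traversal_survives_htmlspecialchars('../../etc/passwd') returns true, which is exactly why the original filter gave no protection against local file inclusion: the function does its job (HTML escaping) correctly, it just has nothing to do with filesystem paths.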
