
securing script to not include from certain subdirs



mrruben5
07-09-2005, 03:38 PM
I have the following script:


<?php

$number = '13'; // for cutenews news number
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = 'cutenews/show_news.php';
}
// "../" means "parent directory" and can be used to evade the "pages/" prefix;
// "://" is a combo of the http:// and ftp:// checks you wanted.
if (stristr($page, "://") || stristr($page, "../")) {
    echo("Go away *******! This script is secured!");
    return 0; // terminates output.
}
if (file_exists($page)) {
    include($page);
} else {
    include('404.html');
}
?>

I have this on my index.php in the root of my domain.

The problem is that I have subdomains, so if a user specifies a directory, it includes from that directory. But I have files in subdirs I want to be able to show, so I can't knock it if there's a slash in the page _GET.

I was thinking of making an array of not allowed subdomains, exploding the _GET on /, and using some sort of array function to check if the first part of the explode is one of the array items.

Can anyone help me with that?

delinear
07-09-2005, 06:09 PM
Something like this?

$restricted = array("foo", "bar", "baz"); // names of restricted directories

if ($arr = explode("/", $_GET['page'])) {
    // only the first path segment is compared against the restricted list
    if (in_array($arr[0], $restricted)) {
        exit('The chosen directory is restricted.');
    }
}
That should check the first element of the exploded $_GET variable against the array. A better way may be to explode the $_GET variable then check each element of it to make sure that none of them appear in the restricted array, for instance:

$restricted = array("foo", "bar", "baz"); // names of restricted directories

if ($arr = explode("/", $_GET['page'])) {
    // compare every path segment, not just the first one
    for ($i = 0; $i < count($arr); $i++) {
        if (in_array($arr[$i], $restricted)) {
            exit('The chosen directory is restricted.');
        }
    }
}
This will foil people who try and trick the script by using various combinations of directory navigation techniques so that the restricted directory isn't the first element in the array.

The downside is that you have to be very clear in your naming structure: if you have two directories with the same name, one restricted and one not, then this will block them both.
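
A stricter version of the same idea, added here as an example and not code from the thread: it anchors the requested file under the script's own directory with realpath(), so the "../" and "://" cases from the original script and absolute paths are all rejected in one place, and then checks every directory segment against the restricted list as in the second variant above. The restricted names ('admin', 'includes') and the base directory are assumptions.

```php
<?php
// Added example: resolve ?page= to a file that must live under $base and must not
// pass through a restricted subdirectory. Returns the resolved path, or null if the
// request is rejected. $base and $restricted are supplied by the caller (assumed).
function resolve_page(string $requested, string $base, array $restricted): ?string
{
    // Reject stream wrappers (http://, ftp://, ...) and embedded NUL bytes outright.
    if ($requested === '' || strpos($requested, "\0") !== false || strpos($requested, '://') !== false) {
        return null;
    }
    $root = realpath($base);
    if ($root === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so later checks see the real target.
    // Leading slashes are stripped so an absolute path is treated as relative to $root.
    $target = realpath($root . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved file must sit strictly inside $root (note the trailing separator).
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Check every directory segment of the relative path, not just the first one.
    $segments = explode(DIRECTORY_SEPARATOR, substr($target, strlen($prefix)));
    array_pop($segments); // drop the file name; only directories are restricted
    foreach ($segments as $dir) {
        if (in_array($dir, $restricted, true)) {
            return null;
        }
    }
    return $target;
}

// Usage in index.php: pages are included from the script's directory, as in the thread;
// 'admin' and 'includes' are assumed names of directories that must never be included.
$page = isset($_GET['page']) ? $_GET['page'] : 'cutenews/show_news.php';
$file = resolve_page($page, __DIR__, array('admin', 'includes'));
if ($file === null) {
    include __DIR__ . '/404.html';
} else {
    include $file;
}
```

Because realpath() returns the final location, a symlink inside an allowed directory that points at a restricted one is also caught by the segment check.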

mrruben5
07-11-2005, 12:16 AM
I'll go with the first one. I don't have subdomains in subdomains, so that isn't a problem :P

It's awfully wicked :p :D :thumbsup:
