  1. #1
    Banned

    Is this safe? Because NoScript popped up when I tested it

    Hi guys,
    I have this code

    PHP Code:
    if (!isset($_GET['id'])) {
        include("INC/index-inc.php");
    }
    else {
        $filepath = "INC/" . htmlspecialchars($_GET['id']) . ".html";

        if (file_exists($filepath)) {
            include($filepath);
        }
        else {
            echo "<p>Sorry, you want file that doesn't exist anymore</p>";
        }
    }
    I'm wondering how safe it is from XSS attacks. I tested it by writing ?id=<script> directly into the address bar and NoScript popped up a warning "potential XSS attack". I'm just wondering whether someone can somehow pull off an XSS attack, even if a file with that name doesn't exist.

    thanks

  • #2
    New Coder
    Looks as if it's safe from XSS.
    But I'm worried about Remote File Inclusion / Local File Inclusion.

  • #3
    Banned
    Quote Originally Posted by Jesuspwnt View Post
    Looks as if it's safe from XSS.
    But I'm worried about Remote File Inclusion / Local File Inclusion.
    Umm, can you give me an example? Or at least explain a bit more.

  • #4
    New Coder
    Remote file inclusion allows an attacker to include a file from anywhere on the net, usually a malicious piece of code called a "shell".

    With a shell the attacker could gain r00t and own your systems...

  • Users who have thanked Jesuspwnt for this post:

    matak (12-27-2007)

  • #5
    Banned
    Through which protocol can someone make that remote file inclusion?

  • #6
    New Coder
    Protocol HTTP, port 80, through a web browser.

  • #7
    Banned
    Yeah, I checked Wikipedia just before I saw your answer. Hmm.. I think that this part

    "INC/".htmlspecialchars($_GET['id']).".html"

    especially the INC/ one, prevents it, but I shall look into that situation by testing it from another server.

    thanks

  • #8
    Senior Coder
    There's no point running the filename through htmlspecialchars; the manual page makes it pretty clear what that function is designed for.

    On Unix/Linux servers, the file '..' in any directory is a special link to the parent directory, which means that, given a few tries, it would be possible for someone to put something like '../../../../file-with-passwords' into the address bar and they'd see the contents.

    When including files dynamically, always work with a whitelist - a list of all files that you want to be allowed that you check the input against.
    My thoughts on some things: http://codemeetsmusic.com
    And my scrapbook of cool things: http://gjones.tumblr.com

  • #9
    Banned
    Or just use file_get_contents() instead of include, since PHP doesn't parse the file when using file_get_contents().
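Added example in PHP, not code from the thread, of the whitelist approach #8 recommends, beside a realpath() containment check for sites with too many pages to list; the htmlspecialchars() call is dropped because a traversal string like ../../../../file-with-passwords contains none of the characters it escapes, and reading the file with file_get_contents() as in #9 would still disclose its contents even though it is no longer executed. ALLOWED_PAGES, the INC/ base directory and the inputs in the demo loop are constructed for this example.

```php
<?php
// Added example (not from the thread): whitelist-based page inclusion.
// ALLOWED_PAGES is a constructed list of the pages this site is meant to serve.
const ALLOWED_PAGES = ['about', 'contact', 'news'];

// Returns the path to include for ?id=..., or null if the request is refused.
function resolve_page(?string $id): ?string
{
    if ($id === null) {
        return 'INC/index-inc.php';
    }
    // Strict comparison against the whitelist: no byte from the request is
    // ever used to build a path, so '../' sequences and NUL bytes cannot matter.
    if (!in_array($id, ALLOWED_PAGES, true)) {
        return null;
    }
    return 'INC/' . $id . '.html';
}

// Fallback when a whitelist is impractical: resolve the candidate with realpath()
// and refuse anything that does not land strictly inside the base directory.
function resolve_page_contained(string $id, string $baseDir): ?string
{
    if (strpos($id, "\0") !== false) {
        return null; // realpath() rejects NUL bytes; fail closed instead
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $id . '.html');
    if ($base === false || $candidate === false) {
        return null; // base directory missing or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside INC/, e.g. via '../'
    }
    return $candidate;
}

// Demonstration on constructed inputs, including the traversal string from #8.
foreach (['about', '../../../../file-with-passwords', '<script>', null] as $id) {
    printf("%-35s -> %s\n", var_export($id, true), resolve_page($id) ?? 'rejected');
}

// In the page itself the request would be handled like this:
//   $path = resolve_page(isset($_GET['id']) ? (string) $_GET['id'] : null);
//   if ($path === null) { http_response_code(404); echo '<p>No such page.</p>'; }
//   else { include $path; }
```

The loop prints 'about' and null resolving to paths under INC/ while the traversal string and '<script>' are rejected without ever touching the filesystem.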

