Thread: is this a security hole?
Apr 5, 2009, 17:20 #1
this looks bad to me, but it solves a lot of problems.
basically I've got files inside /app/webroot
I've got a .htaccess file that redirects URLs to /loader.php?include_page=[whatever you type], as follows:
RewriteEngine on
RewriteRule ^(.*)$ loader.php?include=/$1 [QSA,L,NC]
so, for instance, if you visit /search/foo/, Apache redirects traffic to /loader.php?include=/search/foo/
eventually (after doing lots of stuff), loader.php includes the page specified in $_GET['include'], in this way:
include '/app/webroot' . $_GET['include'];
it looks to me like a bad security hole, but I've tried all possible values I could think of, and nothing bad happened.
I think this doesn't allow loading external sites or system files like /etc/passwd, because of the way the include is written: the file must be inside /app/webroot, and whatever is in this directory you can access from the web anyway.
am I missing something? is this bad?
any suggestion appreciated.
Apr 5, 2009, 17:26 #2
try this value '/../../etc/passwd'
And yes that is a very bad hole.
Apr 5, 2009, 17:34 #3
guess I gotta find another way to solve the other problems...
thanks!
Apr 5, 2009, 17:35 #4
Apr 5, 2009, 18:17 #5
... meaning probs the include would solve
Apr 5, 2009, 18:52 #6
What about running any paths containing data from the user through this?
PHP Code:function path_jailed($path, $jail = '.')
{
    // Replace a leading drive letter ("C:"), any run of backslashes, and any
    // run of dots followed by a slash ("../", "./") with a single "/".
    // In a single-quoted PHP string '\\\\+' is the regex \\+ (one or more
    // backslashes); concatenation is used instead of sprintf() so a "%" in
    // $jail is never read as a format specifier.
    $path = $jail . '/' . preg_replace('#^[A-Z]+:|\\\\+|\.+/#i', '/', $path);
    // Collapse the repeated slashes left behind by the replacements.
    return preg_replace('#/{2,}#', '/', $path);
}
PHP Code:include path_jailed($_GET['include'], '/app/webroot');
Apr 5, 2009, 19:07 #7
Or you can just apply "realpath" and get to the same place.
PHP Code:// Canonical directory of this script, forward slashes only, with a trailing "/".
$safe = preg_replace( '~[\\\\/]+~', '/', dirname( __FILE__ ) . '/' );
// realpath() resolves ".", ".." and symlinks and returns false for a path that
// does not exist; false . '/' is just "/", which fails the prefix check below.
$user = preg_replace( '~[\\\\/]+~', '/', realpath( $_GET['path'] ) . '/' );
// The trailing "/" on both sides keeps "/app/webroot-other/" from passing as "/app/webroot/".
if ( strpos( $user, $safe ) !== 0 ) {
    exit( 'Bad path!' );
}
Apr 5, 2009, 20:45 #8
That jails you to the application directory regardless though, doesn't it?
What if you have multiple sites using the same includes?
Apr 5, 2009, 20:52 #9
If the path goes outside of the desired location, or goes to a location that doesn't exist, that would tell me that someone is trying to hack into the system and/or find an exploit. The common user is not going to forge paths.
And I'm not sure what "...multiple sites using the same includes..." is supposed to mean in this context.
Apr 6, 2009, 01:50 #10
Assume you have a server with the following paths on the filesystem.
/www/domain-one.com/
/www/domain-two.com/
/www/common/
The first path is the DocumentRoot for an Apache virtual host named "domain-one.com", the second path is a DocumentRoot for "domain-two.com", and the third path is a set of common includes accessible by both sites so the administrator doesn't need to maintain two sets of includes for the two sites.
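Combining the realpath() check from post #7 with the shared-includes layout from post #10, here is an added example that is not code from the thread: resolve_jailed() (a name chosen here) takes a list of permitted base directories and returns the canonical .php file, or null when the request resolves outside every base or to something that is not a file. The directory and file names in the self-test are constructed for the demo.

```php
<?php
// Added example, not code from the thread: resolve a user-supplied include
// path against several permitted base directories (post #10's layout).
function resolve_jailed(string $requested, array $bases): ?string
{
    foreach ($bases as $base) {
        $baseReal = realpath($base);
        if ($baseReal === false) {
            continue;                       // misconfigured base directory
        }
        // realpath() resolves "..", "." and symlinks and returns false for
        // paths that do not exist, so traversal and typos both fail closed.
        $target = realpath($baseReal . '/' . ltrim($requested, '/\\'));
        if ($target === false || !is_file($target)) {
            continue;
        }
        // Compare with a trailing separator so "/www/common-x" is not
        // mistaken for a child of "/www/common".
        $prefix = $baseReal . DIRECTORY_SEPARATOR;
        if (strncmp($target, $prefix, strlen($prefix)) === 0
            && substr($target, -4) === '.php') {
            return $target;
        }
    }
    return null;
}

// Self-test on a constructed tree under the system temp directory.
$root = sys_get_temp_dir() . '/jail-demo-' . getmypid();
foreach (["$root/www/domain-one.com/search", "$root/www/common"] as $d) {
    is_dir($d) || mkdir($d, 0700, true);
}
file_put_contents("$root/www/domain-one.com/search/index.php", "<?php\n");
file_put_contents("$root/www/common/header.php", "<?php\n");
file_put_contents("$root/secret.txt", "not for the web\n");
$bases = ["$root/www/domain-one.com", "$root/www/common"];

$checks = [
    // request            => expected canonical path (null = rejected)
    '/search/index.php'   => realpath("$root/www/domain-one.com/search/index.php"),
    'header.php'          => realpath("$root/www/common/header.php"),
    '/../../secret.txt'   => null,   // resolves outside both bases
    '/search/'            => null,   // a directory, not an includable file
];
foreach ($checks as $request => $expected) {
    $got = resolve_jailed($request, $bases);
    echo ($got === $expected ? 'ok   ' : 'FAIL ') . var_export($request, true) . "\n";
}
```

Run it from the CLI with php; the caller then does `include $file;` only when the return value is not null. The small test tree is left under the temp directory.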
Apr 6, 2009, 05:18 #11
yeah, that was a bad idea to start with.
I've now got another solution figured out that doesn't affect security.
even though the path jail might work, if it's bad then it's better not to have code like that at all.