security advice including file

phprock

Dear all,

I am using the following code to make module system cms.

//index.php
require_once("mainfile.php");

global $site_path;


if (!isset($_GET["file"]))
 {
 $file="index";
 }
else {
$file=$_GET["file"];

}

if (!isset($_GET["mod"]))
 {
 $mod="home";
 }
 else {

 $mod=$_GET["mod"];

 }

if(ereg("\.\.",$mod) || ereg("\.\.",$file)) {
 echo "Bad boy";

exit();

 }


$file ="$site_path/modules/$mod/$file.php";

if (file_exists("$file")) {
  include($file);
} else {

   die("sorry, File does not exist");
}

You can see that I am using this concept
http://www.mysite.com/ index.php?mod=$modulename&file=$modulefilename

I just want to know is there any security hole in the code.

How to stop direct access to a file withouth my main index.php file ?

let say i have module call"member" and inside i have index.php,myprofile.php etc... and I want to stop direct access to these file(ie.http://www.mysite.com/member/index.php)

onlyway, http://www.mysite.com/index.php?mod=member&file=index is allowed in this case

Thanks for your time.

Regards

olaf

Hallo,

if someone konw the filenames it is possible to download the files. Put a .htaccess file in the directory and write a download script while using a function like fpassthru.

Jeb_

Originally posted by phprock
How to stop direct access to a file withouth my main index.php file ?

As olaf hinted on, if they know the filenames of your scripts, they can access them directly. However, storing them in another directory (possibly outside the web root) should keep you relatively safe.

Notice I said "should". If you want to be nearly 100% safe, you need to use a constant check in your included script. If this constant is not defined, the script should die. The constant should be defined in index.php, before you include your file.

Like so, maybe:

// index.php
<?php
//define a constant.
include_once("somefile.php");
?>

// somefile.php
<?php
// if constant not defined, die with message.
?>

This is the method I use all the time. As far as I can tell, there's no way to fault it.

drawmack

don't pass sensitive information (i.e. directory names) around in the get unless they are masked with md5.