urgent: hacked php files.....>

Spud_Nic

On a server I use webspace on, there are several accounts all seperated by usernames and passwords and have seperate ftp access etc. However, they are all in the same domain i.e they appear to be, from the url, all part of the same directory.

BUT... someone today notified me they had been able to get php source code from my account, by catching the code before the server parses it. Apprently this is possible because it's all in the same domain.

The person who notified me told me the start of the php file he used (sadly would not give me the whole thing).
This is:

 <?php
           // downloading a file
           $filename = $_GET['filename'];
           $filename = "../0201376/server/incs/phplogin7inc.php";
           // fix for IE catching or PHP bug issue
           header("Pragma: public");
           header("Expires: 0"); // set expiration time
           header("Cache-Control: must-revalidate, post-check=0,
           pre-check=0"); 
           // browser must download file from server instead of cache

I dont know if that is any help to anyone, or anyone recognises it, but can anyone recognise a way to protect files, or get around this security flaw?

Thank you

Cloud

You have to be really careful when it comes to stuff like that. I admit I am not an expert to filter out malicious output. But I've had some experience. You want to watch out for periods, slashes (and a combination of the two). Also on my windows system I filtered out ../ and /\ (etc.) So that the user couldn't go up. But I found that they could easily type c:\ and get to the root. I think a simple / also got them to the root also.

I eventually added a base dir var that I appended to the beginning of the path. This made it so people could access files outside of the scripts directory but it kept other directories safe. I still used the filter though to keep out malicious code.

Hope I helped a little. It's a tricky issue.

The_Chancer

If someone is using PHP on their site - and the server is setup in such a fashion so that directory browsing through the filesystem functions is not disabled in the PHP.ini (by disabling certain functions) it will be possible to browse through the complete server (be it unix based OR windows) and pick any file at will, download and view the source.

Shrike

There's a PHP directive in php.ini (open_basedir) which disallows you from opening any file which is above the script in the directory tree. This prevents you from searching the entire server via PHP. I think theres a much better approach using an Apache directive though, can't remember what it is, and of course it only works on Apache 🙂