include file security!?

deep

Hello,

My server has been hacked using the ?page= variable that includes my pages, example:

http://mysite.com/main.php?page=news

I just used a simple include_once("news.php")....

How do i prevent this??

thanks

Shrike

Check that the file exists on your server before including it.

deep

I used this... but its still letting hackers in!!! (im testing with the url the hacker used and its letting me in)

if(file_exists($file))
include($file);

How do i check it on my server only??

Shrike

Are you using PHP 5? file_exists() can only use URL wrappers as of version 5.

if( file_exists( $_SERVER['DOCUMENT_ROOT'] . '/' . $file ))
...

deep

no im using php 4

Weedpacket

Better yet, keep a list of files that people are allowed to access, and only satisfy requests for those files.

deep

these people are using some nasty hack... im going by the instructions on this page now:

http://se2.php.net/manual/sv/function.include.php

<?php

/ verify the validity of GET var page
if not set, do a default case /
if(isset($HTTP_GET_VARS['page']))
{
$p = $HTTP_GET_VARS['page'];
}
else
{
$p = 'index';
}

switch($p)
{
case 'index':
require('welcome.php');
break;

case 'news':
require('news.php');
break;

case 'what you want':
require('the file you want');
break;

default:
exit('Wrong parameter for file inclusion');
}

but when i run the url they use to access my website using phpshell script they still get in!!!!!!!!

justsomeone

From the code you've posted, I can't see how they could be including any script other than the ones you've allowed for in your case statments.

Are you sure that this is the page they are starting from?

Is there any other code on this page which could be introducing the vulnerability? Any other files included? If they've already been in, they may have planted code which you're not even aware of and be running that!

printf debug messages to a file to see how they are sneaking through your code.

deep

ah... so many files to keep track on... i fixed it. thx!

LoganK

Please mark this as resolved!