[RESOLVED] Help with referrer/hacking prevention

schick79

Hello all. I have a web site that I used to maintain myself and then the company I worked for paid someone to redesign it. They did so partially using php, which unfortunately I don't write in. I'm great with HTML and Perl, but no php. Alas, the new web team's office was destroyed in Hurricane Ivan and I have no contact with them as they all left the area.

Anyway, they use some code to embed another page within a main index.php page. Here is a url as an example:

http://www.mysite.com/index.php?page=http://www.mysite.com/newpage.html

This inserts newpage.html inside a predetermined place in index.php

The problem is they didn't write any code into the index.php that prevents someone from including their own file on a server other than mine. I know how to write this in Perl. I just don't know how in php. Here's the code currently being used to accomplish this in index.php:

<? include($page) ?>

If someone could possibly be so kind as to provide some code that would verify the page in the URL is coming from mysite.com, or from a particular IP address.

Much appreciation and thanks in advance!

Regards,

Steve

schick79

After further thought, I don't think I phrased my question properly. It's not so much a referrer issue as it is making sure the URL in the $page variable is the same as the site. In simple logic commands, this is what I'm looking for:

If $page starts with http://www.mysite.com
or
$page starts with https://www.mysite.com
or
$page starts with http://192.168.0.1
or
$page starts with https://192.168.0.1
then proceed
else redirect to home page

Again, no idea how to do this in php. Could hook this up in Perl in 2 minutes but... Any help is appreciated, thanks!

bradgrafelman

$site = 'localhost.com';
$ip = gethostbyname($site); // if you don't want to waste a DNS query, replace this with the actual IP

$pattern = '@^(http[s]{0,1}://){0,1}((.\.)*' . str_replace('.', '\\.', $site) . ')|(' . str_replace('.', '\\.', $ip) . ')@Ui';

if(!preg_match($pattern, $page)) {
     // didnt match, need to redirect
} else {
     // did match, proceed
}

laserlight

Check with [man]substr/man, though that may still be risky.

The best would be to check the entire URL against a list of known, valid URLs.

MarkR

Do not use include() on remote files. It does not do what you think.

If you want to output the contents of a remote file directly to the browser, try readfile(). Even that has important security implications.

But using include() on a remote file allows the owner of the remote server to execute arbitrary PHP code on yours.

This is a hideous security risk, as should be obvious.

Mark

laserlight

Actually, considering that schick79's files are actually local files, there is no need to have them as absolute URLs to begin with. One still has to check against a known list of filenames, and there is no security risk as long as that is done.

schick79

Thank you bradgrafelman! I will try this shortly.

MarkR - I definitely understand the security risks with this method. Unfortunately I'm stuck with it until the site gets completely re-done again. The people that did this created the entire site this way. Every single file gets called through that type of interface. And since I didn't/don't code in php I had no idea the risks until we started getting hacked - and badly. I will also try changing the inlcude to readfile.

laserlight - Yes, it is only being used (supposed to be, anyway) to call files on the same webserver. I thought just as you did that the http:// would not be necessary. However, it doesn't work unless it contains the full http:// header. Just using /newpage.html doesn't work.

Thanks again, all!

schick79

All of that definitely took care of it. The readfile works just fine, and the code works in preventing non-local files from being called. Again, thank you all so much for your help!

bradgrafelman

Hold on a sec! If you're only including files on the local webserver, then do NOT use http:// .. you're just wasting resources like crazy.

Just use the absolute (or relative path) and include the files from the local filesystem.