stop php site cross-linking -- please help

hornemans

Need some help,

I have this code below on my index.php so i can allow my main page to be easily allow all my other pages on the site work inside of the index.php. However, this also seemingly allows hackers to send spam email from my site using site cross-linking. Is there a simple change i can make in the code below or perhpas a suggustion and a toally different code that will have the same effect that would stop the site cross-linking or spam emails?

<?php
if($id == "")

{ include "http://www.dragonballmaster.com/News/update.htm"; }
else
{ include "$id"; }
?>

Thanks for the hlep..

MarkR

Do not include URLs, ever.

Do not include anything that involves user-supplied input. Ever.

You're doing two things above neither of which you should do ever- please find an alternative solution.

In the first case, can you not simply get a copy of update.htm and include it locally using a relative path?

In the second case, it seems more reasonable to have a case / switch statement based on the value of $id which includes the appropriate fixed, relative path.

Otherwise, you're potentially including arbitrary code created by an attacker. Neither of the above includes should ever appear in code intended for production use.

Mark

hornemans

Here is how it is on my site:

My site links:
test 1 index.php?id=test1/index.html
test 2 index.php?id=test2/index.html
test 3 index.php?id=test3/index.html

This links work correctly with my orginal post code.

HOWEVER:

attackers post

index.php?id=http://geocities.com/st0p212/enjoy.txt

With my code posted in my orginal post above what do i need to change to stop these?

Can anyone provide me with some examples of different code or the minor changes I shoudl make to my current code?

THanks

WDPEjoe

As Mark already said, your current system is fundamentally flawed because you're essentially allowing users to input what file they want to see (anyone can change the URL to id=/whatever/file/i/want). This is bad! What if a user puts in id=/passwordfile? There goes your entire server's password file to the hacker.

What you need to do is change it so the SYSTEM decides which file should be included and only allows the include of valid files. Here is one suggestion (there are many different options for accomplishing this):

$valid = ("test1/index.htm", "test2/index.htm", "test3/index.htm", "valid/file/path.htm");
if (!in_array($id)) { $id = "News/update.htm"; }
include($id);

Every time you add a page, simply add the id argument to the $valid array. That way, anyone trying to abuse your server is stuck, they can only make requests that you have specifically allowed them to.

hornemans

okay, is there any way perhaps i can just included ALL pages from ONLY my domeain... and to block any other domains that try to use it? Because i ahve about 100 pages of content and including all the pages in the valid () eats up code?

WDPEjoe

I suppose that you could use regular expressions to check if the string is pointing to another site.

The problem is that you're trying to apply a hack to a fundamentally flawed system. It's hard to secure a system that is insecure at its core. If it were my code, I would be looking at serious restructuring to prevent this type of vulnerability.

abda53

hornemans wrote:
Need some help,

<?php
if($id == "")

{ include "http://www.dragonballmaster.com/News/update.htm"; }
else
{ include "$id"; }
?>

Thanks for the hlep..

if you want to do that you could do it this way..

if($id == "1") {include "test1/index.html";}
else if($id == "2") {include "test2/index.html";}
else if($id == "3") {include "test3/index.html";}
else {include "update.htm";}

WDPEjoe

That is exactly what he didn't want to do (over 100 pages would be an else clause mess). Read through the post before posting an obviously incorrect response, please.

Bobulous

If you really don't want to setup a more secure method, then a regex such as:

^{http://www.mydomain.com/.*.html$}

might be a reasonable solution, in that it only permits the query string to request files from your domain that end in the .html extension. But even this becomes risky when you change the extension in the regex to .php because then you're allowing rogue users to force your script to include any .php file that they want. If that causes your code to break, you could be in for trouble.

bazangare

I'm running into the same situation. One alternative I'm considering is passing only the file name of the page I want to display then concatenate my domain name with the page name e.g.

  If $page is passed the value 'SiteMap.htm'

   if ($page == "")
   {
        include 'http://www.MyDomain.com/MainPage.php';
   }
   else
   {
        $page2 = 'http://www.MyDomain.com/'.$page; 
        include $page2;
   }

If this doesn't offer enough protection add a validation routine to test for pages on my site. If the page doesn't exist don't execute the "include" statement, if it does exist concatenate the page file name to the end of the domain address.

The reason I'm trying to stay with this format is for 3 reasons. 1st it reduces the amount of pages I have to change if decide to redesign the layout of the website. 2nd I like the way the site flows from one page to the next without too many intermediate steps. 3rd I have spent a lot of coding hours and don't want to have to redo it all.

bazangare

Would this be more secure?

if ($page == "")
{
include 'http://www.MyDomain.com/MainPage.php';
}
else
{
switch(true)
{
case substr($page,0,12) === "MainPage.php":
$ValidParm = "Y";
break;
case substr($page,0,11) === "SiteMap.php":
$ValidParm = "Y";
break;
default
$ValidParm = "N";
}

if($ValidParm == "Y")
{
    $page2 = 'http://www.MyDomain.com/'.$page; 
    include $page2;
}
else
{
    include 'http://www.MyDomain.com/MainPage.php';
}

}

I used the 'substr()' clause to test only the file name part of the string just in case parameters are passed.

Please excuse my coding format. I'm use to mainframe code and this makes it easier for me to read.

hornemans

Could some give me more examples perhaps and differnt codes to use?

Weedpacket

You could perhaps take the "filename" given, perhaps check for obvious attacks by seeing if [man]parse_url[/man] thinks it's a URL, or if [man]is_file[/man] doesn't think it's a file). If it looks like a filename, use [man]realpath[/man] on it (probably after putting the site root's directory name on the start) and then seeing if the result is a file in your domain.

But really, what sort of site structure is this?

hornemans wrote:
easily allow all my other pages on the site work inside of the index.php.

Running a file system on top of a web server on top of a file system?

baznagare wrote:
Please excuse my coding format.

which collapses totally without the formatting tags 😃

Crowly

Perhaps you can make use of the BASE tag, then you only need to supply the path after the specified url in the base. This presumes that everything is on the same site/url.

void_function

$mod= $_GET['id'];

switch ($mod) {
	case 'front': $inc='core/front.page.php'; break;
	case 'user': $inc='core/user.page.php'; break;
	case 'forum': $inc='core/forum.page.php'; break;
	case 'page': $inc='core/static.page.php'; break;
        // ...
	default: $inc='core/static.page.php';			
}				

include ($inc);

render_page();

In .htaccess I rewrite the urls so that mysite.com/page would rewrite into ?id=page

Each of the .page.php files have their own definitions of render_page() functions and this is how I include components of the site according to URL.

Things are easier if id is numeric, just cast it to int ($id= (int) $_GET['id']).