Hello,
I have an old script which I use as a link redirect. For example, you put index.php?http://www.google.com and you get that embedded within an iframe. But I was recently hacked and a shell was uploaded to the server due to this simple PHP file:
<?php
header('Content-type: text/html; charset="utf-8"',true);
$url = $_SERVER['QUERY_STRING'];
$google = eregi('One_Value_Here',$url);
if($google){
    header("HTTP/1.1 404 Not Found");
}
elseif($url !== "") {
    include('/templates/redirectortemplate.tpl');
}
else
{
    header("HTTP/1.1 301 Moved Permanently");
    header("location:http://www.google.com/");
}
?>
Code of redirectortemplate.tpl (include):
<html>
<head>
<title>Redirecting you to - <?php echo $url; ?></title>
</head>
<iframe src="<?php echo $url; ?>"></iframe>
</html>
I think that the problem is in the include: include('/templates/redirectortemplate.tpl'); but how should I do the include in order to make it secure and prevent an RFI exploit?
Thank you
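
The include() in the posted script takes a constant path, so the request cannot change which file is loaded; the request-controlled value is $url, which the template prints unescaped into the page. A hardened single-file version, added here as an example and not the poster's code, with a hypothetical ALLOWED_HOSTS list and the template inlined:

```php
<?php
// Added example, not the original poster's code.
// ALLOWED_HOSTS is a hypothetical allowlist of sites this page may frame.
const ALLOWED_HOSTS = ['www.google.com', 'www.example.com'];

// Return $raw if it is an absolute http(s) URL on an allowed host, else null.
function validate_target(string $raw): ?string
{
    // Reject oversized input, control characters, whitespace, quotes, angle
    // brackets and backslashes before any parsing takes place.
    if (strlen($raw) > 2048 || preg_match('/[\x00-\x20\x7f"\'<>\\\\]/', $raw)) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Only http/https: this excludes javascript:, data:, file:, php:// etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Credentials in the URL (user@host) are never needed here.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true) ? $raw : null;
}

$query = $_SERVER['QUERY_STRING'] ?? '';
if ($query === '') {
    header('Location: http://www.google.com/', true, 301);
    exit;
}
$target = validate_target($query);
if ($target === null) {
    http_response_code(404);
    exit;
}
// Escape for HTML text and attribute context before output.
$safe = htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
header('Content-Type: text/html; charset=utf-8');
?>
<html>
<head><title>Redirecting you to - <?= $safe ?></title></head>
<body><iframe src="<?= $safe ?>"></iframe></body>
</html>
```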