Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 3 of 3
  1. #1
    Regular Coder
    Join Date
    Nov 2004
    Location
    The Netherlands
    Posts
    551
    Thanks
    0
    Thanked 0 Times in 0 Posts

    securing script to not include from certain subdir's

    I have the following script:

    PHP Code:
    <?php

    $number
    ='13'//for cutenews news number
    if ( isset($_GET['page']) ) {
    $page $_GET['page']; }
    else {
    $page='cutenews/show_news.php';
    };
    if ( 
    stristr($page"://") || stristr($page"../") ) // ../ means "Parent directory", can be used to evade the "pages/" prefix. :// is a combo of http:// and ftp:// you wanted to check.
    {
     echo(
    "Go away *******! This script is secured!");
     return 
    0// terminates output.
    }
    if (
    file_exists($page))
    {
     include(
    $page);
    }
    else
    {
     include(
    '404.html');
    };
    ?>
    I have this on my index.php in the root of my domain.

    The problem is that I have subdomains, so if a user specifies a directory, it includes from that directory. But I have files in subdirs I want to be able to show, so I can't knock it if there's a slash in the page _GET.

    I was thinking of making an array of not allowed subdomains, explode the _GET on /, and use some sort of array function to check if the first part of the explode iis in one of the array item's.

    Can anyone help me with that?
    CATdude about IE6: "All your box-model are belong to us"

  • #2
    Regular Coder
    Join Date
    Feb 2005
    Location
    West Midlands, UK
    Posts
    623
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Something like this?
    PHP Code:
    $restricted = ("foo""bar""baz"); // names of restricted directories

    if($arr explode("/"$_GET['page'])) {
        if(
    in_array($arr[0], $restricted) {
            exit(
    'The chosen directory is restricted.');
        }

    That should check the first element of the exploded $_GET variable against the array. A better way may be to explode the $_GET variable then check each element of it to make sure that none of them appear in the restricted array, for instance:
    PHP Code:
    $restricted = ("foo""bar""baz"); // names of restricted directories

    if($arr explode("/"$_GET['page'])) {
        for(
    $i=0$i<count($arr); $i++) {
            if(
    in_array($arr[$i], $restricted) {
                exit(
    'The chosen directory is restricted.');
            }
        }

    This will foil people who try and trick the script by using various combinations of directory navigation techniques so that the restricted directory isn't the first element in the array.

    The downside is that you have to be very clear in your naming structure, if you have two directories with the same name, one resricted and one not then this will block them both.

  • #3
    Regular Coder
    Join Date
    Nov 2004
    Location
    The Netherlands
    Posts
    551
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I'll go with the first one. I don't have subdomain's in subdomain's, so that isn't a problem :P

    It's awfully wicked
    Last edited by mrruben5; 07-11-2005 at 12:18 AM.
    CATdude about IE6: "All your box-model are belong to us"


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •