

php server side include exploit --please read--




Posted by jessex, 11-03-2011, 02:13 PM
When I started building websites 3 years ago I was using PHP 4 with allow_url_fopen on by default on my Windows Server 2003. With that said, I have designed and programmed over 100 PHP websites, all of them using this PHP include here: for all my headers and bottom navigation menus. Since then this PHP include security risk came about, and now they changed that rule "allow_url_fopen" to be off by default to close this risk, which would render my original PHP include line of code useless and only pull an error. However, I have researched and found the following code would work fine Would this fix the exploit? Also, my issue is, I do not want to go over every website created and make the include code change in over 1000 locations, so I'm wondering if there are any other fixes? Maybe by adding a rule in the .htaccess? Maybe something like this: RewriteRule index\.php?(?!id|altid|DataSet1_currentPage).+ /404.php [I,RP,L]

Posted by File1eu, 11-04-2011, 11:11 AM
This is not an exploit. Remote code execution is only dangerous if you don't trust the other domain. Since you manage the remote domain this should be fine as far as I can understand your question.

Posted by quantumphysics, 11-04-2011, 11:12 AM
they're both absolutely terrible ideas.. just take a few hours and rewrite everything one day. why are you even doing remote eval()?

Posted by topgun, 11-04-2011, 06:34 PM
It's posts like this which give PHP a bad rep. Aside from all the potential security problems with evaluating remote code, you are also creating additional http requests with each include which will ramp up your server load.

Posted by webstartavenue, 11-05-2011, 09:59 PM
Instead of trying to find and change all the include() lines of code, you could just change the default setting in the php.ini file (on a Windows server this is typically located in C:\Windows\). To change this setting just add the following line: Then restart your web server.

Posted by bear, 11-05-2011, 10:22 PM
The issue from post #1 is that it's a security risk to have that set. Why would he want to set it to true again?

Posted by webstartavenue, 11-05-2011, 10:42 PM
Good point. The exploit here is that if jessex were to allow user input ($_GET/$_POST/etc) into an include/require parameter then potentially arbitrary code could be executed by a malicious user. Whether or not this is a security risk for jessex's certain situation depends. Generally I would not recommend setting allow_url_fopen or allow_url_include to true, but if you are operating under the knowledge that they are set to true you can write perfectly secure applications. If jessex cannot change the PHP ini settings then the safest option is to copy the needed libraries (or files) to the necessary servers. If that is absolutely too much work, then using file_get_contents is a workaround, especially if these files output only HTML.

Posted by quantumphysics, 11-05-2011, 11:56 PM
I think the larger issue is the massive amount of hole-ridden worst-practices legacy code that eventually needs to be updated...

Posted by jessex, 11-07-2011, 12:33 PM
Going a different direction..... yes my coding is legacy and I'm proud of it. My pages get indexed onto the 1st page of Google for the keywords they represent so I'm sticking to what works. lol Thanks for the responses thus far. webstartavenue, is there a security risk if I leave my "allow_url_fopen true" set? If I add a rule to the .htaccess file like the example following, will this help me patch the hole? RewriteRule index\.php?(?!id|altid|DataSet1_currentPage).+ /404.php [I,RP,L] I have other rewrite rules in place but I am unsure if you can even fix this issue in the .htaccess file, but then again I am only a legacy programmer so I don't know shat... lol your advice is appreciated. Thanks

Posted by VectorVPS, 11-08-2011, 04:24 PM
Coding doesn't matter one bit for SEO. Web browsers and search engine spiders don't ever see the code, they see the results of it (the generated HTML). Your best bet is to copy this include file to each site so they can access it properly (locally). Half-assing it and not spending the time to properly fix this issue will only get you burned.

Posted by TwineDev, 11-09-2011, 06:02 AM
I have a great car, it is decked out, tweaked out, fast as all get out. I never lock it, and I keep the keys under the front seat. But since I win awards at competitions with it, I shouldn't have to worry about it getting stolen, right? Who needs to worry about security when, when I use it as I intend, it performs well? Once you find a security issue (either a current one, or bad practice that could lead to one) there is no excuse for not getting things corrected, you are just asking for trouble. If your server ever gets compromised, and someone figures out that one site has an "opening", it will not take long for them to start testing all other sites they find on the same server (Faced this where I used to work with an older server with sites from before I was there. What a mess!)

You say you have over 100 sites, this is where a program that will search/replace over an entire directory will help. (ex. Notepad++) Assuming that all your includes are pointing back to their own domain, and are in the format you gave above, in Notepad++, when you do a find (CTRL-F), you can change it to FIND IN FILES, hit the checkbox to use regular expressions, and then use:

FIND: include \("http://[^/]+
REPLACE: include ($_SERVER['DOCUMENT_ROOT']."

This will change: To:
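Added example, not part of TwineDev's post or the original thread: a dry-run version of the FIND/REPLACE above that also flags includes fed by request data (the case webstartavenue describes) for manual review instead of rewriting them. It goes beyond the posted pattern by also covering `require`, the `_once` forms, `https` and single quotes; the sample page, host name and paths are constructed placeholders, and the rewrite is only valid when the include points back at the site's own domain.

```python
import re

# Same idea as the Notepad++ FIND above; extended (assumption) to
# include/require, the *_once forms, https and single quotes.
REMOTE = re.compile(
    r"""\b(include|require)(_once)?\s*\(\s*(["'])https?://[^/"']+""", re.I)
# include/require whose argument mentions request data in the same statement.
TAINTED = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*\$_(?:GET|POST|REQUEST|COOKIE)", re.I)

def rewrite_line(line):
    """Apply the thread's REPLACE: swap scheme+host for DOCUMENT_ROOT."""
    return REMOTE.sub(
        lambda m: f"{m.group(1)}{m.group(2) or ''} ($_SERVER['DOCUMENT_ROOT'].{m.group(3)}",
        line)

def audit(source):
    """Return (findings, rewritten_source) without touching any file."""
    findings, out = [], []
    for no, line in enumerate(source.splitlines(), 1):
        if TAINTED.search(line):
            findings.append((no, "user-input include: review by hand"))
            out.append(line)  # never auto-rewrite these
        elif REMOTE.search(line):
            findings.append((no, "remote include: rewritten to local path"))
            out.append(rewrite_line(line))
        else:
            out.append(line)
    return findings, "\n".join(out)

# Constructed sample page; host and paths are placeholders.
SAMPLE = '''<?php include ("http://www.example.com/inc/header.php"); ?>
<p>body</p>
<?php include($_GET['page'] . ".php"); ?>
<?php require_once 'lib/local.php'; ?>'''

if __name__ == "__main__":
    findings, fixed = audit(SAMPLE)
    for no, msg in findings:
        print(f"line {no}: {msg}")
    print(fixed)
```

Because `audit()` only returns the proposed text, it can be run over a copy of one file and diffed before anything is written back.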

Posted by jessex, 11-14-2011, 05:08 PM
Thanks for the great analogy TwineDev. Makes sense. I have just one question though: so no matter what, I should set the server "allow_url_fopen to false" and make all the include changes to my 100 other websites in 1000s of locations?

Posted by foobic, 11-14-2011, 09:38 PM
Yes, that's exactly what you should do. Using any decent IDE or editor (eg. Notepad++, as TwineDev suggested), it's not even that difficult.

Posted by TwineDev, 11-15-2011, 08:34 AM
With any replace in files, make sure you have a backup of them all before you try anything, and have it just do one test file first before letting it loose ;-) -Greg

Posted by jessex, 11-15-2011, 05:43 PM
Thank you and we are getting somewhere but I have a few more ?s. I use a Mac so is this a good alternative to Notepad++? http://decoding.wordpress.com/2010/0...-for-mac-os-x/ After I flip the switch allow_url_fopen to false, the code below works fine for my uses but for some reason I feel as if I should avoid using static remote file inclusions based on what I think you guys have been saying, is this true? Thanks for your help

Posted by whmcsguru, 11-16-2011, 07:21 AM
This Then again, I've said the same thing about globals for far, far too many years now. No php setting is 'insecure'. It's all about proper usage, proper coding, proper sanitation. Unfortunately, because of poor coders (not the OP, mind you), these things have been disabled and written out of php. Wow, I guess I shouldn't be surprised.

Posted by TwineDev, 11-16-2011, 10:43 AM
I'm not sure on that. I do know where I used to work the Mac developers there loved Coda (not free though). One thing to note though, the SEARCH/REPLACE above was for the regular expression type that Notepad++ used, so definitely test it on a single file first. Looks like they used the same engine (the one you linked to), but better safe than sorry -Greg

Posted by jessex, 11-18-2011, 12:37 PM
Greg, thanks for the heads up! Do you foresee any issues with me using this include

Posted by quantumphysics, 11-18-2011, 12:46 PM
yes, that's a terrible idea and i'm not sure why you would use that. when possible include locally, or use curl + throw exception and provide alternative content if down + use a timeout.

Posted by jessex, 11-18-2011, 01:12 PM
My issue is I have 6 different parent companies that have 100+ sub websites and pull their data via the parent websites. I'm a lil unsure how to do this locally. What's a safe way to do this across directories? Here is my setup: parent 1 website has about 40 sites with the same content being included from the main parent directory via includes. Parent 2 website has about 30 sites with the same content being included from the main parent directory via includes. So on and so forth. Forgive me for my ignorance but I wanna get this right, and thanks for the help.

Posted by quantumphysics, 11-18-2011, 01:25 PM
this depends on a lot, like shared database read access, if the data changes often or not, are they on the same server, etc

Posted by jessex, 11-18-2011, 01:31 PM
I'm on a dedicated 2003 Windows server and the data does not change a lot. Yes, all the websites are on the same server in the E:\vhosts. When the data does change it goes across all its corresponding sister websites. Does this help?

Posted by jessex, 11-28-2011, 12:15 PM
Did my last post help?

Posted by Matt R, 11-29-2011, 03:26 AM
I'm surprised I haven't seen this in here yet... why not just fire up cURL and use that? It takes all of 10 seconds to copy/paste a basic curl script to grab the contents of a remote site. I'll even do it for you! Now, drop that function somewhere and whenever you want the contents of a web page by remote, you just go...

Posted by jessex, 11-29-2011, 11:53 AM
Sounds like a fix to me. Thanks! I have a couple questions. So I include the big block of code you described above any place in the body tag? Also, how do you include the echo in the PHP script? Do I just open another PHP tag in the header location, the footer location and possibly the right links locations? Is this how to use the code?

Posted by Matt R, 11-29-2011, 11:57 AM
It seems like you understand how it works. Play with it a bit! If I give it all away entirely, you won't remember what you've learned next time! I will say this: You just need to add that function into your file once. You can put it into a file named "functions.php" and use include() to include that file. From there, you just wherever you want to load a file from remote

Posted by jessex, 11-29-2011, 12:30 PM
Ok thanks a lot! let me give it a test

Posted by jessex, 11-29-2011, 12:54 PM
Ok, I tested it and I know I'm making a dumb mistake but I'm unsure what. The function is in the same directory named "functions.php" like you recommended. On the webpage I used this and I pulled this error: Fatal error: Call to undefined function getRemoteContent() in E:\vhosts\website.com\httpdocs\example.php on line 65. What do you suggest?

Posted by Matt R, 11-29-2011, 01:07 PM
Make sure you run before you run the function for the first time You need to tell PHP that you want to load functions from that file. It's not going to just know where it is

Posted by jessex, 11-29-2011, 01:39 PM
I added your MSN, can you go there?


