PHP file access and security

Forum Moderators: coopster

Message Too Old, No Replies

PHP file access and security

j4mes

3:07 pm on Jun 21, 2005 (gmt 0)

Here's some code I wrote to show a page's source:

$page = $_GET['page'];
if ($page!= "") {
$fetch = fopen($page,"r");
if (!$fetch) {
$page = "http://$page";
$fetch = fopen($page,"r");
}
if (!$fetch) {
echo $url_error;
break;
}
$source = fread($fetch, 262144);
fclose($fetch);
$source = htmlspecialchars($source);
echo $source;
}
else {
echo $no_url_error;
}

Nice, huh? So i can get the source code for, for example, Google's home page with:

source.php?page=www.google.com

etc.

Spotted the problem yet? How about:

source.php?page=/etc/passwd

Yup, works great too :-( Eek!

So basically, my question is: how do I stop this? Just for this particular file you understand, not for other PHP files on my server (as many Apache tweaks have it) so that it will work great for everything except my server?

(Apache 1.3.33/PHP 4.3.11/Slackware)

TIA, J.

Sathallrin

3:34 pm on Jun 21, 2005 (gmt 0)

In your script you should add a check to not do anything if $page equals certain files which you do not wish to have displayed. In these cases you could have it echo someting like "Permission Denied".

j4mes

4:00 pm on Jun 21, 2005 (gmt 0)

Hi Sathallrin,

Thanks for your feedback.

I did have a go at this, however I quickly realised that I'm never going to get anywhere near all the files, plus new ones will be being added all the time!

Damn this is tricky :-(

jatar_k

4:15 pm on Jun 21, 2005 (gmt 0)

don't worry about blocking what you don't want

how about only allowing what you do want

you want a url, so try a pattern or method that will only accept a url

j4mes

5:33 pm on Jun 21, 2005 (gmt 0)

Hi jatar_k,

Aha! Sorted, cheers :-)