security problem

etusha's Avatar, Join Date: Jan 2007
Newbie Member
First, hi all, what's up?!
Second, sorry for my English; it is not my mother language.
I'm new to PHP programming and I have a problem with RFI (Remote File Inclusion).
Example:

index.php
Code:
<?php 
$i= "index2"; 
include("index1.php"); 
$b="1"; 
$p= $b + $d; 
echo $p; 
?>

index1.php
Code:
<?php 
$f="4"; 
include($i.".php"); 
$d= $f + $s ; 
?>
index2.php
Code:
<?php 
$s="5"; 
?>
It can be exploited in this way:
http://www.site.com/index1.php?i=[phpshell_pth]?
I want to stop RFI.
How can I?
0
pradeep's Avatar, Join Date: Apr 2005
Team Leader
You can check the referrer to grant/deny the file inclusion!
0
DaWei's Avatar, Join Date: Dec 2006
Team Leader
Note that 'HTTP_REFERER' is set by the user agent, if at all, and can't be trusted. Rely on your server and its permission mechanisms.
0
SabeelWeb's Avatar, Join Date: Jan 2007
Light Poster
I think there's a small solution using eregi().
You can make a small filter for "." & "/".
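
An added example, not from any post in this thread: one way to stop the inclusion shown in the question is to treat the request value as a key into a fixed allowlist instead of building a path from it, so URLs and `../` sequences never reach `include`. The `resolve_page()` helper, the page map, the temporary directory and the sample request values are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based replacement for include($i . ".php") in index1.php.
// resolve_page(), the page map and the demo directory are hypothetical names.

// Map a requested page key to a fixed local file, or return null.
// The request value is only ever used as an array key, never as part of a path.
function resolve_page($key, array $allowed, $baseDir)
{
    if (!is_string($key) || !isset($allowed[$key])) {
        return null;                      // unknown key: URLs and "../" paths end here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    // Defence in depth: the resolved file must exist and live inside $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway directory holding one includable file.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_' . getmypid();
is_dir($baseDir) || mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'index2.php', '<?php $s = "5"; ?>');

$allowed = array('index2' => 'index2.php');   // key => file name chosen by the developer

// In index1.php the value would be read explicitly from $_GET['i']; constructed values stand in here.
$samples = array('index2', 'http://example.invalid/shell.txt?', '../../etc/passwd', 'index2.php');
foreach ($samples as $i) {
    $file = resolve_page($i, $allowed, $baseDir);
    if ($file === null) {
        echo "rejected: $i\n";
        continue;
    }
    $f = "4";
    include $file;                            // sets $s from the allowlisted file
    $d = $f + $s;
    echo "included: $i, d = $d\n";
}

unlink($baseDir . DIRECTORY_SEPARATOR . 'index2.php');
rmdir($baseDir);
```

On the server side, PHP's `allow_url_include` setting (off by default since PHP 5.2) blocks URL includes independently of this check.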