Go4Expert


etusha 17Jan2007 16:22

security problem
 
First, hi all, what's up?!
Second, sorry for my English; it is not my mother language.
I'm new to PHP programming and I have a problem with RFI (Remote File Inclusion).
Example:

index.php
Code:

<?php
$i= "index2";
include("index1.php");
$b="1";
$p= $b + $d;
echo $p;
?>


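index1.php
Code:

<?php
$f="4";
// Vulnerable: $i is never set in this file. When index1.php is requested
// directly and register_globals is on, $i comes from the query string.
include($i.".php");
$d= $f + $s ;
?>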

index2.php
Code:

<?php
$s="5";
?>

It can be exploited in this way:
http://www.site.com/index1.php?i=[phpshell_pth]?
I want to stop RFI.
How can I?

pradeep 18Jan2007 10:50

Re: security problem
 
You can check the referrer to grant/deny the file inclusion!

DaWei 22Jan2007 19:34

Re: security problem
 
Note that 'HTTP_REFERER' is set by the user agent, if at all, and can't be trusted. Rely on your server and its permission mechanisms.

SabeelWeb 30Jan2007 06:50

Re: security problem
 
I think there's a small solution using eregi().
You can make a small filter for "." & "/".
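
An added example, not part of any post in this thread: one way to close the hole in index1.php is to check the page name against a fixed allowlist and include only a local file built from the matching entry, instead of filtering characters. The names resolve_page and ALLOWED_PAGES and the page list are assumptions for illustration, and the sample inputs at the bottom are constructed.

```php
<?php
// Added example (not from the thread). resolve_page() and ALLOWED_PAGES
// are hypothetical names; the page list is an assumption.

const ALLOWED_PAGES = ['index2'];   // the only pages that may be included

/**
 * Map an untrusted page name onto a local file path, or return null.
 */
function resolve_page($name, string $baseDir): ?string
{
    // Arrays (?i[]=x) and other non-strings are rejected outright.
    if (!is_string($name)) {
        return null;
    }
    // Strict comparison against the allowlist: a URL, "../" or a NUL byte
    // can never match, so no character filter is needed.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    $path = realpath($baseDir . '/' . $name . '.php');
    // realpath() returns false if the file is missing; also confirm the
    // resolved file sits directly inside $baseDir (guards against symlinks).
    if ($path === false || dirname($path) !== realpath($baseDir)) {
        return null;
    }
    return $path;
}

// In index1.php the include would become the following; $i is treated as
// untrusted no matter where it was set:
//   $file = resolve_page($i ?? null, __DIR__);
//   if ($file === null) { http_response_code(400); exit; }
//   include $file;

// Constructed inputs: only the first can resolve (when index2.php exists).
$samples = ['index2', 'http://example.com/x.txt?', '../../etc/passwd',
            "index2\0", ['index2'], 'INDEX2'];
foreach ($samples as $s) {
    $r = resolve_page($s, __DIR__);
    printf("%-32s => %s\n", json_encode($s), $r === null ? 'rejected' : $r);
}
```

At the server level, keeping allow_url_include and register_globals off in php.ini removes the remote case; the allowlist also blocks inclusion of unintended local files.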


All times are GMT +5.5.