security problem

Discussion in 'PHP' started by etusha, Jan 17, 2007.

  1. etusha

    etusha New Member

    First, hi all, what's up?!
    Second, sorry for my English; it is not my mother language.
    I'm new to PHP programming and I have a problem with RFI (Remote File Inclusion).
    Example:

    index.php
    Code:
    <?php
    $i = "index2";          // name (without .php) of the file index1.php should include
    include("index1.php");
    $b = "1";
    $p = $b + $d;           // $d is assigned inside index1.php
    echo $p;
    ?>

    index1.php
    Code:
    <?php
    $f = "4";
    include($i . ".php");   // $i is used unchecked: when index1.php is requested directly
                            // with register_globals on, ?i=... from the URL sets it
    $d = $f + $s;           // $s is assigned inside index2.php
    ?>

    index2.php
    Code:
    <?php
    $s = "5";
    ?>
    It can be exploited in this way:
    http://www.site.com/index1.php?i=[phpshell_pth]?
    I want to stop RFI.
    How can I?
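One way to close this hole, shown here as an added example rather than code from the post: index1.php takes the page name explicitly from the request, maps it through a fixed allowlist of local files and refuses anything else, so a URL or a path from the query string never reaches include(). The pages/ directory and the $allowed map are assumptions made for this example.

```php
<?php
// Added example, not code from the original post: hardened index1.php.
// The page name comes explicitly from the query string and is mapped
// through a fixed allowlist, so "http://..." or "../" can never be included.
// Assumptions: includable pages live in ./pages/ and the only valid
// names are the keys of $allowed (both are hypothetical for this example).
declare(strict_types=1);

$allowed = [
    'index2' => 'index2.php',
];

// Returns the absolute path to include, or null if the request is not allowed.
function resolve_page(string $name, array $allowed, string $base): ?string
{
    // 1. Allowlist: unknown names are rejected before any path is built.
    if (!array_key_exists($name, $allowed)) {
        return null;
    }
    // 2. Defence in depth: the resolved file must still sit inside $base,
    //    even if someone later edits the allowlist carelessly.
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $allowed[$name]);
    if ($baseReal === false || $target === false) {
        return null;
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

$f = "4";
// Read the parameter explicitly instead of relying on register_globals;
// a non-string value (e.g. ?i[]=x) is treated as an unknown page.
$name = $_GET['i'] ?? 'index2';
if (!is_string($name)) {
    $name = '';
}
$page = resolve_page($name, $allowed, __DIR__ . '/pages');
if ($page === null) {
    http_response_code(400);
    exit('Unknown page');
}
include $page;      // always a file we chose, never one from the request
$d = $f + $s;       // $s is assigned in pages/index2.php, as in the original
```

Independently of the script, setting allow_url_include=Off (and register_globals=Off where the PHP version still has it) in php.ini removes the remote side of this class of bug for the whole server.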
     
  2. pradeep

    pradeep Team Leader

    You can check the referrer to grant/deny the file inclusion!
     
  3. DaWei

    DaWei New Member

    Note that 'HTTP_REFERER' is set by the user agent, if at all, and can't be trusted. Rely on your server and its permission mechanisms.
     
  4. SabeelWeb

    SabeelWeb New Member

    I think there's a small solution using eregi().
    You can make a small filter for "." & "/".
     
