ASPit - Totally ASP JSit - Totally JavaScript
Search PHPit

Use this textbox to search for articles on PHPit. Seperate keywords with a space.


PHP & Security: 3 Example Exploits

(Page 2 out of 3)

This is one of the sneakiest exploits around, but it is also very simple (and easy to forget about it as a developer!). The View Source exploit was the one that caused PHPit to be "hacked" recently.

It only works when you use a script to highlight or show the source of other PHP files, using the highlight_file() function or the fopen() function. These functions allow your visitors to view the source of other files, which is the whole point of this script. But you must also implement some security measures to prevent users from viewing files that they shouldn't see (such as database files, password files, etc). The best way of doing this is using a white-list array of filenames, and only allowing these files to be opened. This method is bullet-proof and will never fail.

But perhaps you want to restrict the script to only allow files from a certain directory, e.g. the 'demos' directory. To enforce this restriction, you'd probably use code like this:

if (strpos($file, 'demos') === false) {
        echo 'Security alert. Not a demo!';
} else {
        highlight_file ($file);

This checks whether the filename contains 'demos', and if so, displays the source. Seems fairly fail-proof, but that's where the exploit strikes. An attacker could include '..' in the filename, which means "go a directory up". So C:\program files\demos\..\ means the same as C:\program files\. This basically means that an attacker has unlimited access to everything on the server. Big whoops!

Just test it yourself, with the interactive demo:

Case 1: when trying an invalid filename, error is displayed
Case 2: when trying a demo filename, it shows the correct filename
Case 3: when using the exploit, no error is displayed, and it shows a forbidden filename

How do you protect against this exploit?
The easiest way is to check if the filename contains the two dots and display an error. So the above code becomes:

if (strpos($file, 'demos') === false OR strpos($file, '..') !== false) {
        echo 'Security alert. Not a demo!';
} else {
        highlight_file ($file);

The above way isn't completely secury, and any file that contains 'demos' in the filename can still be viewed. If you really want to secure your view source script, don't allow a full path, and instead only allow a name. For example, instead of using '/home/phpit/public_html/demo/demo.php' simply use 'demo.php', and in your script add the full path. The only thing you have to worry about then is to filter out the two dots, and that's easy.

$file = '/home/phpit/public_html/demo/' . $_GET['filename'];

if (strpos($file, '..') !== false) {
        echo 'Security alert. Not a demo!';
} else {
        highlight_file ($file);

This would probably be enough to protect your view source script, and stop this exploit from working. You can also use dedicated source-viewing scripts, like phpViewSource.

« Previous: Introduction
Next: Security Case #3 - CSRF Attacks »

One Response to “PHP & Security: 3 Example Exploits”

  1. timvw Says:

    I think you’re better off with to find out if the base path is really what you want it to be..

    Anyway, a lot of articles on php and security can be found at :)

Leave a Reply

About the author
Dennis Pallett is the main contributor to PHPit. He owns several websites, including ASPit and Chill2Music. He is currently still studying.
Article Index
  1. Introduction
  2. Security Case #2 - View Source Scripts
  3. Security Case #3 - CSRF Attacks
Bookmark Article
Download Article
Download this article as a PDF file