LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1 - Snark1994 (Senior Member, Debian) - 12-13-2011, 10:59 AM
PHP: www.domain.com/index.php?page=xxxxx security


I was wondering how safe URLs of the form "www.domain.com/index.php?page=xxxxx" are. I don't want something which could be exploited by giving values such as 'index.php' or '../../etc/passwd' or whatever. Is what I have below secure?

PHP Code:
<?php
// Whitelist: the request value is only ever used as a key into this map,
// never as part of the included path.
$pages = array(
    'main'    => 'main.php',
    'aboutus' => 'aboutus.php',
    'foo'     => 'bah.php'
);
if(!isset($_GET['page']) || empty($_GET['page'])){
    $page = 'main';
} else {
    $page = filter_var($_GET['page'], FILTER_SANITIZE_URL);
    if(!array_key_exists($page, $pages)){
        $page = 'main';
    }
}
include('pages/' . $pages[$page]);
?>
I can't think of any way to exploit that, even if the attacker were aware of the source code, but wanted to check...

Thanks!

#2 - Noway2 (Senior Member, Gentoo) - 12-13-2011, 02:50 PM
Having spent the last several minutes reading the code, it looks OK to me. Let's break it down:
1) you define a $pages array with the keys: main, aboutus, foo.
2) If the superglobal page does not exist or is null, you set it to main.
3) if it does exist and is not null, you "filter" it, which removes all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
4) you then match the remaining data against the set of keys. This step is the critical part and you are actually white listing by verifying supplied data against a set of known test cases, which is the correct action. You do not "process" on any supplied data.
5) once you have conclusively set $page, either by matching an array key or by falling back to the default, you include the appropriate page.

As I said, I think this code will work as intended. I am wondering, though, why go through these convoluted steps instead of just using a case statement that matches main, aboutus or foo, or sets the default (main), and includes the appropriate line?

#3 - Snark1994 (Original Poster) - 12-13-2011, 03:23 PM
Thanks!

Um... That would work too, and is probably far more readable.

#4 - Noway2 - 12-14-2011, 08:45 AM
I was thinking of this thread this morning and I had an epiphany about an advantage to your approach. Your approach will let you pass an array of sites and keys to a function and, using this array, filter the results and return the correct page. If you have a lot of pages, code reuse of a tested algorithm would be better than recreating a hard-coded case statement many times. I am not sure if you can pass parameters into a case block or not, and I am not envisioning it working....
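The two approaches discussed in posts #2 and #4, put side by side as an added example that is not code from the thread: the whitelist lookup from the original post moved into one reusable function that takes the page map as a parameter (Noway2's point in #4), and the switch-statement version he proposed in #2 next to it. Both are run against the inputs Snark1994 was worried about. The function names, the probe values and the `pages/` layout are assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread. Function names and the probe
// inputs below are made up for this illustration.

/**
 * Resolve an untrusted ?page= value to a file path chosen in advance.
 *
 * The request value is used only as a key into $pages and never becomes
 * part of the path, so 'index.php' or '../../etc/passwd' cannot reach
 * include(). Anything that is not exactly a known key falls back to $default.
 *
 * @param array  $pages     map of allowed keys to file names under pages/
 * @param mixed  $requested raw $_GET['page'] (string, array or null)
 * @param string $default   key used when the request is missing or unknown
 */
function resolve_page(array $pages, $requested, $default = 'main')
{
    // ?page[]=x makes PHP deliver an array, not a string; treat it as unknown.
    // The is_string() check also keeps array_key_exists() from seeing odd types.
    if (!is_string($requested) || $requested === '') {
        $key = $default;
    } elseif (array_key_exists($requested, $pages)) {
        $key = $requested;
    } else {
        $key = $default;
    }
    return 'pages/' . $pages[$key];
}

/**
 * The same decision as a switch statement (the alternative from post #2).
 * The case labels are the whitelist, so the list is fixed in code rather
 * than passed in. switch compares with ==, which is harmless for the
 * non-numeric string keys used here.
 */
function resolve_page_switch($requested)
{
    switch ($requested) {
        case 'aboutus':
            return 'pages/aboutus.php';
        case 'foo':
            return 'pages/bah.php';
        case 'main':
        default:
            return 'pages/main.php';
    }
}

// The page map from the original post.
$pages = array(
    'main'    => 'main.php',
    'aboutus' => 'aboutus.php',
    'foo'     => 'bah.php',
);

// Constructed probe inputs: the ones from the question, plus a NUL byte,
// a case variant, a trailing slash and the bracketed form that arrives
// as an array. Every unknown value must resolve to pages/main.php.
function demo(array $pages)
{
    $probes = array(
        null, '', 'aboutus', 'foo', 'index.php', '../../etc/passwd',
        "foo\0", 'Foo', 'foo/', array('aboutus'),
    );
    foreach ($probes as $probe) {
        printf("%-24s array: %-18s switch: %s\n",
            json_encode($probe),
            resolve_page($pages, $probe),
            resolve_page_switch($probe));
    }
}

if (PHP_SAPI === 'cli') {
    demo($pages);
} else {
    // In a real index.php this is the only line that touches the request.
    include resolve_page($pages, isset($_GET['page']) ? $_GET['page'] : null);
}
```

Run it from the command line (`php example.php`) to see every probe resolve to one of the three known files. The filter_var() step from the original is left out here on purpose: the exact array_key_exists() match is the control that decides what gets included, and stripping characters beforehand does not add to it. The array version is the one to keep once there are more than a few pages, since the same tested function can be handed a different map per site or section, which a switch block cannot do.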