Extra Security Method [ALL]

[Guest Drizzle]

]Ok, so i've seen a method around that checks pages for $globals, which is supposed to not let the file run if it isnt defined. However, its just a waste of space, because anyone can just put $globals=1; and bam. So here's what i came up with:

$pages = array('/headers.php','/index.php'); // Put all your page names in here that you want ran.

//Make sure page is defined. If it isnt, give the error.
if(isset($page)){
 //The below code checks if $page is equal to that pages script. Usually, people would think just putting the pages in an array would do it, however,
//That would fail because anyone who uploads a file could easily put 1 of the filenames and it will run. Now, $page must equal both the script name and be in the array :)
 if($page != $_SERVER['PHP_SELF']){
  echo '<div class="error">This page is not authorized for use.</div>';
   exit;
 }
//The below checks if the page name is in the $pages array defined earlier. 
 if(!in_array($page, $pages)){
   echo '<div class="error">This page is not authorized for use.</div>';
   exit;
 } //The below code means if $page isnt even mentioned, to give an error.
} else {
 echo '<div class="error">This page is not authorized for use.</div>';
   exit;
}

 

I don't know how much you guys will get use of it, but its better than the usual $globals i see floating around. :P

Oh and another note, make sure you dont add the $page=w/e inside globals or any of the major files, as it will error.

[Guest Dylan1994]

I heard that ['PHP_SELF'] Was un-secure

[Guest Drizzle]

I dont really see how it is. I dont know where you heard that. But in this there is really nothing to exploit.

[Zeggy]

What kind of exploit does this protect from?

[Guest Drizzle]

Well, say someone uploads a file to your server somehow with just including globals. This code will render it useless, giving anyone who tries to view the uploaded page an error. It checks for $page defined on pages. If $page is defined, it then checks if $page is the same as the page's page_name_here.php. After that, it checks if the url is in the array of allowed urls ($pages). Then if all checks are passed the page is fed to the user.

[Zeggy]

Well, if somebody managed to upload a file that can be run as a php file, then there really isn't anything you can do to stop it from doing whatever it wants, as any security features you add can be defeated quite easily when you can upload scripts run on the server side. By this point you've already lost. You need to prevent them from ever getting to this stage.

[Guest Drizzle]

I do agree that they shouldnt be able to upload, but this is just an upgraded version of the old non-working one.

[rulerofzu]

PHP_SELF can be exploited as you can append to the url

youra.php

youra.php/noob

and anything appended will be treated as valid code so can lead to all kind of trouble.

[Djkanna]

PHP_SELF can be exploited as you can append to the url

youra.php

youra.php/noob

and anything appended will be treated as valid code so can lead to all kind of trouble.

Love the example ;)

[Spudinski]

Bah... a simple command prevents all uploads.

chmod 0755 *
chmod 0755 */*
chmod 0755 */*/*
---
aka. only the user should be able to read, write and execute
In addition, permit no execution within the uploads dir.

 

Not really efficient, as some requires more permissions; but this is the most solid permission set that is widely used.

In addition, you can run Apache in a chrooted state and chown the files to Apache.

[Zero-Affect]

BTW $page isn't defined...

$_SERVER['PHP_SELF'] alternative/vulnerability

This reminds me a little of something i did ages ago...

[mccodes]Secure demo account