Is using an absolute path in a require() function enough to prevent attacks?

1

Is the use of the dirname(__FILE__) function or the __DIR__ magic constant appropriately safe to disable a local file inclusion or a remote file inclusion in a require() that receives parameters by GET?

Is there a solution to this problem?

    
asked by anonymous 18.10.2016 / 13:23

1 answer

1
  

Placing the absolute path to directories avoids accessing other folders?

No. If the attacker puts ../, knowing the file path, they can access an unwanted directory anyway.

That is, for the following structure below:

app/
    database.php
web/
    index.php
    pages/
       home.php
       contact.php

If web/index.php is the "root" of your application, but the malicious user puts ?page=../app/database.php, it would theoretically be doing what PHP's include does normally.

To help you understand: all of the following result in the same operation:

include 'app/database.php';

include __DIR__ . '/app/database.php';

# assuming we are in the 'web' folder

include __DIR__ . '/../app/database.php';

Note that providing an absolute name for the root directory of a given directory or file does not prevent other (outside) files from being accessed.

In this case, I think it is very appropriate to create functions with specific handling for loading pages through GET.

Example:

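// WEB_DIRECTORY is assumed to be a constant holding the absolute path of the web/ folder.
function page_include($page)
{
    // Reject any value containing "..", so the path cannot climb out of pages/.
    if (strpos($page, '..') !== false) {
       throw new Exception("Caractere inválido detectado");
    }

    include WEB_DIRECTORY . '/pages/' . $page;
}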

Maybe this is basic. You could include other checks, avoiding attacks.

  

Remote file inclusion

allow_url_include is a setting that allows include to be used with URLs (which I do not think is good). I recommend that you disable the allow_url_include setting, because enabling it is handing your application on a silver platter to malicious people.

  

PHP injection

It's another common problem involving files or folders in PHP. Read about it here: What is PHP Injection? What's the difference between it and SQL Injection? And how to avoid it?

    
18.10.2016 / 13:24
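
Added example, not part of the original answer: one way to extend the `..` check shown above is to accept only simple page names and then confirm with realpath() that the resolved file still sits inside the pages directory. PAGES_DIR and resolve_page() are hypothetical names, and the code assumes ?page= carries a page name without the .php extension (for example ?page=contact).

```php
<?php
declare(strict_types=1);

// Layout from the answer: web/index.php with the pages in web/pages/.
// PAGES_DIR and resolve_page() are names invented for this example.
define('PAGES_DIR', __DIR__ . '/pages');

/**
 * Map an untrusted ?page= value to a file inside $baseDir, or return null.
 */
function resolve_page(string $page, string $baseDir): ?string
{
    // 1. Accept only a simple name: no slashes, dots, NUL bytes or URL schemes.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/i', $page) !== 1) {
        return null;
    }

    // 2. Canonicalise both paths. realpath() resolves symlinks and ".." and
    //    returns false when the target does not exist.
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $file === false) {
        return null;
    }

    // 3. Containment check: the resolved file must still live under the base.
    //    The trailing separator stops "/pages_old/x.php" from matching "/pages".
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $file;
}

// ?page[]=x arrives as an array, so check the type before resolving.
$requested = $_GET['page'] ?? 'home';
$file = is_string($requested) ? resolve_page($requested, PAGES_DIR) : null;

if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}

require $file;
```

The realpath() step also covers a symlink placed inside pages/ that points elsewhere, which a string check on `..` alone would not catch.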