How to avoid a File Inclusion vulnerability?


Staff ran a vulnerability scanning tool and a File Inclusion vulnerability was found in the following code:

$url = (isset($_GET['url'])) ? htmlentities(strip_tags($_GET['url'])) : '';
$parametros = explode('/', $url);
$paginas_permitidas = array('pedidos','novo_ticket','tickets_abertos','tickets_fechados','ticket','perfil','detalhes','categorias');

if($url == ''){
    include_once "../../pages/home.php";
}elseif(in_array($parametros[0], $paginas_permitidas)){
    include_once "../../pages/".$parametros[0].'.php';
}elseif($parametros[0] == 'categoria'){
    if(isset($parametros[1]) && !isset($parametros[2])){
        include_once "../../pages/categoria.php";
    }elseif(isset($parametros[2])){
        include_once "../../pages/subcategoria.php";
    }
}else{
    include_once "../../pages/erro404.php";
}


// This code also raises a File Inclusion alert


if(!isset($_GET['pagina']) || $_GET['pagina'] == ''){
    include_once "../../../pages/home.php";
}else{
    $pagina = strip_tags($_GET['pagina']);

    if(file_exists('../../../pages/'.$pagina.'.php')){
        include_once "../../../pages/$pagina".'.php';

    }else{
        echo '<div class="alert alert-danger">
              <strong>Desculpe mas a pagina que você procura, não existe!</strong>
              </div>';
    }
}

A friend suggested using the following code as the basis:

// $file and Functions::__error() come from the friend's code base and are not shown here
$path_parts = pathinfo(dirname(__FILE__) . "/{$file}.php");
$str = "{$path_parts['filename']}.php";
(file_exists($str)) ? require_once($str) : exit(Functions::__error("ERROR OPEN FILE: {$str}"));

However, I got lost while trying to implement it in my system, since I don't know much about programming. Can someone help me or give a hint on how to implement the code above so the vulnerability is eliminated?

  • Have you considered disabling PHP's error reporting? Put error_reporting(0) at the top of the page so that the file path is not found

  • @rray and if the attacker does an advanced scan and sees the vulnerability, you're screwed

  • I recommend you use friendly URLs, it is much safer, see here

  • @Marcosbrinner but I'm using friendly URLs
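For reference, here is one way to rewrite both routers from the question so that request data never ends up inside the include path. This is an added example, not the poster's code: user input only ever selects a key in a fixed map (the same page names the question already allowlists), and the numeric ids for the categoria pages are validated separately. It assumes the page files live under ../../pages/ as in the question.

```php
<?php
// Added example, not the poster's code: a hardened replacement for both
// routers in the question. User input only ever selects a key in a fixed
// map; the include path itself is never built from request data.
// Assumed: the page files live under ../../pages/ as in the question.

const PAGES_DIR = __DIR__ . '/../../pages';

// Allowlist: URL segment => file name. Adding a page means adding a line here.
const PAGE_MAP = [
    'pedidos'          => 'pedidos.php',
    'novo_ticket'      => 'novo_ticket.php',
    'tickets_abertos'  => 'tickets_abertos.php',
    'tickets_fechados' => 'tickets_fechados.php',
    'ticket'           => 'ticket.php',
    'perfil'           => 'perfil.php',
    'detalhes'         => 'detalhes.php',
    'categorias'       => 'categorias.php',
];

/**
 * Resolve a ?url= path such as "pedidos" or "categoria/12/3" to the file
 * to include. Every return value is a constant from this file; the raw
 * segments are compared against the map, never concatenated into a path.
 * The numeric ids for "categoria" are handed back separately for the page.
 */
function resolveUrl(string $url, array &$ids): string
{
    $ids   = [];
    $parts = array_values(array_filter(explode('/', $url), 'strlen'));

    if ($parts === []) {
        return PAGES_DIR . '/home.php';
    }
    if (isset(PAGE_MAP[$parts[0]])) {
        return PAGES_DIR . '/' . PAGE_MAP[$parts[0]];
    }
    // "categoria/<id>" and "categoria/<id>/<sub>": ids must be digits only.
    if ($parts[0] === 'categoria' && isset($parts[1]) && ctype_digit($parts[1])) {
        if (!isset($parts[2])) {
            $ids = [(int) $parts[1]];
            return PAGES_DIR . '/categoria.php';
        }
        if (ctype_digit($parts[2]) && !isset($parts[3])) {
            $ids = [(int) $parts[1], (int) $parts[2]];
            return PAGES_DIR . '/subcategoria.php';
        }
    }
    return PAGES_DIR . '/erro404.php';
}

/**
 * The ?pagina= variant from the second snippet. file_exists() on a path
 * that contains user data does not stop "../" traversal; a map lookup does.
 */
function resolvePagina($pagina): string
{
    if (!is_string($pagina) || $pagina === '') {
        return PAGES_DIR . '/home.php';
    }
    return isset(PAGE_MAP[$pagina])
        ? PAGES_DIR . '/' . PAGE_MAP[$pagina]
        : PAGES_DIR . '/erro404.php';
}

$url = (isset($_GET['url']) && is_string($_GET['url'])) ? $_GET['url'] : '';
$categoriaIds = [];
include_once resolveUrl($url, $categoriaIds);
```

The second router would call include_once resolvePagina($_GET['pagina'] ?? '') in the same way. Note that strip_tags() and htmlentities() in the original only deal with HTML; they leave "../" untouched, which is why the scanner still flags the include.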

1 answer


Understanding what File Inclusion is

Local file inclusion (also known as LFI) is the process of including files that are already present locally on the server by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that should be included and this input is not properly protected, allowing directory traversal characters (as in a Directory Traversal attack) to be injected.

That is, the attacks usually occur through an include() that is not adequately protected.

After all, what are the ways to protect against / avoid File Inclusion?

There are several ways for a hacker to get information, since no system is totally secure; for example, some hackers even use Google Dorking to see which websites are vulnerable to attacks.

Well, there are several ways to avoid File Inclusion attacks.

Some of them are:

  • Never use arbitrary input data in a literal file include request.

  • Use a filter to completely scrub input parameters against possible file inclusions.

  • Create a whitelist.

  • Reject filenames that contain `.`, `..` or `/` (or `\` on Windows).

  • Limit file names to basic alphanumeric characters.

  • Prepend the directory name and append the appropriate extension before including.

Here is an example of a whitelist, to avoid file inclusion and code injection vulnerabilities:

$whitelist = array('home', 'page');

// strict comparison (third argument true) so only an exact string match passes
if (isset($_GET['page']) && in_array($_GET['page'], $whitelist, true)) {
    include($_GET['page'].'.php');
} else {
    include('home.php');
}

Note: be sure to check that the page is in the whitelist.

Using friendly URLs

The user-friendly URL is a web address that is easy to read and includes words that describe the content of the page. This type of URL can be "nice" in two ways.

1) It can help visitors remember the web address.

2) It can help describe the page for the search engines.

Creating a friendly URL

To create one you will need to go to .htaccess and place the following code:

First way to do it

  RewriteEngine on
  RewriteRule ^/news/([0-9]+)\.html /news.php?news_id=$1

And this maps a request for

/news.php?news_id=63

to

/news/63.html

Second way of doing it

Options +FollowSymLinks

RewriteEngine on

RewriteRule suaPaginaPhp/(.*)/ suaPaginaPhp.php?u=$1

RewriteRule suaPaginaPhp/(.*) suaPaginaPhp.php?u=$1

If you want to take a look at other ways to protect yourself against this and other vulnerabilities, see this article.
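As an added example (not the answerer's code), the filtering rules from the answer's list can be put together in one function: the name is limited to alphanumerics (so `.`, `..`, `/` and `\` never pass), the directory and extension are added by the code rather than the request, and a realpath() containment check is kept as defence in depth. The script creates its own temporary pages directory and runs the function over a set of constructed inputs, so it can be executed on its own.

```php
<?php
// Added example, not the answerer's code: the answer's rules ("limit file
// names to alphanumerics", "reject . .. / \", "prepend the directory and
// append the extension") plus a realpath() containment check as defence in
// depth, run over a set of constructed inputs. The pages directory is
// created in a temp folder here so the script runs on its own.

/**
 * Return the absolute path of the page to include, or null if the request
 * name fails any check. The caller decides what to do on null (404, home).
 */
function pageFileFor(string $pagesDir, string $name): ?string
{
    // Rule 1: the name must be plain alphanumerics/underscore. ".", "..",
    // "/", "\", null bytes and percent-encodings of them never pass.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name)) {
        return null;
    }

    // Rule 2: directory and extension are fixed by the code, not the request.
    $candidate = $pagesDir . '/' . $name . '.php';

    // Rule 3: defence in depth. realpath() resolves symlinks and "..", and
    // the result must still be inside the pages directory.
    $base = realpath($pagesDir);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null; // no such page (or no such directory)
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the pages directory
    }
    return $real;
}

// --- demonstration with constructed inputs ---
$pagesDir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($pagesDir);
file_put_contents($pagesDir . '/home.php', "<?php echo 'home';\n");

$inputs = [
    'home',                       // allowed page
    'missing',                    // well-formed name, but no such file
    '../../../../etc/passwd',     // traversal: rejected by the regex
    'home/../home',               // traversal hidden behind a valid name
    "home\0",                     // null byte (old PHP truncated paths here)
    '..\\..\\windows\\win.ini',   // Windows-style separators
    'home.php',                   // extension supplied by the client
    str_repeat('a', 65),          // over the length limit
];
foreach ($inputs as $in) {
    $res = pageFileFor($pagesDir, $in);
    printf("%-34s => %s\n", json_encode($in),
        $res === null ? 'REJECTED' : 'include ' . basename($res));
}

unlink($pagesDir . '/home.php');
rmdir($pagesDir);
```

Only the first input resolves to a file; everything else returns null, and the caller can fall back to home.php or a 404 page exactly as the whitelist snippet above does. The regex alone already rejects every traversal attempt here; the realpath() check guards against a symlink or a future change that relaxes the regex.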
