PHP - cms security

Question

Would this be safe??

I would just like to hear if this "Cms" would be safe. So people cant do example.com/../../../systemfile.conf

My index.php

<?php

$url= rtrim($_GET['page'], '/');

echo $url;

include_once "sites/$url";

?>

My .htaccess

RewriteEngine On
options +FollowSymlinks
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.* - [L]
RewriteRule ^(.+)/? index.php?page=$1 [L,QSA]

No, this is not secure: `index.php?page=../../../systemfile.conf` — Gumbo, Mar 19 '14 at 16:35
[Preventing Directory Traversal in PHP but allowing paths](http://stackoverflow.com/q/4205141/53114) might answer your question. — Gumbo, Mar 19 '14 at 20:33

score 0 · Answer 1 · answered Mar 19 '14 at 16:40

0

include_once "sites/$url";

Should be changed to...

$inc='sites/' . realpath($url);
if (!is_readable($inc)) {
      header("HTTP/1.0 404 Not Found");
      exit;
}
include($inc);

as a minimum

answered Mar 19 '14 at 16:40

symcbean

47,736
6
59
94

-1 This won’t work. `realpath` already returns the canonical absolute path or `false`. – Gumbo Mar 19 '14 at 20:31
Ahh, true, I didn't say I'd *tested* it :) How about ...$stub=dirname(__FILE__).'/sites/'; $inc=realpath($stub.$url); if (substr($inc, 0, strlen($stub))!=$stub || ! is_radable($inc)) { – symcbean Mar 19 '14 at 23:08
That would work and is basically what [@ircmaxell suggested on *Preventing Directory Traversal in PHP but allowing paths*](http://stackoverflow.com/a/4205278/53114). – Gumbo Mar 20 '14 at 05:50

duper51 · Answer 2 · 2014-03-19T16:48:05.277

-1

I think that the answer to this would be no. The person may still be able to access system files, and the method seems quite worthless. Why not use cURL or something like it to access the page. It's safer but not the safest. But your script won't work in the first place considering,

include_once "sites/$url";

Should be changed to,

include_once "sites/" . $url;

So your script doesn't start sending users to "/sites/$url". You could do this if you want to be secure:

if(isset($_GET['pageid'])) {
    if($_GET['pageid']=='1') {
         include_once 'page1.php';
    }
}

You could make a new $_GET['pageid']== check for every page you need to send the user to.

edited Mar 19 '14 at 16:48

answered Mar 19 '14 at 16:36

duper51

770
1
5
20

Would this fix the problem? – KaareZ Mar 19 '14 at 16:37
Honestly if you're trying to load page content using PHP, you should store the content in a database, then print it out using PHP. Anything allowing the user to enter a file name in a GET/POST request should be considered unsafe. – duper51 Mar 19 '14 at 16:39
I cant do that. I need to exute php scripts from my sites – KaareZ Mar 19 '14 at 16:41
I'm going to edit my answer with a suggestion right now. – duper51 Mar 19 '14 at 16:43
Thanks ;D --> ignore "6 more to go" – KaareZ Mar 19 '14 at 16:44
Edited, hope you find it useful. – duper51 Mar 19 '14 at 16:48
There's better ways to do this. – Rob W Mar 19 '14 at 17:57
I'm all ears Half Crazed – duper51 Mar 19 '14 at 18:07

PHP - cms security

2 Answers2