
include() <-- Is it secure for you?

Discussion in 'General Discussion' started by Rafaelfpviana, Apr 7, 2004.

  1. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil
    First of all,
    Good morning!!

    Like I was saying, we are having some problems on our server with the include function. Take a look at the example:

    PHP:
    <?php

    // When I include a file in my website dir, this is OK.
    // It's my file, it is in my account, it is OK to include it.
    include("myfile.php");


    // Now, this shouldn't be allowed. I shouldn't be
    // allowed to include someone else's file in my
    // PHP file. I'm including a file that is outside my
    // account. This is wrong, and it works!!!
    include("/home/otheruser/public_html/otheruser.php");

    ?>
    Are you following me? Do you see why I'm concerned about this?

    The thing is, how can I block this at all?

    This is really dangerous. A user can include any file from someone else and go through the variables and use them. What if the file included is a config file?

    PLEASE, CAN ANYONE GIVE ME SOME HELP!!! :confused: :confused:
     
  2. fizz

    fizz Well-Known Member

    Joined:
    Jan 25, 2002
    Messages:
    202
    Likes Received:
    0
    Trophy Points:
    16
    In WHM, go to Tweak Security, and check Open Base Dir restrictions.
     
  3. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil
    Will that allow normal includes from the accounts?
     
  4. fizz

    fizz Well-Known Member

    Joined:
    Jan 25, 2002
    Messages:
    202
    Likes Received:
    0
    Trophy Points:
    16
    Yes, it just won't allow them to include from outside the user's home (own) directory.
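An added example, not from the thread: a small script an administrator can drop into one account to confirm that the open_basedir restriction enabled in WHM is actually in effect for that account. The path of the other account's file is an assumption; the script only tries to open it and reports whether PHP refused.

```php
<?php
// Added example (not from the thread): verify that open_basedir stops this
// account from reading a file that belongs to another account.
// The path passed in below is an assumption; use any file owned by a
// different account on your own server.

function checkOpenBasedir(string $outside): string
{
    $blocked = false;
    // PHP reports an open_basedir violation as an E_WARNING, not an
    // exception, so catch it with an error handler and remember it.
    set_error_handler(function (int $errno, string $errstr) use (&$blocked): bool {
        if (stripos($errstr, 'open_basedir') !== false) {
            $blocked = true;
            return true;      // handled; do not print the warning
        }
        if ($blocked && stripos($errstr, 'failed to open stream') !== false) {
            return true;      // follow-up warning from the same refusal
        }
        return false;         // anything else goes to the default handler
    });
    $fh = fopen($outside, 'r');
    restore_error_handler();

    if ($blocked) {
        return 'restricted: PHP refused to open a file outside this account';
    }
    if ($fh !== false) {
        fclose($fh);
        return 'NOT restricted: a file from another account was readable';
    }
    // No open_basedir warning and no handle: the file is missing or the
    // filesystem permissions stopped us, which says nothing about PHP.
    return 'inconclusive: could not open the file for another reason';
}

echo 'open_basedir = ', ini_get('open_basedir') ?: '(not set)', "\n";
echo checkOpenBasedir('/home/otheruser/public_html/otheruser.php'), "\n";
```

Run it from the account's web root; "NOT restricted" means the Tweak Security setting has not reached this account's PHP configuration.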
     
  5. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    You should be more worried about the people who do....

    include($_GET['file']);

    :)

    I hate when I find those!
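An added example, not from the thread, showing the pattern shaun means beside a hardened version that only ever includes files from a fixed list inside one directory. The pages directory and the page names are assumptions.

```php
<?php
// Added example (not from the thread): the include($_GET['file']) pattern
// and a hardened replacement. PAGES_DIR and the page names are assumptions.

// Vulnerable: the visitor chooses which file PHP reads and executes.
function includePageUnsafe(): void
{
    include($_GET['file']);
}

// Hardened: map public page names to files, then verify the resolved path
// still lives inside the directory we intend to serve from.
const PAGES_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(string $name): ?string
{
    if (!isset(PAGES[$name])) {
        return null;                       // unknown name: refuse
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    // realpath() returns false for missing files and collapses ".." and
    // symlinks, so a prefix check on the canonical path is reliable here.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(): void
{
    $page = resolvePage($_GET['page'] ?? 'home');
    if ($page === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $page;
}

includePageSafe();
```

The allow-list is the real control; the realpath() check is defence in depth in case a listed file is ever replaced by a symlink.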
     
  6. fizz

    fizz Well-Known Member

    Joined:
    Jan 25, 2002
    Messages:
    202
    Likes Received:
    0
    Trophy Points:
    16
    Is that even with open base dir restrictions on?
     
  7. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil

    What do you mean?? Does it get the PHP code too? With the variables also??
     
  8. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil
    Does anyone know something about this??
     
  9. wknight

    wknight Member

    Joined:
    Dec 3, 2002
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Hello,
    You'd better turn on safe_mode. This will prevent users from opening other users' files; it will also disable some functions like system() and exec(), which allow the user to run commands on the shell.

    Go to your php.ini file, find safe_mode and change Off to On.
    Restart Apache.

    Do as fizz said.

    Now, you don't have to worry about users being able to open others' files.

    About what shaun mentioned, this allows the visitor to send any file name he/she wants at the end of the page name. You don't have to worry about this unless you are a programmer. And yes, this can happen even with that option on, in fact even if safe_mode is on (in the case that the file resides in the same user's folders).

    Do search the forum; I remember seeing threads about this, and you will find more detailed information.

    Regards,
     
  10. fizz

    fizz Well-Known Member

    Joined:
    Jan 25, 2002
    Messages:
    202
    Likes Received:
    0
    Trophy Points:
    16
    What other negatives are there from safe_mode on?
    I have a PHP script I run from cron with some system commands, so this will obviously break that. I can always port it to Perl, I guess. Basically it just changes permissions on some mail files every night.
     
  11. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil

    I tried looking for it but I didn't find it. Does anyone know where to find it?
     
  12. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil
    Well, changing the subject a little bit.
    So I turned on the Open Base Dir restrictions, but some CGI scripts included in cPanel are not working.
    Check out the file attached. This is a counter script.
     


  13. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    Rafaelfpviana, you don't have to worry about what I said too much. Some people out there program things and do it the wrong way. Open base dir protection will help secure PHP. I would turn it on.
     
  14. Rafaelfpviana

    Rafaelfpviana Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    142
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brazil
    Open Base Dir protection is turned on; the thing is, the counter CGI script that is included in cPanel doesn't work anymore. That's the problem that I'm having.
     
  15. dan_erat

    dan_erat Registered

    Joined:
    Jun 24, 2003
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I think this is unrelated. cPanel uses Count.cgi, which is written in C and is therefore unaffected by any restrictions you might place on PHP scripts.
     
  16. The MAzTER

    The MAzTER Well-Known Member

    Joined:
    Jul 3, 2003
    Messages:
    106
    Likes Received:
    0
    Trophy Points:
    16