Reputation: 9487
I was wondering if this little snippet is subject to a Local File Injection vulnerability.
<?php
$lang = $_GET['lang'];
include '/some/dir/prefix_'.$lang.'whatever';
I know the whatever can be ignored by putting '%00' (null byte) in the request. But if there is no sub-directory beginning with 'prefix_' in the /some/dir/ directory, can the exploit occur? How?
Thanks in advance for the answer.
Upvotes: 3
Views: 1481
Reputation: 300
Well, you can whitelist this one, something like:
$possible_languages = array('en','fr','pt'); # preferably not hardcoded
$lang = $_GET['lang'];
if (in_array($lang, $possible_languages)) {
    # do your thing
}
else {
    # error out
}
Basically... never trust user input.
Upvotes: 1
Reputation: 132011
Do you mean something like this?
$lang .= 'en/../../../../../etc/passwd' . "\0"; // "\0" is the null byte; 0x00 would be appended as the string "0"
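You can avoid this by:
$path = '/some/dir/prefix_'.$_GET['path'].'whatever';
// realpath() resolves ../ and symlinks; it returns false if the file does not exist
$path = realpath($path);
// 17 is strlen('/some/dir/prefix_'); the literal must match the prefix built above
if (($path !== false) && (strncmp('/some/dir/prefix_', $path, 17) === 0)) {
    // $path is fine
}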
This tests whether the path exists and whether it's really under the directory tree that you allow it to be in. It should be sufficient.
Upvotes: 3
Reputation: 4733
Using user input directly in your code is always dangerous.
It would be better to make it check if the value is in an array of acceptable values.
Upvotes: 2
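The two approaches from the answers above (an allowlist and a realpath() containment check) combined into one function, as an added example that is not code from any of the posters. The name resolve_lang_file(), the temporary directory and the sample inputs are assumptions constructed for the demo; 'prefix_' and 'whatever' mirror the question, and the mixed type needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). resolve_lang_file() and the temp
// directory layout are hypothetical; 'prefix_' and 'whatever' mirror the question.
function resolve_lang_file(mixed $lang, string $baseDir, array $allowed): ?string
{
    // ?lang[]=x makes $_GET['lang'] an array; only accept plain strings.
    if (!is_string($lang)) {
        return null;
    }
    // Strict allowlist: traversal sequences and NUL bytes can never match.
    if (!in_array($lang, $allowed, true)) {
        return null;
    }
    // Defense in depth: canonicalise and confirm the file is inside $baseDir.
    // realpath() also resolves symlinks, so a link pointing outside is caught.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/prefix_' . $lang . 'whatever');
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    // Compare against "$base/" so /some/dir_evil cannot pass for /some/dir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample data: a throwaway directory with one language file.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/prefix_enwhatever', "<?php return ['hello' => 'Hello'];\n");

$allowed = ['en', 'fr', 'pt'];
// Constructed inputs: valid, allowed-but-missing, traversal, NUL byte, array, empty.
$inputs = ['en', 'fr', 'en/../../../../../etc/passwd', "en\0", ['en'], ''];

foreach ($inputs as $input) {
    $resolved = resolve_lang_file($input, $dir, $allowed);
    printf("%-40s => %s\n", json_encode($input), $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . '/prefix_enwhatever');
rmdir($dir);
```

Only the first input is accepted: 'fr' passes the allowlist but fails realpath() because no such file exists, and the remaining inputs never get past the type check or the allowlist.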