well, it depends on the content. and i store all passwords and other
sensitive stuff in a database. it isn't like that's giving them shell
access or anything.
Most PHP installations have shell access. If someone gets access to
your PHP, they can probably get shell access.
it would be insecure if i had the scripts do
things, but i usually just include standard content.
My point earlier was that the suggested script lets anyone include
anything on the server without restriction. In this case, it doesn't
matter what you include - it matters what others might include. Even
if you think you know that every script on your server is safe, you
might be wrong, or it might change in the future. What if your host
changes email systems, and starts storing raw emails in a directory
accessible by PHP? Then suddenly anyone can send you an email with
malicious PHP inside, and run that script with something like this:
index.php?content=../../mail/inbox.mbox
Or your host might have insecure scripts sitting on your server in a
directory that is not accessible to you (so you don't even know it's
there), but is accessible to your PHP installation, so anyone could
run something like this:
index.php?content=../../../../../insecure_php_scripts/shell_access.php
I suspect someone with actual experience doing this kind of stuff
could find more exploits. It's possible every PHP script on your
server is safe, but why take the chance? It's easy enough to force
includes from one specific directory:
// Nothing starting with a period is allowed, preventing backing out of a directory.
if ( substr( $_GET['content'] , 0 , 1 ) != '.' )
    include( 'includes/' . $_GET['content'] );
Peace,
scott.
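
An added example, not part of the original post: it resolves the requested name with realpath() and only accepts it if the result stays under the include directory, which also covers names that contain `..` after the first character. The function name resolve_include() and the sandbox directory layout are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. The directory layout and the
// function name resolve_include() are assumptions made for illustration.

/**
 * Return the absolute path of a file inside $baseDir named by $name,
 * or null if the name is malformed, missing, or resolves outside $baseDir.
 */
function resolve_include(string $baseDir, $name): ?string
{
    // Reject arrays (?content[]=x), empty values and NUL bytes up front.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and fails on missing files.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Containment check on the resolved path; the trailing separator stops
    // a sibling such as "includes_old" from matching the "includes" prefix.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sandbox so the script runs offline.
$root = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir("$root/includes/sub", 0700, true);
mkdir("$root/mail", 0700, true);
file_put_contents("$root/includes/about.php", "<?php echo 'about';");
file_put_contents("$root/mail/inbox.mbox", "constructed sample\n");

// Constructed request values a validator has to sort correctly.
$samples = ['about.php', '../mail/inbox.mbox', 'sub/../../mail/inbox.mbox', 'missing.php'];
foreach ($samples as $name) {
    $firstCharCheck = substr($name, 0, 1) != '.';   // the check from the post
    $resolved = resolve_include("$root/includes", $name);
    printf("%-28s first-char: %-6s resolved: %s\n", $name,
        $firstCharCheck ? 'allow' : 'deny', $resolved === null ? 'deny' : 'allow');
}
```

In a page handler, call include only on the non-null return value of resolve_include() and answer with a 404 otherwise.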