

| Sasha |
Apr 12 2004, 10:42 AM
Post #1
Codegrrl Alumni | Group: Loyal Members | Posts: 1,671 | Joined: 12-May 03 | Member No.: 2
This message is aimed at everyone who has converted their website to PHP using the index.php?x=about.html method to include their pages, as seen in many tutorials all over the web (like for example at EnglishSun.org).

This method is very insecure, and allows hackers to gain access to your server. Because you are specifying what file to include via a URL, anyone can change the bit after x= to something else to include any file they want. This means they are able to see sensitive files that hold passwords and other sensitive information. Once a hacker has gained access to your server, they will generally proceed to upload malicious scripts (like trojans or egg drops), with which they can attack other networks and send out SPAM emails. This eats up the bandwidth and disk space you're paying for, and can get you kicked out by your host. And, even worse, if any damage is caused to the server you're hosted on, your host can hold YOU totally responsible for those damages, because you allowed the hackers to gain access by using insecure coding! If they wanted to, they'd have the right to sue you over this.

I've discovered this because several friends of mine recently contacted me after having problems with hackers on their servers. In trying to figure out what let the hackers gain access, I discovered the insecurities in this script. Also, one of those friends noticed she had been getting a lot of referrals from Google.com for searches looking like "allinurl: index.php?x=". This means that there are people out there specifically looking for sites using these scripts; they are being targeted by hackers because it is KNOWN these sites are insecure. Therefore, it is VERY important that you change your coding ASAP, as in RIGHT AWAY, if you were using this method of PHP coding.

Here's what you should do if you used this script:

1. Change your passwords for your domain control panel and MySQL databases. It can't hurt to change your password to your email accounts as well, just in case.
2. Change your coding. There are other ways of converting your pages to PHP, two examples of which can be found here: http://www.codegrrl.com/scripts/nlconverttophp/ http://www.codegrrl.com/tutorials/scripts_...h_your_site.php
3. Make sure there are NO urls left in your site anywhere that use the "?x=filename.html" method to include files.
4. Contact your host, and explain to them that you've just discovered you were using a script that wasn't completely secure. Tell them that it might have let hackers gain access to the server. Your host will then be able to run a security check on the server to get rid of any malicious scripts that might be present if you have been hacked.
5. Spread the word. It's very important we let as many people as possible know about this ASAP so they can protect themselves. Please post about this in your blogs, forums, mailing lists, LiveJournals, etc. If you know of anyone who has a tutorial up on how to implement this method, please send them a link to this thread. The more people read this, the more will hopefully be able to change their coding before they get hacked. Feel free to include this entire message, or alternatively, include a link to this thread about it here at CodeGrrl: http://www.codegrrl.com/forums/index.php?s...?showtopic=3967
| Jewel |
Apr 12 2004, 04:55 PM
Post #2
Rank #3: Frequent | Group: Members | Posts: 89 | Joined: 3-April 04 | From: Canada | Member No.: 954
Oh my God!
| Vixx |
Apr 12 2004, 06:05 PM
Post #3
CodeGrrl Administrator | Group: Admin | Posts: 2,421 | Joined: 31-December 03 | From: UK | Member No.: 657
I hate hackers. Grrr.
Thanks for the heads-up. I'll post this on my LJ today.
| sects |
Apr 12 2004, 06:06 PM
Post #4
Unregistered
Sasha, what if we're using something that goes index.php?id=variable, no file name? Is that under the same attack?
| Firewater |
Apr 12 2004, 06:10 PM
Post #5
Unregistered
< sarcasm > Score! I used that in all of my sites! < /sarcasm > I will spread the word as far as I can, and will also contact my hosting company. Then, of course, will probably go and die.
| ywingempress |
Apr 12 2004, 06:13 PM
Post #6
Unregistered
QUOTE(sects @ Apr 12 2004, 01:06 PM): Sasha, what if we're using something that goes index.php?id=variable, no file name? Is that under the same attack?

Yes, if you don't check the value of the variable. If you have a bunch of if statements that only allow SOME values of the variable to be included, you're fine. But if you just include $id.php or something like that, that's a big problem. Any visitors to your site can set the value of $id, which means they might be able to see any document on your server.
| del |
Apr 12 2004, 06:46 PM
Post #7
Unregistered
How does that work? I mean, if my php script is only looking for .txt files in a specific folder, how can they access other files elsewhere, or upload things?
| ywingempress |
Apr 12 2004, 07:16 PM
Post #8
Unregistered
They can access files elsewhere if you don't actually check to make sure all you're getting is a filename. They could include a file in a different directory via ../ and stuff. So it really depends on your code.
About the uploading, they can upload if they manage to get your password. And once a malicious person has upload access to a server, they can do whatever they want.
| Sasha |
Apr 12 2004, 09:17 PM
Post #9
Codegrrl Alumni | Group: Loyal Members | Posts: 1,671 | Joined: 12-May 03 | Member No.: 2
Yup, everything that Amy said.
A lot of people have documents on their server that contain their MySQL username and password. I used to have them stored on my site in a document called dbinfo.inc. If I had been using that script, all you'd have to do is tack on dbinfo.inc behind the x= part, and anyone would have been able to see that file. I'm not entirely sure what methods exactly the hackers use, but I suspect it works something like that. Thanks for helping spread the word, guys!
| Skybly |
Apr 12 2004, 09:36 PM
Post #10
Rank #5: Obsessed | Group: Members | Posts: 777 | Joined: 23-May 03 | From: Germany | Member No.: 98
QUOTE(Sasha @ Apr 12 2004, 11:17 PM): I used to have them stored on my site in a document called dbinfo.inc. If I had been using that script, all you'd have to do is tack on dbinfo.inc behind the x= part, and anyone would have been able to see that file.

Although in that situation anyone could just have typed the filename into the address bar and could have seen the contents as well. Which is why all php scripts and their config files should have a .php (or .inc.php) extension. Yes, I know I've mentioned this already, but I thought it might bear repeating.

Calling malicious code from another server is the most common problem with this exploit. There are whole ready-made scripts available for download that let you mess with stuff on the server, and all you need to do is point the variable to their url. Nasty. Snooping out local config files is bad too, of course!
| Guest_Jenna |
Apr 13 2004, 12:15 AM
Post #11
Unregistered
Thanks for the post Sasha. About a month ago my site was hacked and my host told me that it was Flinx or Flinx Collective that was vulnerable because I had chmoded to 777 (like you're supposed to with those). I posted questions about it here and no one else could figure out what went wrong, but it now seems likely that this was the actual problem. At the time I had one fanlisting using this method, a fanlisting that I adopted from someone else and I was using her layout/coding. When I moved to my new host I recoded that fanlisting using the NL Convert to PHP method and changed the directory name. Since then I've noticed some strange link calls with the index.php?x=whatever in that fanlisting's old directory name in my stats. Of course they now get a 404 error.
I think I'll reinstall Flinx when I have some time.
| sects |
Apr 13 2004, 12:20 AM
Post #12
Unregistered
No hackers trolling around for me. ;) Ask for it if you wish. That's an example of how I would do something, and the url looks like index.php?id=about. If that's not safe I have to find another way to do it, but if it is, then for anyone that is into using it, all I can say is that it is very simple to use. Just put that in the index.php page. If it's *not* safe, never mind, but it should be because of the fact that if I type in index.php?id=rules and I don't include the rules case, it just loads the updates.php page. Make sense?
| ywingempress |
Apr 13 2004, 01:50 AM
Post #13
Unregistered
Yup, sects' code is safe. There's a finite number of values $id can be set to, to make it do something, and you specify all the ones that are valid (via the case statements), so it should be fine.
| sects |
Apr 13 2004, 02:24 AM
Post #14
Unregistered
That's what I thought. Since I stopped messing with coding and scripting everything went out of my brain.
| Guest |
Apr 13 2004, 11:02 AM
Post #15
Unregistered
Unfortunately, most tutorials I saw on this method online did not include a check of the variables like your bit does, sects. Most people who are not PHP-savvy don't even realize how dangerous this script can be.
IMO, if you're new to PHP, don't mess with includes via the URL, as it can be SUCH a security risk. If you're more advanced with PHP and know what you're doing, fair enough. But most people who were using this script didn't know what they were doing, and they didn't know how unsafe the script could be, in which case they'd be better off sticking with something safer, like NL-ConvertToPHP or something.
| Anon |
Apr 13 2004, 08:01 PM
Post #16
Unregistered
Ok, I'm doing this anonymously in case any hackers happen to be prowling around looking for targets. I currently use the following code in my index.php, so that index.php?variable calls up variable.inc.php in my content folder:

```php
<?php
// The raw query string (everything after "?") selects the content file.
$string = $_SERVER['QUERY_STRING'];
include("header.inc.php");
if (!$string) {
    include("/home/mydomain/public_html/content/home.inc.php");
} elseif ($string) {
    include("/home/mydomain/public_html/content/{$string}.inc.php");
}
include("footer.inc.php");
?>
```

I use this because it means I don't have to define my hundreds of variables in my index.php file. Is this insecure?
| castigante |
Apr 16 2004, 02:36 AM
Post #17
Rank #3: Frequent | Group: Members | Posts: 82 | Joined: 16-April 04 | Member No.: 1,002
It's nothing new; many people have been hacked because of insecure dynamic inclusion. Oh, but I must thank you, I was looking for some tutorials on that particular subject.

A good thing to add to the script is to check the extension and limit it only to your www directory.

CODE
```php
<?php
/* Actually, having the code all on one page loads MUCH slower,
   so include the pages, or connect to them with a db. */
include('header.php');
if (!$_SERVER['QUERY_STRING']) {
    // You can include your default page with echos, or end and close php
} elseif ($_SERVER['QUERY_STRING'] == "about") {
    include("about.php");
} elseif ($_SERVER['QUERY_STRING'] == "rules") {
    include("rules.php");
} elseif ($_SERVER['QUERY_STRING'] == "join") {
    include("join.php");
} elseif ($_SERVER['QUERY_STRING'] == "codes") {
    include("code.php");
} elseif ($_SERVER['QUERY_STRING'] == "members") {
    include("members.php");
} elseif ($_SERVER['QUERY_STRING'] == "extra") {
    include("extra.php");
} else {
    /* Purposely this would show a default page if no variable was given,
       but I didn't test it. */
}
include('footer.php');
?>
```

P.S. It's misleading to call it PHP conversion. It uses PHP, but by no means is there any way to convert to PHP. The script in question is referred to as dynamic page inclusion, using dynamic variables. There are other ways to go about using dynamic variables, such as using a switch like so...

CODE
```php
<?php
switch ($_GET["page"]) {
    case "news":
        include('news.php');
        break;
    case "about":
        include('about.php');
        break;
    case "contact":
        include('contact.php');
        break;
    default:
        include('start.php');
}
?>
```

This example from Juicy Studio is also vulnerable. One should use $_POST instead of $_GET as much as possible.
| lloyd |
Apr 16 2004, 04:47 AM
Post #18
Unregistered
If it looks like this, is it ok?

```php
<?php
$page = $_GET['page'];   // the page name from the URL (the original relied on register_globals)
if (file_exists("$page.php")) {
    include("$page.php");
} elseif (file_exists("$page.html")) {
    include("$page.html");
} elseif (file_exists("$page.txt")) {
    include("$page.txt");
} else {
    echo "file could not be included";
}
?>
```

That's in v1.php, so it's like buggyglobal.com/v1.php?page=name_of_page. That way it won't include anything except html, txt, or php pages. My friend, it's not a security risk, just that your friend was stupid.
| therisenrealm.com |
Apr 16 2004, 04:47 AM
Post #19
Unregistered
Just do basename() on the request, and isolate all your pages in a directory. Problems fixed. That's what I did... and I went an extra mile and used mod_rewrite to mask my pages to .html (for user friendly and search engine friendly reasons only).
http://www.therisenrealm.com
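As an added example (not code from this thread or from any CodeGrrl script), here is what the two fixes discussed in the thread look like side by side: the allowlist approach from the earlier replies, where the URL value is only a key into a fixed map, and the basename() plus isolated-directory approach from this post, applied to the `file_exists("$page.php")` pattern from the post before it. The page names, the content directory and the .inc.php suffix are assumptions, and the code needs PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. (A) allowlist: the URL value only
// selects a key in a fixed map. (B) confinement: a bare page name that
// must resolve to a file under one content directory. Names are assumed.

// Insecure pattern the thread warns about:  include($_GET['x']);

const PAGES = ['home' => 'home.inc.php', 'about' => 'about.inc.php'];

/** (A) Unknown, empty or missing keys fall back to the default page. */
function resolveFromList(?string $key): string
{
    return PAGES[$key ?? ''] ?? PAGES['home'];
}

/** (B) Plain name only; result must be an existing file below $contentDir. */
function resolveInDir(string $contentDir, string $requested): ?string
{
    $name = basename($requested);              // drops "../" and "http://host/" parts
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
        return null;                           // empty, or contains dots/odd characters
    }
    $base = realpath($contentDir);
    $path = realpath("$contentDir/$name.inc.php");
    if ($base === false || $path === false) {
        return null;                           // page file does not exist
    }
    // Resolved path (symlinks followed) must sit below the content directory,
    // so index.php or a config file outside it can never be chosen.
    $inside = strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $path : null;
}

// Constructed demo: a temporary content directory holding two real pages.
$dir = sys_get_temp_dir() . '/pages_' . getmypid();
mkdir($dir);
foreach (['home', 'about'] as $p) {
    file_put_contents("$dir/$p.inc.php", "<p>$p</p>\n");
}
foreach (['about', '', 'dbinfo.inc', '../dbinfo.inc', 'http://example.com/x', 'index'] as $x) {
    $b = resolveInDir($dir, $x);
    printf("%-22s A: %-13s B: %s\n", var_export($x, true), resolveFromList($x),
           $b === null ? 'rejected' : basename($b));
}
foreach (glob("$dir/*") as $f) {
    unlink($f);
}
rmdir($dir);
```

In a real index.php, treat a null result from (B) as "show the default page" rather than as an error, and keep the content directory free of anything but page files.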
| therisenrealm.com |
Apr 16 2004, 04:50 AM
Post #20
Unregistered
Oh yeah, check if they're trying to include the same page... (www.blah.com/index.php?page=index) for the heck of it.
=/

