Where is the vulnerability in the PHP script?

P

psiklop2020-05-15 13:59:36

PHP

psiklop, 2020-05-15 13:59:36

The Bitrix scanner writes that there is a vulnerability here, what is the vulnerability?

$page = basename($_GET['page']);
if (file_exists("pages/$page.php")) include("pages/$page.php");

Reply

Answer the question

In order to leave comments, you need to log in

4 answer(s)

P

prrrrrrr, 2020-05-15
@psiklop

PHP include - remote inclusion of a PHP file

I

Ilya, 2020-05-15
@rpsv

You absolutely do not check the data that came from the user. You probably do not have an arbitrary list of possible pages, you can do scandir and check if the requested page exists.
Relative paths are not checked at all, that is, technically, you can request the file "pages/../../../../upload/word.php', and you can put the file in the upload folder in many ways (and not all of them from admins).

P

pythonist1234, 2020-05-15
@pythonist1234

The vulnerability is that the page you include may contain malicious code.

A

Alexander Aksentiev, 2020-05-15
@Sanasol

Through this, you can still delve into the files, at least find out which ones exist in the same directory.
And you can connect something interesting.
The most normal option is to check the allowed values on the white list, and not connect anything.