Solved

Security of Remote Include()

Posted on 2004-10-14
144 Views
Last Modified: 2013-11-18
I have a class in PHP5 that will be included on many people's websites. I have properly coded the private and public functions/variables so they will not be able to access the variables.

I was wondering what security risks I should be concerned with, with remote including. I am not asking for the obvious such as using exec() on a variable that could be overwritten.

I will essentially be licensing once this hits 1.0 so I will be including a licensing feature within it, I have never heard of someone licensing via remote include so I do not know if this is safe or not.

Don't comment if you don't know that remote includes evaluate on the remote server.
Question by: ThePCNerd

18 Comments
 
Expert Comment by: hernst42
Can you give an example of how the "customer" will be using your class?

What is the benefit of your method instead of giving a php-file to the user? It will only increase the load on your server and will give all customers one single point of failure.
I would never trust such a remote script; what if the remote server returned the following script:

<?php
exec('rm -rf /');

All files accessible by the webserver on the customer side will be deleted.
Author Comment by: ThePCNerd
Yes that is true that all files would be deleted but I am the host and I have trust.

I am talking about the clients getting any code, variables or anything from me, the host, by including my file into their code.

They include my file "logintest.php" for instance.

Within the file is a class that has functions for checking login and username of the user.

That is one portion of the system.

Author Comment by: ThePCNerd
I am not the host of the client's website; I am saying that I am the host of my application and hold trust, since they are paying customers.
Accepted Solution by: hernst42 (earned 200 total points)
> I have properly coded the private and public functions/variables so they will not be able to access the variables.
but they will be able to see all information that is needed:
http://de3.php.net/var_dump
In PHP only public properties of objects will be returned in the output. var_export() and print_r() will also return protected and private properties.

So to keep your information secret (http:Q_21164359.html) you need to write a php-extension which holds that information and which will not be accessible by your client. Only writing a class with private/protected methods will not be sufficient.
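A short PHP demonstration of the point made in the accepted solution, added here as an example and not taken from the thread: the class name lgnsys is borrowed from the question's later example, while the property names and the sample salt value are constructed for this illustration.

```php
<?php
// Added example (not code from the original thread). It shows why declaring a
// property private or protected does not hide its value from the script that
// includes the class: the value is still in PHP land and can be read out.
// Property names and the sample salt are constructed for this demonstration.
class lgnsys
{
    private $licenseSalt;        // stand-in for a licensing secret
    protected $userId = 42;      // stand-in for a protected variable
    public $status = 'ok';

    public function __construct($salt)
    {
        $this->licenseSalt = $salt;
    }
}

$obj = new lgnsys('constructed-sample-salt');

// 1. print_r() and var_export() walk private and protected members as well.
print_r($obj);
var_export($obj);
echo PHP_EOL;

// 2. An (array) cast exposes them too; the keys are mangled with NUL bytes
//    ("\0lgnsys\0licenseSalt" for private, "\0*\0userId" for protected).
foreach ((array) $obj as $key => $value) {
    echo str_replace("\0", '\0', $key), ' => ', $value, PHP_EOL;
}

// 3. Reflection reads the private value directly
//    (setAccessible() is required on PHP 5.3 up to 8.0; a no-op from 8.1).
$prop = new ReflectionProperty('lgnsys', 'licenseSalt');
$prop->setAccessible(true);
echo 'via reflection: ', $prop->getValue($obj), PHP_EOL;

// Conclusion for the defender: a secret that must stay secret cannot live in
// PHP source that the client executes; keep it on a server you control and
// do the verification there.
```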
 
Author Comment by: ThePCNerd
That is exactly what I needed, but before I hand over the points I want to leave this open for anyone else to find another tidbit of information like that, unless you can casually assure me that that is about the worst that can happen.

(That doesn't matter anyway because the code used to combine the variables works in a fashion such as:

md5($firstpart.$username.$secondpart.$userid.$moresalt.$moresalt.$username.$firstpart.$secondpart.$userid.$moresalt.......

The final result is about a couple hundred times that, I'm not sure; I had a script generate it for me. So the processing power needed to md5 every combination of 5 variables used in any manner adding up to 100s of variables would take way too long to be conventional.
Author Comment by: ThePCNerd
I never even thought about it, but I could make salt that wasn't a variable in the first place as well. Duh. (Two of the salts have to be variables sadly though, but that isn't enough info anyway.)
Author Comment by: ThePCNerd
btw this will be worth 300 in a few days because I will be answering more questions and getting a 130 refund for a question I solved myself.
Author Comment by: ThePCNerd
I could also unset or overwrite data I need protected.
Author Comment by: ThePCNerd
Is that true what I said above? Or do you think there are other possibilities?
Expert Comment by: hernst42
Any information where you have the php-code available can be decrypted, as the php-code also has to do it. So the information can not be hidden there. It is more difficult to do it if you have a php-extension, as that compiled code is much harder to decompile than php-code.

Such things can only be kept secret in an environment you can control and you know is safe. Any client where you don't have the full control is unsafe (e.g. see the hacks and cheats used in online games or serial number generators). If the server can not verify the information, anything you try on the client can be decrypted.

There are some ways to make it take longer to get behind the secret you implemented, but it will always be doable.
Author Comment by: ThePCNerd
Well the code is never sent to the client of a remote include so there is no issue there.
Expert Comment by: hernst42
Hm, I think I don't get what you are doing. Could you provide an example of that include on the client side and the output of your server which is sent to the client?
Author Comment by: ThePCNerd
Client Side:

<?php
include("http://example.com/thefilethatineedprotected.php");
$test = new lgnsys;
$test->printstatus();
........
?>


Server Side:

<?php
class lgnsys {
.....
.....
.....
}
?>
Expert Comment by: hernst42
So the code will be sent to the client in plaintext and be executed there. And your client can read that code. So your comment http://#12396422 is not right.

So as I said, there is no way to secure your code on the client side.
Author Comment by: ThePCNerd
The code is never sent; it is evaluated and parsed server side with variables on the client side, under the scope of the include on the client side.

After that it returns variables to the client.

If the variable is a class it is treated like a reference variable, but to the server.

Please stop wasting my time.
Expert Comment by: hernst42
Your statement is true for a local file, but not for a remote file. See http://de.php.net/include

if "URL fopen wrappers" are enabled in PHP (which they are in the default configuration), you can specify the file to be included using a URL (via HTTP or other supported wrapper - see Appendix L for a list of protocols) instead of a local pathname. If the target server interprets the target file as PHP code, variables may be passed to the included file using a URL request string as used with HTTP GET. This is not strictly speaking the same thing as including the file and having it inherit the parent file's variable scope;

especially this:

> the script is actually being run on the remote server
your server
> and the result is then being included into the local script.
But this will not include variables or classes defined on your server.

So you haven't understood the concept of including remote files.


example of proof:

secure.php:
-----------------------
<?php

class A {
}

test.php:
-------------------------
<?php

// the remote server executes secure.php and only its output is included here,
// so class A is never defined in this script
include 'http://localhost/secure.php';

new A();

new A will cause an undefined A class exception

include 'secure.php' works.
Author Comment by: ThePCNerd
Yea, that's what I thought, so I built a workaround for that where the client defines what he needs done into a specified global variable, then I check and do that specific function.

But other than that there are no security risks pertaining only to the including.
Author Comment by: ThePCNerd
This is a mess, php stinks; I would use java but it is just as bad, plus it isn't compatible natively with all browsers.

Oh well, a new system will be coming soon I can feel it. I might even be the developer of it heh.

Or an open source php compiler like zend has but open source.