Jump to content

insert webpage with-in webpage


proskater123

Recommended Posts

php include

I really hope that was a joke and not something that you actually do.

To do it you use iframes as mentioned but you really shouldn't unless you have a really good reason. Links are better and aren't Evil.

Link to comment
Share on other sites

php include

I really hope that was a joke and not something that you actually do.

To do it you use iframes as mentioned but you really shouldn't unless you have a really good reason. Links are better and aren't Evil.

actually it is something i do ALL THE TIME, and i find it INCREDIBLY USEFUL. got any reason not to do it? imo it's the better alternative to frames, for example maintaining a navigation menu from one file.

Link to comment
Share on other sites

actually it is something i do ALL THE TIME, and i find it INCREDIBLY USEFUL. got any reason not to do it? imo it's the better alternative to frames, for example maintaining a navigation menu from one file.

If you do it with files that only you have control over it is acceptable but I got the impression that the topic starter wanted to use remote files. Since the content in the included file is run as a php script it really needs to be from a trusted source. Which is why unless you really need the file to be run as php you should use file_get_contents or something similar and include should only be used when you know you need it.

Link to comment
Share on other sites

file_get_contents

And then he just opens the system up to remote code execution ;)

<?php 

// code by sunjester 

// www.hgsdomination.com 

// 2006 

if(isset($website)) { 

header('Content-Type: text/plain'); 

$website = $_POST[website]; 

$info = file_get_contents($website); 

header('Content-Type: text/html'); 

echo "<center><textarea cols=80 rows=20>$info</textarea></center>"; 

} else { 

?> 

<form method=post action=index.php> 

<input type=text name=website><bR><input type=submit value=submit></form> 

<? } ?>

Try it and exploit the file_get_contents() function.

<onTopic>

I wouldnt use php for something like this it is just over kill and can open your site up to attack. <iframe> will work perfect for what you want to do

&lt;html&gt;

&lt;head&gt;

&lt;title&gt;My Title&lt;/title&gt;

&lt;/head&gt;

&lt;body&gt;

&lt;iframe src="http://www.mySite.com"&gt;Error Message Goes Here For People That Are Still In 1990 And Dont Have A Browser That Supports iframe&lt;/iframe&gt;

&lt;/body&gt;

&lt;/html&gt;

</onTopic>

Link to comment
Share on other sites

And then he just opens the system up to remote code execution ;)

Of course, it still isn't a Good Thing to do with non trusted code. Just thought it was better with an XSS hole than the opportunity to bork the whole server. The general rule for security when coding is of course to trust noone, not even yourself.

And I would still say linking is the best way of doing it. The example given in the thread of a site with frames did it nicely but most just don't do it right and give the impression that what is in the frame is something of theirs. It also breaks navigation rules in most browsers.

Link to comment
Share on other sites

placing someone's site insite my own is something i never do anyway. i have this anal thing that to view someone elses site it should also NOT open in a new window, but should navigate them away from my site. seems silly, but thats how i prefer it.

as for linking another file, i'll continue to use include, i often do want code to be executed in other files, and they are created by me, a trusted source.

Link to comment
Share on other sites

And then he just opens the system up to remote code execution ;)

Of course, it still isn't a Good Thing to do with non trusted code. Just thought it was better with an XSS hole than the opportunity to bork the whole server.

there is no XSS injection points, the include has the problem that it can allow remote file inclusion, That is if the user can tell the site which webpage they want to see.

&lt;?php

$file =$_GET['file'];

include($file);

?&gt;

something like that will allow an attack to get his own php code executed on the server, which we dont want. But if that was done so the user cant say what site. something like

&lt;?php

$file ='http://www.google.com';

include($file);

?&gt;

then the user can not attack the site with a remote file inclusion, as there is no entry point for the user. The same thing applies with the file_get_contents(); function, expcept this time instead of getting php code executed the user can pull up data from the system. for example if the code took the var $file from $_GET[]; then the user could pass it something like /etc/passwd and make it echo out the contents of that file, which of course we dont want. But if $file could not be changed by the user, if it was set inside code then the user cant use it to attack. Of course all this could be fixed with some nice filters. The include might be harder to stop though. But i would strongly advise against using php for this it isnt needed, html has the tags that you need to do it with.

Link to comment
Share on other sites

And then he just opens the system up to remote code execution ;)

Of course, it still isn't a Good Thing to do with non trusted code. Just thought it was better with an XSS hole than the opportunity to bork the whole server.

there is no XSS injection points, the include has the problem that it can allow remote file inclusion, That is if the user can tell the site which webpage they want to see.

.... yadda yadda include is bad which was already established yadda ...

Of course there are XSS problems, there always are. And me not thinking of the file inclusion problem instantly is a clear example of why you shouldn't even trust yourself :) .

But this is getting seriously off topic, sorry.

Link to comment
Share on other sites

i would rather have an XSS bug then those other two bugs, XSS isnt that big of a problem really. That is only going to come in from the include() function, but that is opening up remote file inclusion, so why would the attack bother with xss when he can get a php shell onto the system?

Link to comment
Share on other sites

i would rather have an XSS bug then those other two bugs, XSS isnt that big of a problem really. That is only going to come in from the include() function, but that is opening up remote file inclusion, so why would the attack bother with xss when he can get a php shell onto the system?

I didn't think I said you should have to choose between bugs? What I think I said was:

1. Use links instead (actual answer to the topic)

2. include is very very bad unless it's used with trusted files and file_get_contents should be used for untrusted files instead. Didn't say anything about allowing users to supply the path. From the topic I assumed that it was a fixed file on a remote server.

To always filter your input is a different but still important issue for any user input.

Link to comment
Share on other sites

assuming is bad iframes work, end of story. Even if it isnt a fixed location iframes still work and dont open the thing up. and by the way you dont actually have to pick which bug, if you remove the remote file inclusion you also remove XSS and plus the XSS injection will only be helpful to the attack if the website is used with a membership kind of system, and that membership is using cookies. And once again like i said the file_get_contents can be used to exploit the system still, even if it is used for trusted files. So like i said from the begining and like im saying now, use iframes. iframes can be used with php so the user can say what site to include, or it can be hard coded

&lt;?php

//User picks website

$file =$_GET['file'];

echo '&lt;iframe src="' .$file .'"&gt;Blah&lt;/iframe&gt;';

?&gt;

See nice isnt it, no bugs what so ever that can open the system up, oh and no need to filter input :wink:

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...