insert webpage with-in webpage

[proskater123]

i want to view a webpage in anouthger webpage. so that i can view my site and in the body i can view another page.

[StonedLlama]

Iframes.

[Rab]

php include

[jool]

php include

I really hope that was a joke and not something that you actually do.

To do it you use iframes as mentioned but you really shouldn't unless you have a really good reason. Links are better and aren't Evil.

[armadaender]

But having a page within a page can be increadibly useful. Take a look at my favorite torrent earch engine, www.torrents.to. Upon searching you then have the tabs of many different search engines on the same page and able to access each one indepently and easily. All thanks to frames.

[PoyBoy]

That is a really good site. Very clean interface

[Rab]

php include

I really hope that was a joke and not something that you actually do.

To do it you use iframes as mentioned but you really shouldn't unless you have a really good reason. Links are better and aren't Evil.

actually it is something i do ALL THE TIME, and i find it INCREDIBLY USEFUL. got any reason not to do it? imo it's the better alternative to frames, for example maintaining a navigation menu from one file.

[jool]

actually it is something i do ALL THE TIME, and i find it INCREDIBLY USEFUL. got any reason not to do it? imo it's the better alternative to frames, for example maintaining a navigation menu from one file.

If you do it with files that only you have control over it is acceptable but I got the impression that the topic starter wanted to use remote files. Since the content in the included file is run as a php script it really needs to be from a trusted source. Which is why unless you really need the file to be run as php you should use file_get_contents or something similar and include should only be used when you know you need it.

[Rab]

yep fair point <3

[Guest]

file_get_contents

And then he just opens the system up to remote code execution ;)

<?php 

// code by sunjester 

// www.hgsdomination.com 

// 2006 

if(isset($website)) { 

header('Content-Type: text/plain'); 

$website = $_POST[website]; 

$info = file_get_contents($website); 

header('Content-Type: text/html'); 

echo "<center><textarea cols=80 rows=20>$info</textarea></center>"; 

} else { 

?> 

<form method=post action=index.php> 

<input type=text name=website><bR><input type=submit value=submit></form> 

<? } ?>

Try it and exploit the file_get_contents() function.

<onTopic>

I wouldnt use php for something like this it is just over kill and can open your site up to attack. <iframe> will work perfect for what you want to do

<html>

<head>

<title>My Title</title>

</head>

<body>

<iframe src="http://www.mySite.com">Error Message Goes Here For People That Are Still In 1990 And Dont Have A Browser That Supports iframe</iframe>

</body>

</html>

</onTopic>

[jool]

And then he just opens the system up to remote code execution ;)

Of course, it still isn't a Good Thing to do with non trusted code. Just thought it was better with an XSS hole than the opportunity to bork the whole server. The general rule for security when coding is of course to trust noone, not even yourself.

And I would still say linking is the best way of doing it. The example given in the thread of a site with frames did it nicely but most just don't do it right and give the impression that what is in the frame is something of theirs. It also breaks navigation rules in most browsers.

[Rab]

placing someone's site insite my own is something i never do anyway. i have this anal thing that to view someone elses site it should also NOT open in a new window, but should navigate them away from my site. seems silly, but thats how i prefer it.

as for linking another file, i'll continue to use include, i often do want code to be executed in other files, and they are created by me, a trusted source.

[Guest]

And then he just opens the system up to remote code execution ;)

Of course, it still isn't a Good Thing to do with non trusted code. Just thought it was better with an XSS hole than the opportunity to bork the whole server.

there is no XSS injection points, the include has the problem that it can allow remote file inclusion, That is if the user can tell the site which webpage they want to see.

<?php

$file =$_GET['file'];

include($file);

?>

something like that will allow an attack to get his own php code executed on the server, which we dont want. But if that was done so the user cant say what site. something like

<?php

$file ='http://www.google.com';

include($file);

?>

then the user can not attack the site with a remote file inclusion, as there is no entry point for the user. The same thing applies with the file_get_contents(); function, expcept this time instead of getting php code executed the user can pull up data from the system. for example if the code took the var $file from $_GET[]; then the user could pass it something like /etc/passwd and make it echo out the contents of that file, which of course we dont want. But if $file could not be changed by the user, if it was set inside code then the user cant use it to attack. Of course all this could be fixed with some nice filters. The include might be harder to stop though. But i would strongly advise against using php for this it isnt needed, html has the tags that you need to do it with.

[jool]

And then he just opens the system up to remote code execution ;)

Of course, it still isn't a Good Thing to do with non trusted code. Just thought it was better with an XSS hole than the opportunity to bork the whole server.

there is no XSS injection points, the include has the problem that it can allow remote file inclusion, That is if the user can tell the site which webpage they want to see.

.... yadda yadda include is bad which was already established yadda ...

Of course there are XSS problems, there always are. And me not thinking of the file inclusion problem instantly is a clear example of why you shouldn't even trust yourself :) .

But this is getting seriously off topic, sorry.

[Guest]

i would rather have an XSS bug then those other two bugs, XSS isnt that big of a problem really. That is only going to come in from the include() function, but that is opening up remote file inclusion, so why would the attack bother with xss when he can get a php shell onto the system?

[jool]

i would rather have an XSS bug then those other two bugs, XSS isnt that big of a problem really. That is only going to come in from the include() function, but that is opening up remote file inclusion, so why would the attack bother with xss when he can get a php shell onto the system?

I didn't think I said you should have to choose between bugs? What I think I said was:

1. Use links instead (actual answer to the topic)

2. include is very very bad unless it's used with trusted files and file_get_contents should be used for untrusted files instead. Didn't say anything about allowing users to supply the path. From the topic I assumed that it was a fixed file on a remote server.

To always filter your input is a different but still important issue for any user input.

[Guest]

assuming is bad iframes work, end of story. Even if it isnt a fixed location iframes still work and dont open the thing up. and by the way you dont actually have to pick which bug, if you remove the remote file inclusion you also remove XSS and plus the XSS injection will only be helpful to the attack if the website is used with a membership kind of system, and that membership is using cookies. And once again like i said the file_get_contents can be used to exploit the system still, even if it is used for trusted files. So like i said from the begining and like im saying now, use iframes. iframes can be used with php so the user can say what site to include, or it can be hard coded

<?php

//User picks website

$file =$_GET['file'];

echo '<iframe src="' .$file .'">Blah</iframe>';

?>

See nice isnt it, no bugs what so ever that can open the system up, oh and no need to filter input