I've found out the hard way that my website can be hacked by passing a query string parameter that has many ../s to access files outside of the website directory, and then hack the website.
Is there a way, perhaps through the php.ini, to not allow file includes outside of a certain root directory?
To make things worse, most of what is running on the server is not my code. The website runs on the CMS Joomla! and the exploit was done through a purchased plugin.
I cannot change the scripts; if it has to come to that, I'll just uninstall the affected plugins.
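The traversal described in the question, as an added example that is not part of the original post: a containment check for an include path built from a request parameter, which is the same test the php.ini directive `open_basedir` applies interpreter-wide when the scripts themselves cannot be edited. The function name `resolve_include`, the directory layout and the sample parameter values are assumptions constructed for illustration.

```php
<?php
// Added example; resolve_include() and all paths below are hypothetical.
// For code that cannot be edited, php.ini's open_basedir enforces the same
// boundary globally, e.g. open_basedir = /var/www/site:/tmp (placeholder paths).

function resolve_include(string $root, string $param): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;                       // misconfigured root: fail closed
    }
    // A NUL byte or URL scheme is never a valid local page name.
    if (strpos($param, "\0") !== false || strpos($param, '://') !== false) {
        return null;
    }
    // realpath() collapses ../ and follows symlinks; false if the file is missing.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $param . '.php');
    if ($target === false) {
        return null;
    }
    // Compare with a trailing separator so /var/www/site-old does not
    // pass as being inside /var/www/site.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample layout in a temp dir so the script runs offline.
$base = sys_get_temp_dir() . '/incdemo_' . getmypid();
mkdir("$base/site/pages", 0700, true);
file_put_contents("$base/site/pages/home.php", "<?php echo 'home';");
file_put_contents("$base/secret.php", "<?php echo 'outside web root';");

$root = "$base/site";
foreach (['pages/home', '../secret', 'pages/../../secret', 'pages/missing'] as $p) {
    $r = resolve_include($root, $p);
    printf("%-22s => %s\n", $p, $r === null ? 'REJECTED' : 'allowed');
}

// Remove the constructed files again.
unlink("$base/site/pages/home.php");
unlink("$base/secret.php");
rmdir("$base/site/pages"); rmdir("$base/site"); rmdir($base);
```

Only `pages/home` resolves inside the root; both `../` values and the missing file are rejected before anything is included.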