preg_match for input validation

Post by BlueCore90 on Thu May 06, 2010 12:14 pm

Hi, I need some information about preg_match. How secure is it for input validation?

For example this code:
Code:
if(preg_match('/.*INC.*/', strtoupper($_GET['site'])) > 0)
{
      echo 'not found';
}
else
{
      echo file_get_contents($_GET['file']);
}

Are there some ways to get a file from within an 'include' directory?

Btw: this code is for some local training site, so file inclusion is intended ;)

Thx,
BlueCore


Re: preg_match for input validation

Post by tremor77 on Fri May 07, 2010 8:17 pm

I use something like this to sanitize form posts...

Code:
$val = preg_replace("/[^a-zA-Z0-9\-\$\/\s]/", "", $val);


However, I guess I don't have enough info on what you want to do.. here is how I get a file from another directory.. on my page I get the content of a directory... not sure preg_match is the method I would use... explain a bit more what you want to do.. for now here is this..

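Code:
$dirname = "INC";
$dir = opendir($dirname);
echo '<center><form method="post" action=""><select name="file">';
// Strict comparison so that an entry named "0" does not end the loop early
while (false !== ($file = readdir($dir))) {
   if (($file != ".") and ($file != "..")) {
      // Encode the file name before writing it into the HTML
      $name = htmlspecialchars($file, ENT_QUOTES);
      echo("<option value='$name'>$name</option>");
   }
}
closedir($dir);
echo '</select>&nbsp; &nbsp;<input type="submit" name="submit" value="View File"></form></center>';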


That gives me a drop down box of the files in the directory I chose... you could go further and restrict the list to a file type I suppose. Then create the code to view the file...

Code:
// Runs when the form above is submitted
if (isset($_POST["submit"]) && $_POST["submit"] == "View File") {
   $file = $_POST["file"];
   $fileout = file_get_contents("$dirname/$file");
   echo $fileout;
}


I just slapped that together.. so don't hate.. I think it will work though.. and for security the drop down list, at least you aren't taking in any user input that way...


Re: preg_match for input validation

Post by BlueCore90 on Sat May 08, 2010 7:22 am

I just want to know if there is some possibility to bypass preg_match. I have often seen this type of verification. In this example someone should be allowed to access all directories except a directory containing inc (for example '../include/foo.php' should fail, while '../content/bar.php' will return the content of the file).

(I want to teach some friends about web security)


Re: preg_match for input validation

Post by tremor77 on Sat May 08, 2010 11:46 am

That may not be the most secure way of doing it. preg_match alone does not restrict someone from injecting malicious code via the input box.. or via the url bar.. since it appears you are using a form _GET method. You would want to strip special chars of the input among other things. I'd need to see the whole form and form processing code to really properly analyze.


Re: preg_match for input validation

Post by BlueCore90 on Sun May 09, 2010 11:38 am

Hm, that's all of the code.... only some web design things around it. That's definitely not a secure way. I only want to know if someone knows a way to bypass this code and get some files from within the include directory. I would NEVER use such code in my webpages.

But thanks for your time :)

(Sry for my bad English ;) )


Re: preg_match for input validation

Post by thetan on Tue May 11, 2010 1:52 pm

tremor77 wrote: I use something like this to sanitize form posts...

Code:
$val = preg_replace("/[^a-zA-Z0-9\-\$\/\s]/", "", $val);


However, I guess I don't have enough info on what you want to do.. here is how I get a file from another directory.. on my page I get the content of a directory... not sure preg_match is the method I would use... explain a bit more what you want to do.. for now here is this..

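Code:
$dirname = "INC";
$dir = opendir($dirname);
echo '<center><form method="post" action=""><select name="file">';
// Strict comparison so that an entry named "0" does not end the loop early
while (false !== ($file = readdir($dir))) {
   if (($file != ".") and ($file != "..")) {
      // Encode the file name before writing it into the HTML
      $name = htmlspecialchars($file, ENT_QUOTES);
      echo("<option value='$name'>$name</option>");
   }
}
closedir($dir);
echo '</select>&nbsp; &nbsp;<input type="submit" name="submit" value="View File"></form></center>';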


That gives me a drop down box of the files in the directory I chose... you could go further and restrict the list to a file type I suppose. Then create the code to view the file...

Code:
// Runs when the form above is submitted
if (isset($_POST["submit"]) && $_POST["submit"] == "View File") {
   $file = $_POST["file"];
   $fileout = file_get_contents("$dirname/$file");
   echo $fileout;
}


I just slapped that together.. so don't hate.. I think it will work though.. and for security the drop down list, at least you aren't taking in any user input that way...


^^ Vulnerable

If I were to submit:
Code:
..././someDeepShit.php

The preg_replace will match and replace the first occurrence of ../ ".(../)./someDeepShit.php" with nothing, resulting in "../someDeepShit.php"

The script the OP posted is vulnerable to inclusion of all files outside of INC as well as _possibly_ remote file inclusion.
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP

“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein


Re: preg_match for input validation

Post by tremor77 on Mon May 17, 2010 9:15 am

Well, if preg_match just denies any entry with just one occurrence of the invalid statement.. it would still work.. as it's just checking for a singular match... preg_replace would be the statement vulnerable to that exploit. The major problem with that code is it's only looking for INC when there is so much more the code should validate such as directory traversals...
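
One way to do the directory-traversal validation mentioned in the last post, as an added example that is not part of the thread: resolve the requested path with realpath() and serve it only if the canonical result is a file inside the allowed directory. The function name resolve_inside and the content/ and include/ sandbox are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. resolve_inside() and the sandbox layout are hypothetical.

function resolve_inside(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory missing
    }
    // realpath() collapses "..", "." and symlinks, and returns false for
    // anything that does not exist on disk (a URL string included).
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare canonical paths; the trailing separator stops a sibling such
    // as "content_old" from passing as a prefix match for "content".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed sandbox: content/ may be served, include/ may not.
$root = sys_get_temp_dir() . '/pathdemo_' . bin2hex(random_bytes(4));
mkdir("$root/content", 0700, true);
mkdir("$root/include", 0700, true);
file_put_contents("$root/content/bar.php", "public page\n");
file_put_contents("$root/include/foo.php", "internal file\n");

// Constructed requests, modelled on the path shapes quoted in the thread.
$requests = ['bar.php', '../include/foo.php', '..././include/foo.php',
             '../content/bar.php', 'http://example.test/x.php', 'missing.php'];
foreach ($requests as $req) {
    $path = resolve_inside("$root/content", $req);
    printf("%-28s %s\n", $req, $path === null ? 'rejected' : 'served');
}

// Remove the sandbox again.
unlink("$root/content/bar.php"); unlink("$root/include/foo.php");
rmdir("$root/content"); rmdir("$root/include"); rmdir($root);
```

The decision is made on where the path ends up after canonicalisation, not on which substrings the request contains, so '../content/bar.php' is served because it resolves back into content/ while every request that resolves elsewhere or to nothing is rejected.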


