preg_match for input validation

[BlueCore90]

hi, i need some information about preg_match. How secure is it for input validation?

For example this code:

Code: Select all

if(preg_match('/.*INC.*/', strtoupper($_GET['site'])) > 0)
{
      echo 'not found';
}
else
{
      echo file_get_contents($_GET['file']);
}


are there some ways to get a file from within a 'include' directory?

Btw: this code is for some local training site, so file inclusion is intended

Thx,
BlueCore

[tremor77]

I use something like this to sanitize form posts...

Code: Select all

$val = preg_replace("/[^a-zA-Z0-9\-\$\/\s]/", "", $val);

However, I guess I don't have enough info on what you want to do.. here is how I get a file from another directory.. on my page I get the content of a directory... not sure preg_match is the method I would use... explain a bit more what you want to do.. for now here is this..

Code: Select all

$dirname = "INC";
$dir = opendir($dirname);
echo '<center><form method="post" action=""><select name="file">';
   while(false != ($file = readdir($dir)))   {
      if(($file != ".") and ($file != ".."))   {
         echo("<option value='$file'>$file</option>");
      }
   }
echo '&nbsp; &nbsp;<input type="submit" name="submit" value="View File"></form>';


That gives me a drop down box of the files in the directory I chose... you could go further and restrict the list to a file type I suppose. Then create the code to view the file...

Code: Select all

if ($_POST["submit"] == "View File") {
        $file = $_POST["file"];   
   $fileout = file_get_contents("$dirname/$file");
        echo $fileout;
}

I just slapped that together.. so don't hate.. I think it will work though.. and for security the drop down list, atleast you aren't taking in any user input that way...

[BlueCore90]

i just want to know if there is some possibility to bypass preg_match. I have often seen such type of verifying. In this example someone should be allowed to access all directories except a directory containing inc (for example '../include/foo.php' should fail, while '../content/bar.php' will return the content of the file).

(I want to teach some friends about web security)

[tremor77]

That may not be the most secure way of doing it. preg_match alone does not restrict someone from injecting malicous code via the input box.. or via the url bar.. since it appears you are using a form _GET method. You would want to strip special chars of the input among other things. I'd need to see the whole form and form processing code to really properyl analyze.

[BlueCore90]

hm, thats the code at all.... only some webdesign thinks around it. Thats definitely not a secure way. I only want to know if someone knows a way to bypass this code and get some files from within the include directory. I would NEVER use such code in my webpages.

But thanks for your time

(Sry for my bad english )

[thetan]

I use something like this to sanitize form posts...

Code: Select all

$val = preg_replace("/[^a-zA-Z0-9\-\$\/\s]/", "", $val);

However, I guess I don't have enough info on what you want to do.. here is how I get a file from another directory.. on my page I get the content of a directory... not sure preg_match is the method I would use... explain a bit more what you want to do.. for now here is this..

Code: Select all

$dirname = "INC";
$dir = opendir($dirname);
echo '<center><form method="post" action=""><select name="file">';
   while(false != ($file = readdir($dir)))   {
      if(($file != ".") and ($file != ".."))   {
         echo("<option value='$file'>$file</option>");
      }
   }
echo '&nbsp; &nbsp;<input type="submit" name="submit" value="View File"></form>';


That gives me a drop down box of the files in the directory I chose... you could go further and restrict the list to a file type I suppose. Then create the code to view the file...

Code: Select all

if ($_POST["submit"] == "View File") {
        $file = $_POST["file"];   
   $fileout = file_get_contents("$dirname/$file");
        echo $fileout;
}

I just slapped that together.. so don't hate.. I think it will work though.. and for security the drop down list, atleast you aren't taking in any user input that way...

^^ Vulnerable

if i were to submit:

Code: Select all

..././someDeepShit.php


the preg_replace will match and replace the first occurence of ../ ".(../)./someDeepShit.php" with nothing, resulting in "../someDeepShit.php"

The script the OP posted is vulnerable to inclusion of all files outside of INC as well as _possibly_ remote file inclusion.

[tremor77]

well if preg_match just denies any entry with just one occurrence of the invalid statement.. it would still work.. as its just checking for a singular match... preg_replace would be the statement vulrenable to that exploit. The major problem with that code is it's only looking for INC when there is so much more the code should validate such as directory traversals...