If you want to clean up the URL, you could possibly use Apache's mod_rewrite. If it's installed on your webhost you could add the following to the .htaccess file in the affected directory:
RewriteEngine on
RewriteRule ^page/([^/\.]+)/?$ index.php?page=$1 [L]
With that you can link to ursite.com/page/contact or ursite.com/page/contact/ and internally it'll process index.php?page=contact
Rewrite rules consist of: RewriteRule pattern substitution flags
So in this case it means:
^page/
If the URL starts (the ^) with page/, the rule is processed; if not, it'll be ignored.
([^/\.]+)
Remember whatever is between the (), which would be 1 or more chars (the +) that aren't (the ^) a / or a . (. has special meaning, so it uses \.)
/?$
The only thing after that string we just captured may be a / and nothing else.
index.php?page=$1
The page to replace it with; the $1 will be whatever we remembered between the previous ().
[L]
Don't process any other rewrite rules.
This will do what you need. If you're using something other than Apache you might need to take a different approach. Pretty much all web servers have some kind of functionality for this, but you can't always set it with a file in a web dir and may need to tweak some configs. (Example taken from this site.)
Other things to remember... The PHP code you wrote is very vuln; you'll be hacked pretty quickly.
You don't check the contents of page; it could be anything, and they can open any file on your machine!
Not only can they use ../ to go back dirs, they can open any possible file extension by ending their string with a null byte (which will end the string before your .php is added).
With your current setup try opening index.php?page=../../proc/self/environ%00 (assuming it's a Linux box)
Keep adding ../'s until it works. You'll see all kinds of info related to the current web process. One of those things displayed is the user's USER AGENT, something you can set yourself. And since this is included by PHP, even though it doesn't end with .php any code in there will be executed. So a person going there with a custom string set as their user agent can run any code on your machine. Which in turn can run more code... etc etc until your box is rooted.
We call this a local file inclusion; there are loads of ways to exploit this type of thing and you'll need to secure it properly.
Use addslashes to deal with the null byte injection, and either only accept very specific pages (use a switch) or actually check what the constructed directory would be with realpath.
I may be forgetting things here... but that about covers it.
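The two fixes mentioned above (a strict allowlist of page names and a realpath containment check), written out as an added example that is not the poster's code. It assumes the pages live as ./pages/<name>.php next to index.php; the directory name and the `resolve_page` helper are my own choices.

```php
<?php
// Hardened replacement for index.php?page=...
// Assumption: every includable page is a file named pages/<name>.php
// under the directory this script lives in.
define('PAGES_DIR', __DIR__ . '/pages');

// Returns the absolute path of the page file, or null if the request
// must be refused. Two independent checks: a strict name allowlist and a
// realpath() containment check, so either one alone would still stop
// ../ traversal and %00 null-byte tricks.
function resolve_page(string $page): ?string
{
    // 1. Only a plain name: letters, digits, dash, underscore, max 64 chars.
    //    This rejects "/", ".", "..", and NUL bytes before any path is built.
    //    (A switch listing the known pages would do the same job.)
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $page)) {
        return null;
    }

    // 2. Resolve what would actually be opened and make sure it is still
    //    inside PAGES_DIR. realpath() collapses any ../ and returns false
    //    when the file does not exist, so missing pages are refused too.
    $base = realpath(PAGES_DIR);
    $full = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

$requested = $_GET['page'] ?? 'home';
$file = resolve_page($requested);
if ($file === null) {
    // Refused: unknown page, traversal attempt, or bad characters.
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $file;
```

With this, a request such as page=../../proc/self/environ%00 fails the name check and never reaches include, while page=contact still resolves to pages/contact.php.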