This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

[PHP] Is there any exploits that I missed?

Started by CCPoster, 12 January 2013 - 07:18 PM
CCPoster #1
Posted 12 January 2013 - 08:18 PM
Hey guys, I was wondering: in the code below, are there any exploits (being able to make files (I should be able to view), run web files (.php, .html, …), etc.)?
Thanks for helpin'!

<?php
// Global Variables
$UnallowedExtensions = array( "css", "html", "htm", "php", "xml" );
$Extension = end(explode(".", $_GET['i']));
$file;

if(isset($_REQUEST['i'])){
    if (!in_array($Extension, $UnallowedExtensions)){
        if ($_GET['i'] != ""){
            $file = fopen("Files/" . $_GET['i'], "r") or exit("Couldn't open file");
        }else{
            exit("Couldn't open file");
        }
    }else{
        exit("Can't read from a blocked file");
    }
}else{
    exit("Filepath Not Detected");
}

while (!feof($file)) {
    echo fgets($file) . "<br>";
}
fclose($file);
?>

BTW: I'm a total noob to PHP and html5. This was actually my first script after reading w3schools.com
Zoinky #2
Posted 12 January 2013 - 09:39 PM
ComputerCraft | Programmable Computers For Minecraft

Minecraft:
Website
Wikipedia Page
Forums

I think you're in the wrong place. Otherwise, sorry. Lol.
Shnupbups #3
Posted 12 January 2013 - 09:48 PM
Um, sorry but this is a forum for a video game mod which contains lua-based virtual computers. I think you're in the wrong place.
theoriginalbit #4
Posted 12 January 2013 - 09:53 PM
I think you're in the wrong place. Otherwise, sorry. Lol.
He is clearly doing something server based with his program and doesn't want any exploits, like has previously happened on this forum with another person's program…
GravityScore #5
Posted 12 January 2013 - 11:09 PM
My understanding of this is it just gets a file on the web server, and prints the contents to the webpage.

Within this script, I don't think you're going to need many security features - no harm such as the harm done to NDFJay could be done using such a script that just simply read files.

Your main security problems will arise from the upload file script - this is the one where you need to focus your security efforts.

Couple of suggestions:
- Use and (without the spaces) in your post to make the PHP code look nice
- Don't use HTTP get. Use HTTP post. Then people can't access any files by visiting the PHP script in their web browser (it also prevents people from spamming your upload script by mashing the refresh button in their browsers)
- Don't bother with checking the file extension and reading from it. This is useless because if people know the location of the file in your web server, they can just visit the file themselves, running it. They don't need your PHP script to download the file. Say you have the file www.example.com/hello/test.php. Using your script you could get it, or people could just get the file by visiting it in their browser. Just make the assumption when reading a file from your web server that it will not be malicious - let the upload script handle malicious files.
- When you don't pass a variable to a PHP script, it will be null, not an empty string. Just do something like:

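// isset() avoids an "undefined index" notice when the parameter is missing
$location = isset($_GET["filename"]) ? $_GET["filename"] : null;
if ($location != null) {
  // Code
} else {
  echo "Invalid Parameters";
}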

And a last note: You don't need a download script :P
You can just download files by using (in Lua):

local res = http.get("http://www.example.com/Files/" .. filename)
local content = res.readAll()
res.close()

TL;DR: A download script cannot be used to exploit a server (from my knowledge). And, a download script is useless.
immibis #6
Posted 12 January 2013 - 11:13 PM
The most obvious exploit is: yourfile.php?i=../../../../../creditcardinfo.txt (example, I assume you're smart enough to not put your credit card info on the server, but it could be some other file)
By the way, it won't "run" css, html, htm, php or xml files - it'll send their contents back to the person or program that requested the web page, like any other file.
You could check that the filename only contains certain characters (perhaps a-z, A-Z, 0-9, -, _ and .)
If you blocked / and \, there could be another obscure character that does the same thing. (There shouldn't be, but you don't want to risk it.)
Tiin57 #7
Posted 13 January 2013 - 04:15 AM
Also, to the first two posters, I quote:
Discuss Anything and Everything Relating to Anything and Everything
GravityScore #8
Posted 13 January 2013 - 05:10 AM
Also, to the first two posters, I quote:
Discuss Anything and Everything Relating to Anything and Everything

This was originally in Ask a Pro. It was moved to General by a mod :P
CTMiner #9
Posted 13 January 2013 - 05:37 AM
What if you made it so you have to whitelist file extensions rather than blacklist extensions? It would be more secure that way. For example, make it so you can only upload txt files. That way people can't upload asp, js or any file type you might have missed.
Dlcruz129 #10
Posted 13 January 2013 - 05:50 AM
ComputerCraft | Programmable Computers For Minecraft

Minecraft:
Website
Wikipedia Page
Forums

I think you're in the wrong place. Otherwise, sorry. Lol.

General: discuss anything and everything relating to anything and everything
dissy #11
Posted 13 January 2013 - 05:56 AM
I think you're in the wrong place. Otherwise, sorry. Lol.
General: discuss anything and everything relating to anything and everything

What's the point of quoting the thread description he didn't even post under? Here, maybe this will help :P

Ask A Pro. (Anyone is able to answer your question, though "Pro's" will be designated by a special label
Dlcruz129 #12
Posted 13 January 2013 - 05:57 AM
I think you're in the wrong place. Otherwise, sorry. Lol.
General: discuss anything and everything relating to anything and everything

Ask A Pro. (Anyone is able to answer your question, though "Pro's" will be designated by a special label

This is in General. :P
D3matt #13
Posted 13 January 2013 - 06:03 AM
Seriously guys? When did we get into the habit of crucifying new members? Especially with the recent focus on php exploits in this community, it's perfectly reasonable for somebody to ask for help on a php script related to CC.
Orwell #14
Posted 13 January 2013 - 06:04 AM
Also, to the first two posters, I quote:
Discuss Anything and Everything Relating to Anything and Everything

This was originally in Ask a Pro. It was moved to General by a mod :P
I think you're in the wrong place. Otherwise, sorry. Lol.
General: discuss anything and everything relating to anything and everything

Ask A Pro. (Anyone is able to answer your question, though "Pro's" will be designated by a special label

This is in General. :P
This is a very pointless discussion. :) You're all repeating what others said earlier in this very same thread.
dissy #15
Posted 13 January 2013 - 06:22 AM
This is a very pointless discussion. :) You're all repeating what others said earlier in this very same thread.

We're all repeating what others said earlier in this very same thread? ;}


On a serious note, not much php assistance can be expected from lua programmers. Using php forums would garner more useful answers than here even if we posted nothing at all in reply
CCPoster #16
Posted 13 January 2013 - 07:26 AM
Thanks guys! To answer a few questions:
1) If I made a "whitelist" of allowed extensions it would try and block filename if it doesn't end with a .extension
2) The reason why it needs to block these extensions is because there will be a database containing passwords and such on this as well. And even though these will be blocked from access with .htaccess, I tested it and because this file has permission to access the server it has access to the password files, therefore meaning you can read password files through this (if it wasn't for the blacklist) but not through the direct path.

About the Ask A Pro vs. General: My bad, I thought this should go under ask a pro seeing as it's a question. :)
CTMiner #17
Posted 15 January 2013 - 02:33 PM
@Whitelisting: Couldn't you rename it to add a .txt if it doesn't have an extension, and then when it downloads it will drop the extension? Or you could whitelist having no extension.
D3matt #18
Posted 15 January 2013 - 02:58 PM
The only extensions that really need to be blocked for security are those your server configuration classifies as "active" files. Generally those such as .php, .cgi, .aspx. Any extension that the server is configured to run through the parser. You'd have to check your specific configuration for an exact list.
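
Added example, not code from any poster in this thread: a hardened version of the read script that combines immibis's filename character allow-list (#6) with CTMiner's extension whitelist that also permits "no extension" (#9, #17). It goes one step beyond the thread by also resolving the path and confirming it stays inside the served directory. The BASE_DIR location, the allowed extension list and the 64-character limit are assumptions chosen for illustration.

```php
<?php
// Added example. BASE_DIR and ALLOWED_EXTENSIONS are illustrative assumptions.
const BASE_DIR = __DIR__ . '/Files';
const ALLOWED_EXTENSIONS = ['', 'txt', 'lua'];   // '' means "no extension"

// Returns the resolved path for a requested name, or null if it is rejected.
function resolve_requested_file($name)
{
    // Character allow-list: only a-z, A-Z, 0-9, -, _ and .
    // "/" and "\" never match, so "../" sequences are rejected here.
    if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name)) {
        return null;
    }
    // Reject dot-files (.htaccess), ".." and names with a trailing dot,
    // which some filesystems silently strip.
    if ($name[0] === '.' || substr($name, -1) === '.') {
        return null;
    }
    // Extension allow-list instead of the original blacklist.
    $extension = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($extension, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Extra check beyond the thread: resolve symlinks and confirm the
    // result is a regular file that is still inside BASE_DIR.
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_requested_file(isset($_GET['i']) ? $_GET['i'] : null);
if ($path === null) {
    http_response_code(404);
    exit("Couldn't open file");
}
// Serve as plain text so file contents are never interpreted as HTML.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

With this in place, the password database CCPoster mentions in #16 is unreachable through the script as long as it lives outside BASE_DIR or has an extension that is not on the list.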