Monthly Archives: January 2009

Why using the “include” techniques are dangerous for the novice developers?

I don’t want to talk about the LFI (local file inclusion) or RFI (remote file inclusion) which we have a lot of articles about.
I just want to tell you about some simple errors using inclusion. I have read many web applications’ source code so far to see this scenario reoccurring. I think one of the most important logical vulnerabilities is incorrect use of the “include” techniques.

Let’s explain this by some examples:
———– Begin Example1 ———–
Example1. (ASP, PHP, JSP, ?)
Assumptions:
1. Admin.asp -> (safe) includes Check.asp, Header.asp, and Main.asp
2. Check.asp -> checks admin session
3. Header.asp -> shows the top menu
4. Main.asp -> shows the administrator’s main page

If I execute Admin.asp, I will execute all 3 other files which I mentioned too.

Question: What will happen if I point to the Main.asp or Header.asp directly without using the Admin.asp?
Answer: If Main.asp or Header.asp does not include Check.asp, attacker can see the admin page without having the administrator credentials!
Many web application have this problem at the time of writing this post!

Now assume that Check.asp is similar to this:

----------- Begin Check.asp -----------
snipped
<%
' Get an input from the user
1 Input_CurrentFolder = Request("currentFolder")

2 ' in order to get the root directory we must set an admin session

3 session("admin")=true

4 directory = GetDirectory(Input_CurrentFolder)

'Terminate admin session for the security!
5 session("admin")=false

%>
snipped
----------- End Check.asp -----------

I want to speak about the session. What do you think about this code? Is there any security problem?

Question: How can a user keep the session(“admin”)=true after line 3?
Answer: In order to do that, user needs to stop execution on line 4 obviously!
Question: Now, how can a user stop execution on line 4? Tell me more!
Answer: User must stop the program before line 5 which is only possible by causing an error in between! So, this might not be always possible, but I want to show you 2 examples! The first is even related to subject of this article!!

First scenario: Check.asp does not contain GetDirectory function, and this function is in Header.asp. Now if an attacker opens the Check.asp page directly, they can obtain the admin session due to an error on line 4!
Another scenario: the GetDirectory function must not work with the Input_CurrentFolder value. In other words, the GetDirectory function should stop working because of the Input_CurrentFolder value.
Note: we must not have something like “On error resume next” which lets the program continue after an error.
I don’t think this vulnerability is very rare although it might not be very common. I had seen this vulnerability in some real world applications such as the old version of Hosting Controller.
———– End Example1 ———–

———– Begin Example2 ———–
Example2. (PHP, ?)
This is not a new example but it is related to this subject.
Assumptions:
1. SessionControl.php -> (safe) controls the user’s session
2. EditContent.php -> by using this file, administrators can edit website’s pages
3. AdminContent.php -> (safe) includes SessionControl.php and EditContent.php.

Also assume that EditContent.php looks like this:

----------- Begin EditContent.php -----------
<?
if (!isset($_SESSION['Level'])) exit();
if ($_SESSION['Level']=='admin')
{
some lines of code only for admin 
}
?>
----------- End EditContent.php -----------

The EditContent.php file is insecure because there is not any session_start() in the code itself, and everyone can set $_SESSION[‘Level’]. Just like this: http://[something]/EditContent.php?_SESSION[Level]=admin
Note: php global variables must be on.
———– End Example2 ———–

You saw that some nasty vulnerabilities can be easily created by the bad usage of the “include” techniques.