PHP，RFI和保证安全

I am working on a website which the good user inputs a website domain name, http://www.mysite.com.

But I have been reading about remote file inclusion (RFI), and it is pretty interesting. Simply by adding ?page=http://www.mysite.com/index.php? or something near that I get some type of error (500). Other peoples sites using wordpress/ PHP if I do the same I also get an error.

I do not know if this means the script was run, but how can I keep my input clean? I already use REGEX, but I want the user to be able to input any website and process it accordingly. I certainly do not want significant security holes anywhere in my script.

Good night here in Boston on the East Coast [EST]

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
douwengzao5790 2009-08-23 08:42
关注
The HTTP 500 error you're seeing sounds like something that mod_security, a module for Apache, is generating. mod_security scans all input against a set of security rules, one of which probably is checking for RFI. This is a first line of defense.

To protect against RFI, there's a few other things you can do. First, since PHP 5.2.0, there is an option called allow_url_include. When set to false, this will cause PHP to throw an error whenever a file is being included that is an URL. Most people will want to have this setting set to false.

Additionally, there's sanitizing your input. There's a variety of ways to do it, indeed like using regex, but you could also look at the filter extension. Just be sure to be strict enough, you wouldn't want to allow someone to sneak in a ../../ and having a peek a level or two higher in the file hierarchy.

The safest, but sometimes also a very impractical, way to security file access would be to use a whitelist of the exact files that would be allowed to be included.

本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

PHP，RFI和保证安全 php
2009-08-23 04:45

回答 1 已采纳 The HTTP 500 error you're seeing sounds like something that mod_security, a module for Apache, is
用于rfi的安全过滤器 php
2014-03-07 06:28

回答 2 已采纳 As I have already said in a comment to your question on Security.SE, my impression of the high lev
安全包括php php
2012-05-05 16:39

回答 2 已采纳 Your code feeds any arbitrary string provided by the user to PHP's include; this is bad and pretty
使用SMB共享来绕过php远程文件包含的限制执行RFI的利用
2020-10-16 21:21

我们将绕过php远程文件包含的限制，并执行RFI的利用，即使PHP环境被配置为不包含来自远程HTTP/FTP URL的文件。对此文感兴趣的朋友跟随小编一起看看吧
解码这个PHP？ php
2014-09-20 04:40

回答 1 已采纳 Ooh, a puzzle! I like puzzles. This decoder has two stages. The first one assigns a number of st
PHP preg_match（）获取javascript内容 php
2015-05-09 14:54

回答 1 已采纳 You can get the second parameter with: preg_match_all("/'(.*?)'/", $script, $m); echo $m[1][1];
PHP SimpleXML用于复杂的XML来获取数据[关闭] php
2015-11-19 10:18

回答 1 已采纳 I think that you can use simplexml_load_file and then use xpath. For example, lets assume your xml
PHP开发安全问题之各种功能限制
2024-04-26 20:27

2401_84254321的博客这类知识对于一个上线的服务还是非常重要的，我们要时刻关注到自己提供服务的安全性，来保证服务能够连续、稳定的运行。
php - 使用REGEX过滤/清理QUERY_STRING以防止RFI攻击 php
2011-07-13 10:49

回答 2 已采纳 If you want to prevent remote file inclusion, you could simply disable the stream wrappers, e.g.
RFI，在Symfony中查找有关身份验证和授权的文档[关闭] php
2011-03-25 10:19

回答 1 已采纳 You can use the sfGuardPlugin that is the official plugin for autentication and authorization. Che
.htaccess代码在创建漂亮网址时出现500内部错误 php
2018-11-27 17:17

回答 2 已采纳 i could achieve it using RewriteRule ^post/([\w-]+)/([\w-]+)$ index.php?category=$1&slug=$2 [L]
扫描php代码,PHP RFI扫描代码
2021-04-12 22:01

sesv的博客 > 小编推荐：欲学习电脑技术、系统维护、网络管理、编程开发和安全攻防等高端IT技术，请点击这里注册账号，公开课频道价值万元IT培训教程免费学，让您少走弯路、事半功倍，好工作升职加薪！免责声明：本站系公益性...
postgresql语句解析 java 有问必答
2023-01-06 11:09

回答 3 已采纳应该是从STDIN(控制台标准输入）中导入csv格式数据到数据库ratedb中的call_lte_914_202212_28表中 COPY table_name [ ( column_name [,
系统安全实验——PHP本地文件包含漏洞
2023-04-25 20:46

IT_GIRL_XAH的博客 PHP文件包含漏洞分为本地文件包含漏洞（LFI）和远程文件包含漏洞（RFI），能够打开并包含本地文件的漏洞，被称为本地文件包含漏洞。利用本地文件包含漏洞可以查看系统任意文件内容，如果具备一些条件，也可以执行...
php文件包含漏洞详解
2023-10-05 22:39

Ant200的博客 RFI:远程文件包含：利用条件苛刻，需要php.ini 中以下两个参数都为on，才能实现远程文件包含。 allow_url_fopen allow_url_include 在php.ini中，allow_url_fopen默认一直是On，而allow_url_include从php5.2之后就...
Web安全—文件包含漏洞（RFI&LFI）
2022-02-25 09:32

the zl的博客 ASP和JSP只能实现本地文件包含，PHP既可以本地文件包含也可以远程文件包含文件包含漏洞简介：在日常的应用开发中，开发者会将常用的功能模块单独实现，然后通过inclue()等常见函数去单独调用对应功能的文件代码，...
1-Web安全——php文件包含漏洞
2020-08-25 13:41

song->_->的博客 php文件包含又分为本地文件包含（local file include，简称LFI）和远程文件包含（remote file include 简称RFI）。如果要对远程文件进行包含，需要在PHP的配置文件php.ini中修改allow_url_include选项为on，然后...
LFI、RFI、PHP封装协议安全问题学习
2017-10-27 23:57

SPbun的博客本文希望分享一些本地文件包含、远程文件包含、PHP的封装协议(伪协议)中可能包含的漏洞相关学习资料 http://www.ibm.com/developerworks/cn/java/j-lo-longpath.html ...
vulnerable:Php 脚本易受 SQLi、XSS、RFI 和 LFI 攻击，用于测试目的
2021-06-05 18:27

易受伤害的Php 脚本易受 SQLi、XSS、RFI 和 LFI 攻击，用于测试目的。
没有解决我的问题, 去提问

悬赏问题

¥15 微信会员卡等级和折扣规则
¥15 微信公众平台自制会员卡可以通过收款码收款码收款进行自动积分吗
¥15 随身WiFi网络灯亮但是没有网络，如何解决？
¥15 gdf格式的脑电数据如何处理matlab
¥20 重新写的代码替换了之后运行hbuliderx就这样了
¥100 监控抖音用户作品更新可以微信公众号提醒
¥15 UE5 如何可以不渲染HDRIBackdrop背景
¥70 2048小游戏毕设项目
¥20 mysql架构，按照姓名分表
¥15 MATLAB实现区间[a,b]上的Gauss-Legendre积分

PHP，RFI和保证安全

1条回答 默认 最新

悬赏问题

1条回答默认最新