Security of Encoded Files (An Include Protection Tutorial)

MisterPopularity



Joined: 25 May 2005
Posts: 29
Location: South Bend, Indiana

Posted: Sun Jan 15, 2006 6:32 am

Hi guys,

Strange thing came up in a meeting today...

we're trying to prevent people from including an encoded file into a non-encoded file and print_r($GLOBALS) or some other type of scheme to see what you have as variables, constants, etc.

Is there some functionality built into the encoders to prevent this? or do we need to come up with some elaborate scheme? :)
MisterPopularity



Joined: 25 May 2005
Posts: 29
Location: South Bend, Indiana

Posted: Sun Jan 15, 2006 6:38 am

basically... we have a hard-coded variable that we MUST protect....

so aside from "unsetting" it IMMEDIATELY after we're done with it, can anyone think of a way that it can be retrieved?
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

Posted: Sun Jan 15, 2006 2:40 pm    Post subject: Include Attack Prevention Tutorial

Hi

You're describing an "include attack", and the Encoder has features to block this kind of attack.

Essentially you want to restrict two files to only interoperate with each other such that A can only include B if B is the "real deal", and in particular, you want B to only be included by A if A is authorised.

You can use the option --include-if to restrict files to only interoperate with other files if they have particular properties defined, and use --property or --properties to define properties. Properties are encoded metadata that exist solely in the Loader.

Here is a short tutorial on this.

E.g. Given x.php:
Code:

<?php

echo "before include\n";

include "y-enc.php";

echo "after include\n";

?>


and y.php:
Code:

<?php
 
$y = 123;

?>


First, we'll encode y.php as y-enc.php and run without any protection.

Code:

$ ioncube_encoder y.php -o y-enc.php

$ php x.php
before include
after include


As expected, everything works fine. Now, let's encode y.php with include protection.

Code:

$ ioncube_encoder y.php -o y-enc.php --include-if x=666

$ php x.php
before include

The encoded file y-enc.php has been included by the unauthorised file x.php


where x=666 is an arbitrary property name and integer value.

Now we'll encode x.php, and define a property but with the wrong value.

Code:

$ ioncube_encoder x.php -o x-enc.php --property x=42

$ php x-enc.php
before include

The encoded file y-enc.php has been included by the unauthorised file x-enc.php


Finally we'll re-encode x.php, this time with the correct value.

Code:

$ ioncube_encoder x.php -o x-enc.php --property x=666

$ php x-enc.php
before include
after include
123


Now everything works. In this case, x-enc.php would be able to include an unencoded y-enc.php as x.php was not encoded with its own include-if restriction, however if it had been then the symmetric protection would be given as well.

Another option to mention is --disable-auto-prepend-append.
This will prevent operation when the append/prepend feature of PHP is being used, as that provides another route by which unintended files can be executed, and which is often not considered by the PHP developer.

Whilst this mechanism is great, I would still caution against the use of globals though because they could potentially be accessed by someone modifying the PHP sources. If you are trying to gain access to a "secret" value, there are some other alternatives.

One way would be to use the properties mechanism. Properties can be queried and decoded via the Loader API (they're stored and usually only ever processed in a mangled form). Even if the values returned were discovered somehow, and a bogus file encoded by a third party with the same properties, the include protection check would still fail for other reasons. Properties can only be queried by the file that defines them, and so you could then make the property value available via a function to your other PHP scripts.

Alternatively you could still use a function to return the value, but just have the value stored in the PHP code.

The type of approach you come up with would depend on what you're trying to do, but the main thing is that the include attack protection can prevent unauthorised files.
_________________
Community Admin
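
The advice above about avoiding globals and returning the value from a function, as an added example that is not part of the original post and is not ionCube's code: it audits what a script sharing the same request scope could enumerate for a secret held in a global variable, a constant, and a function body. The names `$licenceKey`, `LICENCE_KEY`, `licence_key()` and all values are constructed for illustration.

```php
<?php
// Added example, not from the thread. All names and values are constructed.

// Weak: the secret sits in the global symbol table and the constant table,
// so any script sharing this request's scope can enumerate it.
$licenceKey = 'constructed-secret-global';
define('LICENCE_KEY', 'constructed-secret-constant');

// Better: the value exists only inside a function body and is handed out
// on request; it never appears in $GLOBALS or the constant table.
function licence_key(): string
{
    return 'constructed-secret-function';
}

// Audit helper: where, if anywhere, is $value reachable by enumeration?
function where_exposed(string $value): array
{
    $hits = [];
    foreach ($GLOBALS as $name => $v) {
        if ($v === $value) {            // strict: arrays/objects never match
            $hits[] = "\$GLOBALS['$name']";
        }
    }
    $userConstants = get_defined_constants(true)['user'] ?? [];
    foreach ($userConstants as $name => $v) {
        if ($v === $value) {
            $hits[] = "constant $name";
        }
    }
    return $hits;
}

function report(string $label, string $value): void
{
    $hits = where_exposed($value);
    echo str_pad($label, 26), $hits ? implode(', ', $hits) : 'not enumerable', "\n";
}

report('global variable', $licenceKey);
report('constant', LICENCE_KEY);
report('function return value', licence_key());

// unset() removes the global from the symbol table; a constant cannot be undefined.
unset($licenceKey);
report('global after unset()', 'constructed-secret-global');
report('constant, later on', LICENCE_KEY);
```

A function is still callable by any file that manages to include this one, so this complements the --include-if restriction rather than replacing it.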
savetheorcas



Joined: 24 Mar 2006
Posts: 4

Posted: Sat Mar 25, 2006 9:16 am

How do you set this "property" to a file using the Windows GUI? I have tried everything and can't get this to work.

Thanks.
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2788

Posted: Sat Mar 25, 2006 1:06 pm

Arbitrary properties cannot currently be set via the GUI, however the GUI does have an option to enable include attack protection and to set a property as a protection key.
_________________
Community Admin