[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?

To: Nourredine Himeur <lostnoobs@security-challenge.com>
Subject: Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
From: Stefan Esser <s.esser@e-matters.de>
Date: Mon, 2 Feb 2004 13:22:31 +0100

Hello,

first of all I find it funny that you now report this "hole"
to full-disclosure. We (at security@php.net) got the same
mail (with the same examples/text) from a person with a totally
differen name a while ago.

> -----------------------------------------------------------
> <?
> if(file_exists($page)){
> echo("Sorry the local page is protected");
> }else{
> include($page);
> }
> ?>
> -----------------------------------------------------------

A nice artificial example. But what are you trying to achieve?
The include f.e. is completely misplaced. It makes no sense
that you want to include a file only if it does NOT exist.
Because if you try to include a nonexistant file you will
only get an include error. So on the first look the include
call is completely redundant. But with fopen() wrappers activated
this code construct is a security hole. It is a documented
and often underlined fact that file_exists() does not work on
remote files. So you are open for any remote include.

And finally, noone said that file_exists() is bugfree, but 
you were not able to provide any real example where a false
result: "file does not exist" is a security hole.

You usually only do things to files IF they exist. 
And maybe for the hundreth time: Never trust filenames supplied
by the user. You always have to tripple check them.

Stefan

-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@e-matters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
  - From: "Nourredine Himeur" <nourredine.himeur@assephira.com>
- Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
  - From: <m.esco@wp.pl>
- Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
  - From: "Nourredine Himeur" <lostnoobs@security-challenge.com>

Prev by Date: [Full-Disclosure] FirstClass 7.1: Bypass File Execution Warning
Next by Date: Re: Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
Previous by thread: Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
Next by thread: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
Index(es):
- Date
- Thread