Re: Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
- To: <s.esser@e-matters.de>
- Subject: Re: Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
- From: "Nourredine Himeur" <lostnoobs@security-challenge.com>
- Date: Mon, 2 Feb 2004 13:38:43 +0100
>Hello,
>
>first of all I find it funny that you now report this "hole"
>to full-disclosure. We (at security@php.net) got the same
>mail (with the same examples/text) from a person with a totally
>different name a while ago.
Yes ;)
> > -----------------------------------------------------------
> > if(file_exists($page)){
> > echo("Sorry the local page is protected");
> > }else{
> > include($page);
> > }
> > ?>
> > -----------------------------------------------------------
>
>A nice artificial example. But what are you trying to achieve?
Yes, artificial because it's simpler to understand.
>The include f.e. is completely misplaced. It makes no sense
>that you want to include a file only if it does NOT exist.
>Because if you try to include a nonexistent file you will
>only get an include error. So on the first look the include
>call is completely redundant. But with fopen() wrappers activated
>this code construct is a security hole. It is a documented
>and often underlined fact that file_exists() does not work on
>remote files. So you are open for any remote include.
IT'S JUST AN EXAMPLE !!!
>And finally, no one said that file_exists() is bugfree, but
>you were not able to provide any real example where a false
>result: "file does not exist" is a security hole.
Ok, look at this:
http://www.opensavoir.com/test.txt
http://www.opensavoir.com/test.php
http://www.opensavoir.com/phpinfo.php
http://www.opensavoir.com/test.php?page=phpinfo.php
http://www.opensavoir.com/test.php?page=./foo/../phpinfo.php
http://www.opensavoir.com/test.php?page=./anything/../phpinfo.php
You see now?
>You usually only do things to files IF they exist.
>And maybe for the hundredth time: Never trust filenames supplied
>by the user. You always have to triple check them.
>
>Stefan
>
Nourredine Himeur
www.security-challenge.com
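The inverted file_exists() check quoted in this thread, beside the kind of replacement Stefan's "never trust filenames supplied by the user" advice points at. This is an added example written for this archive page, not code from either poster; it assumes PHP 7.1 or later, a hypothetical pages/ directory next to the script that holds the includable files, and that the user-controlled name arrives in $_GET['page'].

```php
<?php
// Added example (not from the thread). Assumptions: includable pages
// live in a hypothetical 'pages/' directory beside this script, and
// the user supplies the page name in $_GET['page'].

// Flawed version, as quoted in the thread: include only when
// file_exists() reports that the path does NOT exist. file_exists()
// returns false for remote URLs, so with fopen wrappers
// (allow_url_fopen) enabled the include can still fetch a remote file,
// and any local path that stat() rejects but include() accepts slips
// through as well. Kept here only to contrast with resolve_page().
function include_if_missing(string $page): void
{
    if (file_exists($page)) {
        echo "Sorry the local page is protected";
    } else {
        include $page;
    }
}

// Hardened replacement: accept only a plain file name, resolve it with
// realpath(), and confirm the result stays inside the page directory.
// Returns the resolved absolute path, or null when the request is rejected.
function resolve_page(string $page, string $baseDir): ?string
{
    // A bare name with a fixed extension: no directory separators, no
    // scheme prefix such as http://, no '..' segments.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $page)) {
        return null;
    }

    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false) {
        return null;   // base directory or requested page does not exist
    }

    // Containment check: the resolved path must start with the base
    // directory followed by a separator, so symlinks pointing outside
    // the directory are rejected too.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$baseDir = __DIR__ . DIRECTORY_SEPARATOR . 'pages';   // assumed layout
$page = $_GET['page'] ?? 'index.php';

$target = resolve_page($page, $baseDir);
if ($target === null) {
    http_response_code(404);
    echo "Unknown page";
} else {
    include $target;
}
```

The order of operations is the point: the name is validated syntactically first, then resolved, then compared against the base directory, and only the resolved absolute path ever reaches include(). A file-existence test on the raw user string, whether inverted as in the thread or not, is never used as the authorization decision.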
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html