Re: [Full-Disclosure] file_exists() bypassing, critical problem?
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] file_exists() bypassing, critical problem?
- From: "first-name last-name" <nothing_null@hotmail.com>
- Date: Mon, 02 Feb 2004 14:56:42 +0100
Hello,
file_exists() has a bug, yes. It should indicate whether a file exists or
not, and you demonstrated that it doesn't in a special case. But not all bugs
are vulnerabilities.
The mistake is in the code you supplied. I'm not the first to say so. You
said that the code is only an example, but an example of what? For me,
it's an example of bad code that should not be used to protect some
website area. And that is precisely what you are doing with:
http://www.opensavoir.com/test.txt
http://www.opensavoir.com/test.php
http://www.opensavoir.com/phpinfo.php
http://www.opensavoir.com/test.php?page=phpinfo.php
http://www.opensavoir.com/test.php?page=./foo/../phpinfo.php
http://www.opensavoir.com/test.php?page=./anything/../phpinfo.php
That's OK, you can't rely on file_exists() to do what you want to do... but
that's a very ugly way to do it, though. If someone can enter your site
against your will, it will be your fault because of this ugly code (which
would be ugly even if file_exists() worked well).
In your first e-mail, you asked whether we think that's a real vulnerability.
What I think is:
. file_exists() has a bug
. your code has a vulnerability
When you program security-related functions, you should not rely on
functions you suppose to be bug-free, but test every case (like you did) and
finally choose the right way. To conclude:
. use another manner to protect your website
. report the *bug* to PHP (already done, if I understood correctly)
... and don't think that any existing website uses this method for
protection!!
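The "another manner" suggested above, as an added example that is not the test.php from the thread nor code by its author: a page gate that never lets a request such as `?page=./foo/../phpinfo.php` reach `include`, because it resolves only names from a fixed allowlist and then confirms with `realpath()` that the resolved file sits under an assumed `pages/` directory. The directory layout and the `ALLOWED_PAGES` map are assumptions for the example.

```php
<?php
// Added example, not the code under discussion. Assumptions: includable pages
// live under __DIR__ . '/pages' and the visitor passes ?page=<name>.
declare(strict_types=1);

// Names a visitor may request, mapped to files. Nothing outside this map is
// ever included, whatever the filesystem holds or file_exists() reports.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Returns the absolute path of the page to include, or null to refuse.
 * Two independent checks: the allowlist, and a realpath() prefix test so
 * that even a mistake in the map cannot reach a file outside $baseDir.
 */
function resolvePage(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                       // unknown name: refuse, never guess
    }
    $root = realpath($baseDir);
    if ($root === false) {
        return null;                       // base directory missing
    }
    $path = realpath($root . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    if ($path === false) {
        return null;                       // mapped file missing
    }
    // realpath() has collapsed any "./foo/../" segments and symlinks, so a
    // plain prefix comparison confirms the file really is under $root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$baseDir = __DIR__ . '/pages';              // assumed layout
$target  = resolvePage((string) ($_GET['page'] ?? ''), $baseDir);
if ($target === null) {
    http_response_code(404);               // same answer for unknown and refused
    exit('No such page.');
}
require $target;
```

With this gate, `?page=phpinfo.php` and `?page=./foo/../phpinfo.php` both fail the allowlist lookup before any filesystem call is made, so the behaviour of file_exists() on such paths no longer matters.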
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html