Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
- From: "Daniel B" <dan@lockedbox.net>
- Date: Mon, 2 Feb 2004 14:08:14 +0000
Hi,
"Nourredine Himeur" <lostnoobs@security-challenge.com> wrote:
> In the same directory :
> test.php
> -----------------------------------------------------------
> <?php
> // Intended as a denylist: refuse the include when the file exists locally.
> if(file_exists($page)){
> echo("Sorry the local page is protected");
> }else{
> // Reached whenever file_exists() returns false, whatever the reason.
> include($page);
> }
> ?>
> -----------------------------------------------------------
>
> file.txt
> -----------------------------------------------------------
> Hello World
> -----------------------------------------------------------
>
> http://www.example.com/test.php?page=file.txt
>
> Result:
> Sorry the local page is protected
>
> http://www.example.com/test.php?page=./[anything]/../file.txt
> <----------------- the file exists but the function file_exists() doesn't show
> it, so the file is included !!!!!
>
> Result:
> Hello World
I don't get this result. Here is what I am using and the results:-
dan@freebox test $ cat test.php
<?php
// Make $page available when register_globals is off.
$_igr = ini_get('register_globals');
if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0)
import_request_variables('GPC');
if(file_exists($page)){
echo("Sorry the local page is protected");
} else {
// Print the path so we can see exactly what include() is handed.
echo "including:".$page."\r\n";
include($page);
echo "\r\nEOF";
}
?>
dan@freebox test $ cat test.txt
Testing...
Results:-
dan@freebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=test.txt
Sorry the local page is protected
dan@freebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=./foo/../test.txt
including:./foo/../test.txt
EOF
Looks to me like the include is following the ./foo directory and then failing
because it doesn't exist. Dunno for sure though. But yes, the file_exists is being
bypassed in a fashion, but the file doesn't really exist. E.g., on linux:
dan@freebox test $ ls -l
total 12
drwxr-xr-x 2 dan dan 4096 Feb 2 13:39 test
-rw-r--r-- 1 dan dan 273 Feb 2 13:37 test.php
-rw-r--r-- 1 dan dan 11 Feb 2 13:37 test.txt
dan@freebox test $ cat ./foo/../test.txt
cat: ./foo/../test.txt: No such file or directory
dan@freebox test $ cd ./foo/../test/
-/bin/bash: cd: ./foo/../test/: No such file or directory
So it might be that, as it's passing the whole $page variable to the include, it's
following it in the raw filesystem call. It's too much work stracing my apache
setup for a specific request, threads and all (if you know an easy way, mail
me).
Regards,
Daniel.
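The thread turns on the fact that the quoted test.php opens the include whenever file_exists() returns false, and a path through a nonexistent directory ("./foo/../file.txt") makes it return false on Linux. The following script is an added illustration, not code posted by either participant: it puts that gate beside a deny-by-default gate built on realpath() and an allowed directory. The scratch directory name, the pages/ subdirectory and the file contents are constructed for the demo.

```php
<?php
// Added example for this thread (not code posted by Daniel or Nourredine).
// Contrasts the gate from the quoted test.php with a canonicalising,
// deny-by-default gate. Directory names and file contents are constructed.

// Mirrors the quoted test.php: the include is allowed whenever file_exists()
// returns false. On Linux a path through a directory that does not exist
// ("./foo/../file.txt") makes file_exists() return false, so this gate opens,
// which is exactly the behaviour the thread is discussing.
function naiveGate(string $page): bool
{
    return !file_exists($page);
}

// Deny-by-default gate: canonicalise with realpath(), which returns false when
// any path component is missing (the "./foo/../" case), require the resolved
// file to sit inside $baseDir, and only accept plain .txt files.
function safeGate(string $page, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false) {
        return null;                      // unresolvable path: deny
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the allowed dir: deny
    }
    if (!is_file($real) || pathinfo($real, PATHINFO_EXTENSION) !== 'txt') {
        return null;                      // not a plain .txt file: deny
    }
    return $real;
}

// Demo: recreate the thread's layout in a scratch directory and feed both
// gates the same inputs, including the "./foo/../" form from the report.
$scratch = sys_get_temp_dir() . '/fe_demo_' . getmypid();   // constructed name
$pages   = $scratch . '/pages';
mkdir($pages, 0700, true);
file_put_contents($pages . '/file.txt', "Hello World\n");
chdir($pages);   // so relative paths behave as in the quoted test.php

foreach (['file.txt', './foo/../file.txt', '../secret.txt', 'nothere.txt'] as $page) {
    $safe = safeGate($page, $pages);
    printf("%-22s naive: %-8s safe: %s\n",
        $page,
        naiveGate($page) ? 'include' : 'block',
        $safe === null ? 'block' : 'include ' . basename($safe));
}

// Remove the scratch directory again.
unlink($pages . '/file.txt');
rmdir($pages);
rmdir($scratch);
```

Run it with the PHP CLI. The naive column reproduces the thread: "file.txt" is blocked, while "./foo/../file.txt" and any nonexistent name pass the gate (whether include() then finds anything is the separate question Daniel raises). The safe column treats a failed realpath() as a reason to refuse rather than to proceed, so the same inputs are denied and only the resolved file inside pages/ is ever handed to include().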
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html