lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: lostnoobs at security-challenge.com (Nourredine Himeur)
Subject: file_exists() bypassing , critical problem ?

>Hello, 
> 
>first of all I find it funny that you now report this "hole" 
>to full-disclosure. We (at security@....net) got the same 
>mail (with the same examples/text) from a person with a totally 
>differen name a while ago. 

Yes ;) 

> > ----------------------------------------------------------- 
> > > > if(file_exists($page)){ 
> > echo("Sorry the local page is protected"); 
> > }else{ 
> > include($page); 
> > } 
> > ?> 
> > ----------------------------------------------------------- 
> 
>A nice artificial example. But what are you trying to achieve?

yes artificial because it's more simply for understand 
 
>The include f.e. is completely misplaced. It makes no sense 
>that you want to include a file only if it does NOT exist. 
>Because if you try to include a nonexistant file you will 
>only get an include error. So on the first look the include 
>call is completely redundant. But with fopen() wrappers activated 
>this code construct is a security hole. It is a documented 
>and often underlined fact that file_exists() does not work on 
>remote files. So you are open for any remote include. 

IT'S JUST AN EXAMPLE !!!

>And finally, noone said that file_exists() is bugfree, but 
>you were not able to provide any real example where a false 
>result: "file does not exist" is a security hole. 

Ok show this :
http://www.opensavoir.com/test.txt
http://www.opensavoir.com/test.php
http://www.opensavoir.com/phpinfo.php

http://www.opensavoir.com/test.php?page=phpinfo.php

http://www.opensavoir.com/test.php?page=./foo/../phpinfo.php

http://www.opensavoir.com/test.php?page=./anything/../phpinfo.php

You see now ?

>You usually only do things to files IF they exist. 
>And maybe for the hundreth time: Never trust filenames supplied 
>by the user. You always have to tripple check them. 
> 
>Stefan 
> 

Nourredine Himeur

www.security-challenge.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ