From: lostnoobs at security-challenge.com (Nourredine Himeur)
Subject: file_exists() bypassing , critical problem ?
>Hello,
>
>first of all I find it funny that you now report this "hole"
>to full-disclosure. We (at security@....net) got the same
>mail (with the same examples/text) from a person with a totally
>different name a while ago.
Yes ;)
> > -----------------------------------------------------------
> > <?php
> > if(file_exists($page)){
> > echo("Sorry the local page is protected");
> > }else{
> > include($page);
> > }
> > ?>
> > -----------------------------------------------------------
>
>A nice artificial example. But what are you trying to achieve?
Yes, artificial, because it's simpler to understand.
>The include f.e. is completely misplaced. It makes no sense
>that you want to include a file only if it does NOT exist.
>Because if you try to include a nonexistent file you will
>only get an include error. So on the first look the include
>call is completely redundant. But with fopen() wrappers activated
>this code construct is a security hole. It is a documented
>and often underlined fact that file_exists() does not work on
>remote files. So you are open for any remote include.
IT'S JUST AN EXAMPLE!!!
>And finally, no one said that file_exists() is bug-free, but
>you were not able to provide any real example where a false
>result: "file does not exist" is a security hole.
OK, look at this:
http://www.opensavoir.com/test.txt
http://www.opensavoir.com/test.php
http://www.opensavoir.com/phpinfo.php
http://www.opensavoir.com/test.php?page=phpinfo.php
http://www.opensavoir.com/test.php?page=./foo/../phpinfo.php
http://www.opensavoir.com/test.php?page=./anything/../phpinfo.php
You see now?
>You usually only do things to files IF they exist.
>And maybe for the hundredth time: Never trust filenames supplied
>by the user. You always have to triple check them.
>
>Stefan
>
Nourredine Himeur
www.security-challenge.com
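
The disagreement debated in this thread (a file_exists() test and include() treating the same user-supplied string differently) stops mattering when the script validates the name and includes only a canonical path it computed itself. This is an added example, not part of the original message; `PAGE_DIR` and `resolve_page()` are hypothetical names and the sample inputs are constructed.

```php
<?php
// Added illustration, not code from the thread. PAGE_DIR and resolve_page()
// are hypothetical names; the sample inputs at the bottom are constructed.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';   // assumed directory holding includable pages

/**
 * Map a user-supplied page name to a file that may be included, or null.
 * The decision never relies on file_exists() and include() resolving a path
 * the same way: the name is validated first, the canonical path is computed
 * once, and that exact string is what the caller includes.
 */
function resolve_page(string $name, string $baseDir = PAGE_DIR): ?string
{
    // 1. Accept plain names only. No "/", "\", ".", NUL byte or "scheme://"
    //    wrapper prefix can match this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Canonicalise. realpath() returns false for a missing path and
    //    resolves symlinks as well as "." and ".." components.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment: the canonical path must still sit inside the base
    //    directory (catches a symlink in pages/ that points elsewhere).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed inputs, including the shapes used in the message above.
foreach (['home', 'phpinfo.php', './foo/../phpinfo.php', 'http://example.com/x'] as $in) {
    $target = resolve_page($in);
    echo str_pad($in, 24), ' => ', $target ?? 'rejected', PHP_EOL;
}
// In the page script:
//   $t = resolve_page($_GET['page'] ?? '');
//   if ($t !== null) { include $t; }
```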