From: full-disclosure at nospam.wafel.org (Jorrit Kronjee)
Subject: file_exists() bypassing , critical problem

Nourredine Himeur wrote:

>>But all bugs aren't a vulnerability.
> 
> 
> I don't think so; for me, all bugs ARE a vulnerability.
> 
Your personal opinion doesn't matter, facts do.

> 
> translation:
> Lire une source HTML  = Read an HTML source
> 
> source.php:
> -------------------------------------------------------------------
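>    // Read the target into an array of lines
>    $contenu = file( $url );
> 
>    // Print each line, HTML-escaped, with its line number
>    // (foreach replaces each(), which was removed in PHP 8)
>    foreach ( $contenu as $numero_ligne => $ligne )
>    {
>        echo "<B>Ligne $numero_ligne:</B> ".htmlspecialchars( $ligne )."<br>";
>    }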
> -------------------------------------------------------------------
> With the function file() I show the HTML source.
> 
> But you don't want a visitor to see the local source of your own file, because if
> file() opens a local PHP file, it sees the PHP source.
> 
> If you used file_exists() to protect your own page, a malicious visitor can
> use the vulnerability of this function to see the PHP source of your own
> page.php !!!
> 

It's just the same for not properly escaping single quotes in dynamic 
SQL statements; a vulnerability caused by bad scripting.

I think your only goal here is slandering the PHP folks. Your example is 
just as badly programmed as the previous examples, not to mention the 
fact your example doesn't use file_exists and if it would, how would 
file_exists() protect you from reading PHP documents?

Jorrit
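
The point of the reply above, that file_exists() only reports whether a path exists and does not decide what the script may read, shown as an added example that is not part of the original thread. The helper names `is_remote_http_url` and `show_source` and the sample inputs are constructed for illustration; the check is one possible allowlist for the quoted source.php, not the poster's code.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Accept only absolute http(s) URLs with a host. Local paths and every
// other scheme are refused before any I/O is attempted, so the decision
// does not depend on whether a file happens to exist on disk.
function is_remote_http_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;               // relative or absolute local path
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Same output as the quoted source.php, but gated by the allowlist.
function show_source(string $url): string
{
    if (!is_remote_http_url($url)) {
        return "Refused: only http(s) URLs are accepted\n";
    }
    $lines = @file($url);
    if ($lines === false) {
        return "Could not read the requested URL\n";
    }
    $out = '';
    foreach ($lines as $n => $line) {
        $out .= "<b>Line $n:</b> " . htmlspecialchars($line) . "<br>\n";
    }
    return $out;
}

// Constructed sample inputs: only the check is exercised, nothing is fetched.
$samples = [
    'http://example.com/index.html',   // allowed
    'HTTPS://example.com/',            // allowed, scheme compared case-insensitively
    'page.php',                        // refused: local relative path
    '/var/www/page.php',               // refused: local absolute path
    'ftp://example.com/file',          // refused: scheme not on the allowlist
];
foreach ($samples as $candidate) {
    printf("%-32s %s\n", $candidate,
        is_remote_http_url($candidate) ? 'allowed' : 'refused');
}
```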

