[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4debaa770712190214p11cef6d3r94c250ae6ada61e5@mail.gmail.com>
Date: Wed, 19 Dec 2007 11:14:50 +0100
From: "Maciej GÄ…siorowski" <gonsiore@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: smbfs and apache+php source code disclosure
Because of different filename handling in Posix and Windows there is
an issue with resolving filenames with a backslash "\" character
appended on a windows share.
Consider you have a windows share mounted on a linux box with a php
script on it - let's say info.php.
Executing find info.php and find info.php\\ results with the same file
- info.php (same with cat info.php\\).
When using this share to serve PHP scripts with apache (from a linux
box) you can use it to display php script content directly to your
browser.
In apache, scripts are mapped to engines using the AddType directive
with file extension specified. Text files with extensions not handled
by any AddType are considered as plain text.
When visiting http://linuxbox/winshare/info.php - you get you script executed.
When visiting http://linuxbox/winshare/info.php\ or
http://linuxbox/winshare/info.php%5C - you get your script content
displayed, revealing any details like database passwords etc.
The reason is obvious, smbfs finds file info.php\, but apache doesn't
have the extension php\ mapped to php engine.
The same should apply to perl scripts with mod_perl.
I don't know if this is something new, maybe it is some configuration
mistake. I have just confirmed it on a freshly installed debian etch
box with all security updates applied using default settings of apache
and smbfs.
Regards
Maciej
Powered by blists - more mailing lists