From: lostnoobs at security-challenge.com (Nourredine Himeur)
Subject: file_exists() bypassing, critical problem?

Hi,

There is a security problem in the file_exists() function which allows unauthorized users to bypass the function.

For example, a user uses this function to check the existence of, and display the source code of, his file "my_file.php" in the "/test" directory. He uses a script like this one for this:

----- file_exists.php -----
<?php
// $var comes from the query string (register_globals)
if(file_exists($var)){
    echo("File exist<br><br>");
    $source = file( $var );
    while ( list( $num_line, $line ) = each( $source ) ) {
        echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
    }
}else{
    echo("File doesn't exist<br><br>");
    $source = file( $var );
    while ( list( $num_line, $line ) = each( $source ) ) {
        echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
    }
}
?>
----- file_exists.php -----

He tests his script with the following address on his server:

http://[server]/test/file_exists.php?var=my_file.php

The file "my_file.php" contains the following text:

----- my_file.php -----
PHP is a widely-used
general-purpose scripting
language that is especially
suited for Web development
and can be embedded into HTML.
----- my_file.php -----

After launching his script, he obtains:

----- http://[server]/test/file_exists.php?var=my_file.php -----
File exist

Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
----- http://[server]/test/file_exists.php?var=my_file.php -----

Up to here everything seems to be normal.

If he tests it with another file name, he obtains:

----- http://[server]/test/file_exists.php?var=another_file.php -----
File doesn't exist

Warning: file(test): failed to open stream: No such file or directory in /home/xxx/www/test/file_exists.php on line 11

Warning: Variable passed to each() is not an array or object in /home/xxx/www/test/file_exists.php on line 12
----- http://[server]/test/file_exists.php?var=another_file.php -----

It's normal too...

But if a user tests this script, for example, with the following link: http://[server]/test/file_exists.php?var=anything/../my_file.php, he obtains:

----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----
File doesn't exist

Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
----- http://[server]/test/file_exists.php?var=anything/../my_file.php -----

We can see that the file_exists() function returns that the file doesn't exist, but the source code has been displayed. It's a very critical bug because a malicious user can use it to bypass the file_exists() protection on an include() script, for example.

Another, simpler example:

In the same directory:

test.php
-----------------------------------------------------------
<?
if(file_exists($page)){
    echo("Sorry the local page is protected");
}else{
    include($page);
}
?>
-----------------------------------------------------------

file.txt
-----------------------------------------------------------
Hello Word
-----------------------------------------------------------

http://www.example.com/test.php?page=file.txt
Result: Sorry the local page is protected

http://www.example.com/test.php?page=./foo/../file.txt
Result: Hello Word

The file_exists() function is bypassed.

I want to know if you think that's a real vulnerability or not? (securityfocus says NO and doesn't want to publish it.)

If you have any questions, don't hesitate to contact me.

Nourredine Himeur
lostnoobs@...urity-challenge.com
www.security-challenge.com
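
One way to keep the existence check and the file access from disagreeing, as an added example that is not part of the original post: normalize the request parameter once, confine it to a base directory, and make every later decision on the resulting canonical path. resolve_inside() and the temporary sample directory are hypothetical names constructed here; PHP 7.1 or later is assumed.

```php
<?php
// Added illustration, not from the original post; names and sample data are constructed.
/** Return the canonical path of $userPath inside $baseDir, or null. */
function resolve_inside(string $baseDir, string $userPath): ?string
{
    // Reject NUL bytes and absolute paths (POSIX, UNC or drive-letter form).
    if (strpos($userPath, "\0") !== false
        || preg_match('#^([/\\\\]|[A-Za-z]:)#', $userPath)) {
        return null;
    }
    // Fold "." and ".." lexically, so "./foo/../file.txt" and "file.txt"
    // become the same string whether or not a directory "foo" exists.
    $parts = [];
    foreach (preg_split('#[/\\\\]+#', $userPath) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (!$parts) {
                return null;                // would climb above $baseDir
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    // Resolve symlinks, then confirm the result is a file under the base.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    $real = realpath($prefix . implode(DIRECTORY_SEPARATOR, $parts));
    if ($real === false || !is_file($real) || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;   // test and open this one string, never the raw input
}

// Constructed sample data: a temporary directory holding file.txt.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fe_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'file.txt', "Hello Word\n");
foreach (['file.txt', './foo/../file.txt', '../file.txt', 'missing.txt'] as $in) {
    $path = resolve_inside($dir, $in);
    echo str_pad($in, 20), $path === null ? 'rejected' : 'ok: ' . basename($path), "\n";
}
unlink($dir . DIRECTORY_SEPARATOR . 'file.txt');
rmdir($dir);
```

Because "file.txt" and "./foo/../file.txt" reduce to the same canonical path, an allow or deny decision made on the returned value cannot differ from what the later read or include() actually opens.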