lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: s.esser at e-matters.de (Stefan Esser)
Subject: file_exists() bypassing , critical problem ?

Hello,

first of all I find it funny that you now report this "hole"
to full-disclosure. We (at security@....net) got the same
mail (with the same examples/text) from a person with a totally
differen name a while ago.

> -----------------------------------------------------------
> <?
> if(file_exists($page)){
> echo("Sorry the local page is protected");
> }else{
> include($page);
> }
> ?>
> -----------------------------------------------------------

A nice artificial example. But what are you trying to achieve?
The include f.e. is completely misplaced. It makes no sense
that you want to include a file only if it does NOT exist.
Because if you try to include a nonexistant file you will
only get an include error. So on the first look the include
call is completely redundant. But with fopen() wrappers activated
this code construct is a security hole. It is a documented
and often underlined fact that file_exists() does not work on
remote files. So you are open for any remote include.

And finally, noone said that file_exists() is bugfree, but 
you were not able to provide any real example where a false
result: "file does not exist" is a security hole.

You usually only do things to files IF they exist. 
And maybe for the hundreth time: Never trust filenames supplied
by the user. You always have to tripple check them.

Stefan

-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser@...atters.de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ