Open Source and information security mailing list archives
 
From: dan at lockedbox.net (Daniel B)
Subject: file_exists() bypassing , critical problem ?

Hi,

"Nourredine Himeur" <lostnoobs@...urity-challenge.com> wrote:
> In the same directory :
> test.php
> -----------------------------------------------------------
> <?
> if(file_exists($page)){
> echo("Sorry the local page is protected");
> }else{
> include($page);
> }
> ?>
> -----------------------------------------------------------
> 
> file.txt
> -----------------------------------------------------------
> Hello World
> -----------------------------------------------------------
> 
> http://www.example.com/test.php?page=file.txt
> 
> Result:
> Sorry the local page is protected
> 
> http://www.example.com/test.php?page=./[anything]/../file.txt
> <----------------- the file exists but the function file_exists() doesn't show
> it, so the file is included !!!!!
> 
> Result:
> Hello World

I don't get this result. Here is what I am using and what results:-
dan@...ebox test $ cat test.php
<?
$_igr = ini_get('register_globals');
if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0)
        import_request_variables('GPC');

if(file_exists($page)){
        echo("Sorry the local page is protected");
} else {
        echo "including:".$page."\r\n";
        include($page);
        echo "\r\nEOF";
}
?>

dan@...ebox test $ cat test.txt
Testing...

Results:-
dan@...ebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=test.txt
Sorry the local page is protected
dan@...ebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=./foo/../test.txt
including:./foo/../test.txt

EOF

Looks to me like the include is following the ./foo directory and then failing
because it doesn't exist. Dunno for sure though. But yes, the file_exists is being
bypassed in a fashion, but the file doesn't really exist. E.g., on Linux:

dan@...ebox test $ ls -l
total 12
drwxr-xr-x    2 dan      dan          4096 Feb  2 13:39 test
-rw-r--r--    1 dan      dan           273 Feb  2 13:37 test.php
-rw-r--r--    1 dan      dan            11 Feb  2 13:37 test.txt
dan@...ebox test $ cat ./foo/../test.txt
cat: ./foo/../test.txt: No such file or directory
dan@...ebox test $ cd ./foo/../test/
-/bin/bash: cd: ./foo/../test/: No such file or directory

So it might be that, as it's passing the whole $page variable to the include, it's
following in the raw filesystem call... It's too much work stracing my Apache
setup for a specific request, threads and all... (if you know an easy way, mail
me)

Regards,
Daniel.
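
An added example, not part of the original post or of either test.php in this thread: rather than deciding on the raw $page string with file_exists() and then handing the same raw string to include(), resolve the request to one canonical path, check that path, and include only that path. The function name resolve_page(), the dedicated pages directory and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// Assumption: includable pages live in one dedicated directory ($baseDir).

/** Return the canonical path of a requested page, or null if it must not be included. */
function resolve_page(string $requested, string $baseDir): ?string
{
    // Refuse empty names, NUL bytes and scheme-style names (http://, php://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." and returns false if the path cannot
    // be resolved, so the decision is made on the canonical path and not on
    // the string the client sent.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // The canonical path must still sit inside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a throwaway pages directory holding a single file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'file.txt', "Hello World\n");

// Constructed sample requests, including the form quoted in the thread.
$samples = ['file.txt', './anything/../file.txt', '../outside.txt', 'http://www.example.com/x.txt'];
foreach ($samples as $page) {
    $real = resolve_page($page, $base);
    // Only the resolved path would ever be passed on to include().
    echo str_pad($page, 30), ' => ', $real === null ? 'rejected' : 'include ' . $real, "\n";
}

unlink($base . DIRECTORY_SEPARATOR . 'file.txt');
rmdir($base);
```

Because the check and the include both use the value returned by resolve_page(), a path that the two would otherwise interpret differently can no longer slip between them.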


