From: dan at lockedbox.net (Daniel B)
Subject: file_exists() bypassing , critical problem ?
Hi,
"Nourredine Himeur" <lostnoobs@...urity-challenge.com> wrote:
> In the same directory :
> test.php
> -----------------------------------------------------------
> <?
> if(file_exists($page)){
> echo("Sorry the local page is protected");
> }else{
> include($page);
> }
> ?>
> -----------------------------------------------------------
>
> file.txt
> -----------------------------------------------------------
> Hello World
> -----------------------------------------------------------
>
> http://www.example.com/test.php?page=file.txt
>
> Result:
> Sorry the local page is protected
>
> http://www.example.com/test.php?page=./[anything]/../file.txt
> <----------------- the file exists but the function file_exists() doesn't show
> it, so the file is included !!!!!
>
> Result:
> Hello World
I don't get this result. Here is what I am using and what results:-
dan@...ebox test $ cat test.php
<?
$_igr = ini_get('register_globals');
if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0)
import_request_variables('GPC');
if(file_exists($page)){
echo("Sorry the local page is protected");
} else {
echo "including:".$page."\r\n";
include($page);
echo "\r\nEOF";
}
?>
dan@...ebox test $ cat test.txt
Testing...
Results:-
dan@...ebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=test.txt
Sorry the local page is protected
dan@...ebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=./foo/../test.txt
including:./foo/../test.txt
EOF
Looks to me like the include is following the ./foo directory and then failing
because it doesn't exist. Dunno for sure though. But yes, the file_exists is being
bypassed in a fashion, but the file doesn't really exist. E.g., on Linux:
dan@...ebox test $ ls -l
total 12
drwxr-xr-x 2 dan dan 4096 Feb 2 13:39 test
-rw-r--r-- 1 dan dan 273 Feb 2 13:37 test.php
-rw-r--r-- 1 dan dan 11 Feb 2 13:37 test.txt
dan@...ebox test $ cat ./foo/../test.txt
cat: ./foo/../test.txt: No such file or directory
dan@...ebox test $ cd ./foo/../test/
-/bin/bash: cd: ./foo/../test/: No such file or directory
So it might be that as it's passing the whole $page variable to the include it's
following in the raw filesystem call.. it's too much work stracing my apache
setup for a specific request, threads and all.. (if you know an easy way..mail
me)
Regards,
Daniel.
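
Added example, not part of the original messages or of either poster's code: one way to avoid making the access decision on a raw request string is to canonicalize the path once with realpath(), confirm it stays inside a single pages directory, and then read that same canonical path. The function name resolve_page(), the temporary directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not code from this thread.
// The check and the file access both use one canonical path, so a string
// such as "./foo/../test.txt" cannot be judged one way and opened another.

function resolve_page(string $baseDir, string $page): ?string
{
    // Reject empty names, NUL bytes and anything shaped like a URL wrapper.
    if ($page === '' || strpos($page, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $page)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves the path through the filesystem and returns
    // false when it cannot, instead of leaving ".." for a later call.
    $real = realpath($base . DIRECTORY_SEPARATOR . $page);
    if ($real === false || !is_file($real)) {
        return null;
    }

    // Containment: the canonical path must sit below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample data: a throwaway directory holding one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/test.txt', "Testing...\n");

$samples = ['test.txt', './foo/../test.txt', '../../etc/passwd', 'http://example.com/x.txt'];
foreach ($samples as $p) {
    $path = resolve_page($dir, $p);
    echo str_pad($p, 28), ' => ', $path === null ? 'rejected' : 'serve ' . basename($path), "\n";
}

unlink($dir . '/test.txt');
rmdir($dir);
```

Serving the resolved file with readfile() rather than include() keeps a page that passes the check from being executed as PHP.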