Full Disclosure mailing list archives
Re: Re: Re: file_exists() bypassing , critical problem ?
From: "Nourredine Himeur" <lostnoobs () security-challenge com>
Date: Mon, 2 Feb 2004 13:38:43 +0100
> Hello, first of all I find it funny that you now report this "hole" to full-disclosure. We (at security () php net) got the same mail (with the same examples/text) from a person with a totally different name a while ago.
Yes ;)
> -----------------------------------------------------------
> <?php
> // $page comes from the request (?page=...)
> if(file_exists($page)){
>     echo("Sorry the local page is protected");
> }else{
>     include($page);
> }
> ?>
> -----------------------------------------------------------
> A nice artificial example. But what are you trying to achieve?
Yes, artificial, because it's simpler to understand.
> The include f.e. is completely misplaced. It makes no sense that you want to include a file only if it does NOT exist. Because if you try to include a nonexistent file you will only get an include error. So at first look the include call is completely redundant. But with fopen() wrappers activated this code construct is a security hole. It is a documented and often underlined fact that file_exists() does not work on remote files. So you are open for any remote include.
IT'S JUST AN EXAMPLE !!!
> And finally, no one said that file_exists() is bug-free, but you were not able to provide any real example where a false result: "file does not exist" is a security hole.
OK, look at this:

http://www.opensavoir.com/test.txt
http://www.opensavoir.com/test.php
http://www.opensavoir.com/phpinfo.php
http://www.opensavoir.com/test.php?page=phpinfo.php
http://www.opensavoir.com/test.php?page=./foo/../phpinfo.php
http://www.opensavoir.com/test.php?page=./anything/../phpinfo.php

You see now?
> You usually only do things to files IF they exist. And maybe for the hundredth time: Never trust filenames supplied by the user. You always have to triple check them.
>
> Stefan
Nourredine Himeur
www.security-challenge.com
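
The advice quoted in the message (act on a file only when a positive check succeeds, and never trust a filename supplied by the user) could look like this in PHP. This is an added example, not code from the thread; `PAGE_DIR`, `resolve_page()` and the sample page names are hypothetical.

```php
<?php
// Added example, not code from the thread. PAGE_DIR and the page names
// below are hypothetical.
const PAGE_DIR = __DIR__ . '/pages';

/** Map a user-supplied page name to a real file under PAGE_DIR, or null. */
function resolve_page(string $page): ?string
{
    // A local page name never needs a scheme (http://, ftp://, php://) or a NUL byte.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $page) || strpos($page, "\0") !== false) {
        return null;
    }
    // realpath() canonicalises "." / ".." / symlinks and returns false when
    // the path cannot be resolved, so the decision is made on the final path,
    // not on the string the client sent.
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . DIRECTORY_SEPARATOR . $page);
    if ($base === false || $real === false) {
        return null;
    }
    // Containment: the canonical path must stay inside PAGE_DIR.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only regular .php files are pages.
    if (!is_file($real) || pathinfo($real, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs mirroring the shapes of the URLs in the message.
    foreach (['home.php', './foo/../home.php', '../secret.php', 'http://example.com/x.txt'] as $in) {
        printf("%-26s => %s\n", $in, resolve_page($in) ?? 'rejected');
    }
    exit;
}

$page = $_GET['page'] ?? 'home.php';
$target = resolve_page(is_string($page) ? $page : '');
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target; // include only what the positive check approved
```

Unlike the negated `file_exists()` test in the quoted snippet, a failed lookup here means nothing is included.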