Full Disclosure mailing list archives

Re: file_exists() bypassing, critical problem?


From: "Daniel B" <dan () lockedbox net>
Date: Mon, 2 Feb 2004 14:08:14 +0000

Hi,

"Nourredine Himeur" <lostnoobs () security-challenge com> wrote:
In the same directory:
test.php
-----------------------------------------------------------
<?
if(file_exists($page)){
echo("Sorry the local page is protected");
}else{
include($page);
}
?>
-----------------------------------------------------------

file.txt
-----------------------------------------------------------
Hello World
-----------------------------------------------------------

http://www.example.com/test.php?page=file.txt

Result:
Sorry the local page is protected

http://www.example.com/test.php?page=./[anything]/../file.txt
<----------------- the file exists but the function file_exists() doesn't show
it, so the file is included !!!!!

Result:
Hello World

I don't get this result. Here is what I am using and what results:-
dan@freebox test $ cat test.php
<?
$_igr = ini_get('register_globals');
if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0)
import_request_variables('GPC');

if(file_exists($page)){
        echo("Sorry the local page is protected");
} else {
        echo "including:".$page."\r\n";
        include($page);
        echo "\r\nEOF";
}
?>

dan@freebox test $ cat test.txt
Testing...

Results:-
dan@freebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=test.txt
Sorry the local page is protected
dan@freebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=./foo/../test.txt
including:./foo/../test.txt

EOF

Looks to me like the include is following the ./foo directory and then failing
because it doesn't exist. Dunno for sure though. But yes, the file_exists is being
bypassed in a fashion, but the file doesn't really exist. E.g., on Linux:

dan@freebox test $ ls -l
total 12
drwxr-xr-x    2 dan      dan          4096 Feb  2 13:39 test
-rw-r--r--    1 dan      dan           273 Feb  2 13:37 test.php
-rw-r--r--    1 dan      dan            11 Feb  2 13:37 test.txt
dan@freebox test $ cat ./foo/../test.txt
cat: ./foo/../test.txt: No such file or directory
dan@freebox test $ cd ./foo/../test/
-/bin/bash: cd: ./foo/../test/: No such file or directory

So it might be that as it's passing the whole $page variable to the include, it's
following in the raw filesystem call.. it's too much work stracing my Apache
setup for a specific request, threads and all.. (if you know an easy way, mail
me)

Regards,
Daniel.
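An added illustration, not part of Daniel's post or the original report, that reproduces the discrepancy he observed in Python rather than PHP: stat() (what file_exists() relies on) has to walk through the absent ./foo component and fails, while a lexical collapse of foo/.. points straight back at test.txt. The resolve_page() helper is an assumed defensive pattern, canonicalising with realpath() and checking containment before deciding, so that the decision is made on the file that would actually be opened; the pages/ layout and file contents are constructed for the demo.

```python
import os
import tempfile

IS_POSIX = os.name == "posix"

def probe(page_dir):
    """Compare the kernel's answer (stat via os.path.exists) with a purely
    lexical collapse of 'foo/..' for the path used in the original report."""
    direct = os.path.join(page_dir, "test.txt")
    dotdot = os.path.join(page_dir, "foo", "..", "test.txt")
    return {
        # stat() has to traverse 'foo'; it is absent, so the lookup fails (POSIX)
        "exists_direct": os.path.exists(direct),
        "exists_dotdot": os.path.exists(dotdot),
        # a string-level normalisation points straight back at test.txt
        "lexical_same": os.path.normpath(dotdot) == os.path.normpath(direct),
    }

def resolve_page(page, page_dir):
    """Assumed hardening pattern: canonicalise first, decide second.
    realpath() collapses the absent 'foo/..' lexically, so the existence and
    containment checks are made on the file that would really be opened.
    Returns the canonical path, or None if the page must not be included."""
    base = os.path.realpath(page_dir)
    candidate = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, candidate]) != base:
        return None  # resolves outside the page directory
    if not os.path.isfile(candidate):
        return None  # nothing there to include
    return candidate

def demo():
    """Constructed layout: pages/test.txt exists, pages/foo does not, and
    outside.txt sits one level above the page directory."""
    with tempfile.TemporaryDirectory() as tmp:
        page_dir = os.path.join(tmp, "pages")
        os.mkdir(page_dir)
        with open(os.path.join(page_dir, "test.txt"), "w") as fh:
            fh.write("Testing...\n")
        with open(os.path.join(tmp, "outside.txt"), "w") as fh:
            fh.write("not a page\n")
        result = probe(page_dir)
        resolved = resolve_page("./foo/../test.txt", page_dir)
        result["resolved_ok"] = resolved == os.path.realpath(os.path.join(page_dir, "test.txt"))
        result["outside_rejected"] = resolve_page("../outside.txt", page_dir) is None
    return result
```

On Linux, demo() reports exists_direct True, exists_dotdot False and lexical_same True, which is exactly the file_exists()/include() split seen in the wget output above; resolve_page() gives one consistent answer for both spellings of the path.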

