Full Disclosure mailing list archives
Re: file_exists() bypassing , critical problem ?
From: "Daniel B" <dan () lockedbox net>
Date: Mon, 2 Feb 2004 14:08:14 +0000
Hi,

"Nourredine Himeur" <lostnoobs () security-challenge com> wrote:
> In the same directory:
>
> test.php
> -----------------------------------------------------------
> <?
> if(file_exists($page)){
>     echo("Sorry the local page is protected");
> }else{
>     include($page);
> }
> ?>
> -----------------------------------------------------------
>
> file.txt
> -----------------------------------------------------------
> Hello World
> -----------------------------------------------------------
>
> http://www.example.com/test.php?page=file.txt
> Result: Sorry the local page is protected
>
> http://www.example.com/test.php?page=./[anything]/../file.txt
> <----------------- the file exists but the function file_exists() doesn't show it.
> So the file is included !!!!!
> Result: Hello World
I don't get this result. Here is what I am using and what results:-

dan@freebox test $ cat test.php
<?
$_igr = ini_get('register_globals');
if ($_igr == '' OR $_igr == 'Off' OR $_igr == 0)
    import_request_variables('GPC');
if(file_exists($page)){
    echo("Sorry the local page is protected");
} else {
    echo "including:".$page."\r\n";
    include($page);
    echo "\r\nEOF";
}
?>
dan@freebox test $ cat test.txt
Testing...

Results:-

dan@freebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=test.txt
Sorry the local page is protected
dan@freebox test $ wget -O - -o /dev/null http://dans.lockedbox.net/test/test.php?page=./foo/../test.txt
including:./foo/../test.txt
EOF

Looks to me like the include is following the ./foo directory and then failing because it doesn't exist. Dunno for sure though. But yes, the file_exists is being bypassed in a fashion, but the file doesn't really exist. E.g., on Linux:

dan@freebox test $ ls -l
total 12
drwxr-xr-x 2 dan dan 4096 Feb 2 13:39 test
-rw-r--r-- 1 dan dan 273 Feb 2 13:37 test.php
-rw-r--r-- 1 dan dan 11 Feb 2 13:37 test.txt
dan@freebox test $ cat ./foo/../test.txt
cat: ./foo/../test.txt: No such file or directory
dan@freebox test $ cd ./foo/../test/
-/bin/bash: cd: ./foo/../test/: No such file or directory

So it might be that, as it's passing the whole $page variable to the include, it's following it in the raw filesystem call.. it's too much work stracing my Apache setup for a specific request, threads and all.. (if you know an easy way..mail me)

Regards,
Daniel.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
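
A fail-closed alternative to the file_exists() guard discussed in this thread, as an added example that is not part of any poster's message: it canonicalises the requested name with realpath() and accepts only allowlisted files under a page directory. The function name resolve_page(), the temporary directory and the file names are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. The directory layout, file names
// and allowlist below are constructed for the demonstration.

// Return the canonical path to include, or null. Fails closed.
function resolve_page(string $requested, string $baseDir, array $allowed): ?string
{
    // No empty names, NUL bytes or stream wrappers (http://, php://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Canonicalise first. The thread reports different results for
    // ./foo/../x when foo is missing, so decide on the canonical path only.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the page directory
    }
    $relative = str_replace(DIRECTORY_SEPARATOR, '/', substr($real, strlen($prefix)));
    return in_array($relative, $allowed, true) ? $real : null;
}

// Constructed sample tree: one public page, one protected file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/file.txt', "Hello World\n");
file_put_contents($dir . '/secret.txt', "protected\n");
$allowed = ['file.txt'];

$requests = ['file.txt', './foo/../file.txt', 'secret.txt',
             './foo/../secret.txt', '../secret.txt', 'http://example.com/x'];
foreach ($requests as $page) {
    $path = resolve_page($page, $dir, $allowed);
    printf("%-24s %s\n", $page, $path === null ? 'rejected' : 'include ' . $path);
}

unlink($dir . '/file.txt');
unlink($dir . '/secret.txt');
rmdir($dir);
```

The decision for an aliased name such as ./foo/../secret.txt is the same as for secret.txt, because the allowlist is matched against the canonical path rather than the string the client sent.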