Full Disclosure mailing list archives

Re: file_exists() bypassing, critical problem?


From: "first-name last-name" <nothing_null () hotmail com>
Date: Mon, 02 Feb 2004 14:56:42 +0100

Hello,

file_exists() has a bug, yes. It should indicate whether a file exists or not, and you demonstrated that it doesn't in a special case. But not all bugs are vulnerabilities.

The mistake is in the code you supplied. I'm not the first to say it. You said that the code is only an example, but an example of what? For me, it's an example of bad code that should not be used to protect some website area. And that is precisely what you are doing with:
http://www.opensavoir.com/test.txt
http://www.opensavoir.com/test.php
http://www.opensavoir.com/phpinfo.php
http://www.opensavoir.com/test.php?page=phpinfo.php
http://www.opensavoir.com/test.php?page=./foo/../phpinfo.php
http://www.opensavoir.com/test.php?page=./anything/../phpinfo.php

That's OK, you can't rely on file_exists() to do what you want to do... but that's a very ugly way to do it anyway. If someone can enter your site against your will, it will be your fault because of this ugly code (which would be ugly even if file_exists() worked well).

In your first e-mail, you asked if we think that's a real vulnerability. What I think is:
. file_exists() has a bug
. your code has a vulnerability

When you program some security-related functions, you should not rely on functions you suppose bug-free, but test every case (like you did) and finally choose the right way. To conclude:
. use another way to protect your website
. report the *bug* to PHP (already done if I understood well)

... and don't think that any existing website uses this method for protection!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
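The reply's point is that a `page=` include guard must not be built on file_exists() (or any other check) applied to the raw user string, because a path such as `./foo/../phpinfo.php` canonicalises to a file outside what the check intended. The following is an added example, not code from the thread or from the original poster: it shows the "another way" the reply recommends, an allowlist of page names plus a realpath() containment check. It assumes a hypothetical `pages/` directory next to the script and the page names `home`, `about` and `contact`.

```php
<?php
// Added example, not from the thread. Resolves a user-supplied "page" name
// safely. Assumptions: includable pages live under ./pages/ (hypothetical)
// and are listed in ALLOWED_PAGES.
declare(strict_types=1);

// Allowlist: the only pages the application is willing to include.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Return the canonical absolute path of the page to include, or null if the
 * request must be refused. The decision never depends on file_exists() run
 * against the raw user string: the untrusted value is compared with the
 * allowlist first, and only trusted parts are used to build the path.
 */
function resolvePage(string $requested, string $baseDir): ?string
{
    // 1. Syntactic allowlist: exact match on a bare name, nothing else.
    //    "./foo/../phpinfo.php" is rejected here before any filesystem lookup.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Build the path from trusted parts and canonicalise both ends.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or page file is missing
    }

    // 3. Containment: the canonical path must stay inside $base, even if a
    //    symlink or a later edit to ALLOWED_PAGES tried to point elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$page = $_GET['page'] ?? 'home';
if (!is_string($page)) {
    $page = ''; // arrays or other types never match the allowlist
}

$path = resolvePage($page, __DIR__ . DIRECTORY_SEPARATOR . 'pages');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
require $path;
```

The allowlist makes the check independent of file_exists() semantics entirely: whether or not the function handles `./foo/../` correctly no longer matters, because no user-controlled path ever reaches the filesystem. The realpath() containment step is defence in depth for the case where the allowlist itself is later misconfigured.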
