Full Disclosure mailing list archives
file_exists() bypassing , critical problem ?
From: "Nourredine Himeur" <lostnoobs () security-challenge com>
Date: Mon, 2 Feb 2004 15:45:02 +0100
But all bugs aren't a vulnerability.
I don't think so; for me, all bugs ARE a vulnerability.

You only show my example, but imagine you want to verify if you do this:

http://www.security-challenge.com/123456/outils/source.php

Translation: Lire une source HTML = Read an HTML source

source.php:
-------------------------------------------------------------------
// print each line of the fetched page, HTML-escaped
$contenu = file( $url );
while ( list( $numero_ligne, $ligne ) = each( $contenu ) ) {
    echo "<B>Ligne $numero_ligne:</B> ".htmlspecialchars( $ligne ) . "<br>";
}
-------------------------------------------------------------------

With the function file() I show the HTML source.
But you don't want the visitor to see the local source of your own file, because if file() opens a local PHP file it sees the PHP source.

If you used file_exists() to protect your own page, a malicious visitor can use the vulnerability of this function to see the PHP source of your own page.php!!!

You talk only about my example; it's stupid.
Every bug is a vulnerability in computing. (If a function doesn't work properly you can exploit it.)

You're going to say: "Your code is vulnerable"

To finish with this subject, I'm going to say (same as SecurityFocus):
"Prevention is better than cure"

Nourredine Himeur
www.security-challenge.com
If I had been prevented I shall not have been pirated ...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
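A defensive variant of the source.php viewer discussed in this message, added here as an example and not part of the original post: instead of using file_exists() to decide whether the input is a local file, it accepts only absolute http/https URLs before calling file(). The function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example (not from the original post). Function names are hypothetical.
// Idea: do not ask "is this a local file?" with file_exists(); instead
// accept only what the viewer is meant to fetch: absolute http(s) URLs.

function is_remote_http_url(string $url): bool
{
    // Reject NUL bytes and other control characters outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;   // relative or local paths such as "page.php"
    }
    // Allow-list of schemes: excludes file:// and every other stream wrapper.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

function show_source(string $url): void
{
    if (!is_remote_http_url($url)) {
        echo "Refused: only http:// and https:// URLs are accepted.<br>";
        return;
    }
    $contenu = @file($url);
    if ($contenu === false) {
        echo "Could not read the page.<br>";
        return;
    }
    foreach ($contenu as $numero_ligne => $ligne) {
        echo "<B>Ligne $numero_ligne:</B> " . htmlspecialchars($ligne) . "<br>";
    }
}

// Constructed sample inputs: show which ones the check lets through.
$samples = ['http://www.example.com/', 'page.php', './page.php',
            '/var/www/page.php', 'file:///var/www/page.php'];
foreach ($samples as $s) {
    printf("%-30s %s\n", $s, is_remote_http_url($s) ? 'fetch' : 'refuse');
}
```

Fetched over HTTP, a PHP page arrives as the output the web server rendered, not as its source. The check does not restrict which hosts may be fetched.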