Hi,
There is a security problem in the file_exists() function which allows unauthorized users to bypass the function. For example, a user uses this function to check the existence and display the source code of his file "my_file.php" in the "/test" directory. He uses for this a script like this one:
----- file_exists.php -----
<?php
// $var is filled from the ?var= query parameter
if(file_exists($var)){
    echo("File exist<br><br>");
    $source = file( $var );
    while ( list( $num_line, $line ) = each( $source ) ) {
        echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
    }
}else{ // the file is read in this branch as well
    echo("File doesn't exist<br><br>");
    $source = file( $var );
    while ( list( $num_line, $line ) = each( $source ) ) {
        echo "<B>Line $num_line:</B> ".htmlspecialchars( $line ) . "<br>";
    }
}
?>
----- file_exists.php -----
He tests his script with the following address on his server:
http://[server]/test/file_exists.php?var=my_file.php
The file "my_file.php" contains the following text:
----- my_file.php -----
PHP is a widely-used
general-purpose scripting
language that is especially
suited for Web development
and can be embedded into HTML.
----- my_file.php -----
After launching his script, he obtains:
File exist
Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
Up to here everything seems to be normal.
If he tests it with another file name, he obtains:
File doesn't exist
Warning: file(test): failed to open stream: No such file or directory in /home/xxx/www/test/file_exists.php on line 11
Warning: Variable passed to each() is not an array or object in /home/xxx/www/test/file_exists.php on line 12
It's normal too...
But, if a user tests this script for example with the following link:
http://[server]/test/file_exists.php?var=anything/../my_file.php
he obtains:
File doesn't exist
Line 0: PHP is a widely-used
Line 1: general-purpose scripting
Line 2: language that is especially
Line 3: suited for Web development
Line 4: and can be embedded into HTML.
We can see that the file_exists() function returns that the file doesn't exist, but the source code has been displayed. It's a very critical bug because a malicious user can use it to bypass the file_exists() protection on an include() script for example.
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
Another, simpler example:
In the same directory:
test.php
-----------------------------------------------------------
<?
// $page is filled from the request
if(file_exists($page)){
    echo("Sorry the local page is protected");
}else{
    include($page);
}
?>
-----------------------------------------------------------
file.txt
-----------------------------------------------------------
Hello Word
-----------------------------------------------------------
Result:
Sorry the local page is protected
Result:
Hello Word
The function file_exists() is bypassed
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
I want to know if you think that's a real vulnerability or not?
(securityfocus says NO and doesn't want to publish it)
If you have any questions, don't hesitate to contact me.
Nourredine Himeur
[EMAIL PROTECTED]
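
Both scripts in the post test the user-supplied string with file_exists() and then hand the same string to a different function (file() or include()) that opens it. The following is an added example, not code from the original post or the thread: a display script that decides on the canonical path and opens that same path. PAGES_DIR and resolve_page() are assumed names.

```php
<?php
// Added example (not from the original post). PAGES_DIR is a hypothetical
// directory holding the only files this script may display.
const PAGES_DIR = __DIR__ . '/pages';

/**
 * Map a user-supplied name to a canonical path inside $baseDir.
 * Returns null for anything that cannot be resolved or that escapes $baseDir.
 */
function resolve_page(string $requested, string $baseDir = PAGES_DIR): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // misconfigured base directory: fail closed
    }
    // realpath() returns false when the path cannot be resolved, so an
    // unresolvable name is refused instead of falling through to an open.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Decide on the canonical path: it must sit strictly below the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Accept only a string parameter; arrays and missing values become ''.
$raw  = $_GET['page'] ?? '';
$path = resolve_page(is_string($raw) ? $raw : '');
if ($path === null) {
    http_response_code(404);
    exit('Page not available');
}
// Display, never include(): the file is treated as data, not as PHP code.
// The canonical path that was checked is the one that gets opened.
echo nl2br(htmlspecialchars((string) file_get_contents($path)));
```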