Re: Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?

From: Nourredine Himeur (
Date: 02/02/04

    Date: Mon, 2 Feb 2004 13:38:43 +0100

    >first of all I find it funny that you now report this "hole"
    >to full-disclosure. We (at got the same
    >mail (with the same examples/text) from a person with a totally
    >different name a while ago.

    Yes ;)

    > > -----------------------------------------------------------
    > > <?php
    > > if(file_exists($page)){
    > > echo("Sorry the local page is protected");
    > > }else{
    > > include($page);
    > > }
    > > ?>
    > > -----------------------------------------------------------
    >A nice artificial example. But what are you trying to achieve?

    Yes, artificial, because it's simpler to understand.

    >The include f.e. is completely misplaced. It makes no sense
    >that you want to include a file only if it does NOT exist.
    >Because if you try to include a nonexistent file you will
    >only get an include error. So on the first look the include
    >call is completely redundant. But with fopen() wrappers activated
    >this code construct is a security hole. It is a documented
    >and often underlined fact that file_exists() does not work on
    >remote files. So you are open for any remote include.


    >And finally, no one said that file_exists() is bugfree, but
    >you were not able to provide any real example where a false
    >result: "file does not exist" is a security hole.

    OK, look at this:

    You see now?

    >You usually only do things to files IF they exist.
    >And maybe for the hundredth time: Never trust filenames supplied
    >by the user. You always have to triple check them.

    Nourredine Himeur

    Full-Disclosure - We believe in it.
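
The quoted reply above points out that file_exists() does not work on remote files, so the inverted check lets a URL reach include() when fopen wrappers are active. The following is an added example, not code from this thread or from the PHP project, showing a page loader that treats the user-supplied value as a key into a fixed map instead of as a filename. The names resolve_page, render_page, PAGES_DIR and ALLOWED_PAGES, the pages/ directory and the sample inputs are all hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example. All names, paths and sample inputs here are hypothetical.

// Directory that holds the only files this script may ever include.
const PAGES_DIR = __DIR__ . '/pages';

// User input selects a key; the filename on the right never comes from the user.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request is rejected.
function resolve_page(string $requested): ?string
{
    // Anything that is not an exact key (URLs, ../ sequences, NUL bytes) stops here.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing: fail closed
    }
    // Second check: the resolved file must sit inside PAGES_DIR,
    // even if a symlink in that directory points elsewhere.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Includes the page only after it has been resolved to a known local file.
function render_page(string $requested): bool
{
    $path = resolve_page($requested);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Constructed inputs: one valid key, one URL, one traversal attempt.
foreach (['home', 'http://example.invalid/x.txt', '../../etc/passwd'] as $input) {
    printf("%-30s => %s\n", $input, resolve_page($input) ?? 'rejected');
}
```

With this structure the result of file_exists() on a user-supplied string no longer decides anything, and a URL is rejected because it is not a key in the map. On PHP 5.2 and later, leaving allow_url_include at its default of Off removes the remote include path independently of the application code.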
