Re: Re: Re: [Full-Disclosure] file_exists() bypassing, critical problem?

From: Nourredine Himeur (lostnoobs_at_security-challenge.com)
Date: 02/02/04

    To: <s.esser@e-matters.de>
    Date: Mon, 2 Feb 2004 13:38:43 +0100
    
    

    >Hello,
    >
    >first of all I find it funny that you now report this "hole"
    >to full-disclosure. We (at security@php.net) got the same
    >mail (with the same examples/text) from a person with a totally
    >different name a while ago.

    Yes ;)

    > > -----------------------------------------------------------
    > > if(file_exists($page)){
    > > echo("Sorry the local page is protected");
    > > }else{
    > > include($page);
    > > }
    > > ?>
    > > -----------------------------------------------------------
    >
    >A nice artificial example. But what are you trying to achieve?

    Yes, artificial, because it's simpler to understand.
     
    >The include f.e. is completely misplaced. It makes no sense
    >that you want to include a file only if it does NOT exist.
    >Because if you try to include a nonexistent file you will
    >only get an include error. So on the first look the include
    >call is completely redundant. But with fopen() wrappers activated
    >this code construct is a security hole. It is a documented
    >and often underlined fact that file_exists() does not work on
    >remote files. So you are open for any remote include.

    IT'S JUST AN EXAMPLE !!!

    >And finally, no one said that file_exists() is bugfree, but
    >you were not able to provide any real example where a false
    >result: "file does not exist" is a security hole.

    OK, look at this:
    http://www.opensavoir.com/test.txt
    http://www.opensavoir.com/test.php
    http://www.opensavoir.com/phpinfo.php

    http://www.opensavoir.com/test.php?page=phpinfo.php

    http://www.opensavoir.com/test.php?page=./foo/../phpinfo.php

    http://www.opensavoir.com/test.php?page=./anything/../phpinfo.php

    You see now?

    >You usually only do things to files IF they exist.
    >And maybe for the hundredth time: Never trust filenames supplied
    >by the user. You always have to triple check them.
    >
    >Stefan
    >

    Nourredine Himeur

    www.security-challenge.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
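The quoted snippet gates include() on file_exists() returning false, so every input for which the stat fails (a stream-wrapper URL, a path through a non-existent directory) sails through the check. The following is an added example, not code from the thread: a positive, allow-list based gate in which realpath() and the allow list decide what may be included, with the function name, directory layout and sample requests all hypothetical.

```php
<?php
// Added example (not from the thread): a deny-list check built on file_exists()
// fails open, so the include is gated by a positive check instead.
// All names and the fixture directory below are hypothetical/constructed.

// Returns the resolved, allow-listed path, or null if the request must be refused.
function resolve_page(string $requested, string $baseDir, array $allowed): ?string
{
    // Refuse anything that looks like a stream wrapper (http://, ftp://, php://,
    // data:). file_exists() returns false for these, which is exactly what the
    // quoted code relied on to decide that the include was "safe".
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    // A bare basename only: no directory separators, so a request such as
    // "./foo/../phpinfo.php" never reaches the filesystem at all.
    if ($requested !== basename($requested)) {
        return null;
    }
    // Positive check: the name must be on the allow list ...
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // ... and realpath() must land inside $baseDir (guards against symlinks
    // and any residual path-normalisation surprise).
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed fixture: a temp dir with one allowed page and one file that
// must never be reachable through the page parameter.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/about.php", "<?php echo 'about';\n");
file_put_contents("$dir/phpinfo.php", "<?php echo 'must not be included';\n");
$allowed = ['about.php'];

foreach (['about.php', 'phpinfo.php', './foo/../phpinfo.php',
          'http://example.invalid/evil.txt'] as $req) {
    $r = resolve_page($req, $dir, $allowed);
    printf("%-36s => %s\n", $req, $r === null ? 'refused' : 'include ' . basename($r));
}
```

Only the allow-listed `about.php` resolves; the direct name, the `./foo/../` form and the URL are all refused before any include() runs.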

