ID:               36225
 User updated by:  ludovit at scholtz dot sk
 Reported By:      ludovit at scholtz dot sk
 Status:           Bogus
 Bug Type:         Filesystem function related
 Operating System: win, unix
 PHP Version:      5.1.2
 New Comment:

Maybe this should be a better example..
?x=../data/log.txt%00&
<?php
// if magic quotes are on, undo the escaping they added
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".template"))
 include "my_lang_dir/".$_REQUEST["x"].".template";
?>


Previous Comments:
------------------------------------------------------------------------

[2006-01-31 13:56:24] ludovit at scholtz dot sk

who was talking about exec($_GET[..])?

I wrote that there is a problem: if some webmaster expects include
"my_dir/".$file.".data"; to work fine, so that no one could include files
other than .data, and anyone can include files with any extension, it
is very bad.

------------------------------------------------------------------------

[2006-01-31 13:50:24] [EMAIL PROTECTED]

If you do exec($_GET['var']); - it's your fault that a user can pass
?var=rm -rf and delete everything on the disk.
Not a PHP problem; users should take care of such things themselves.

------------------------------------------------------------------------

[2006-01-31 13:39:01] ludovit at scholtz dot sk

If this isn't a bug, then I don't know what else should be.

If someone can gain full access to a server because of an error in PHP, I
don't know..

I messed up the () in the line if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
It should look like
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))

------------------------------------------------------------------------

[2006-01-31 13:27:31] [EMAIL PROTECTED]

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.



------------------------------------------------------------------------

[2006-01-31 13:22:00] ludovit at scholtz dot sk

Description:
------------
There is a serious bug in all versions of PHP.

When a webmaster uses input variables in directory functions, like
is_file, include, ..., a hacker could include his own file in the system.
For example:
Someone logs to files. A hacker is able to put something like
<? phpinfo();?> into the logs. He knows the path,
let's say /data/log.txt
Then there is a /index.php file, which contains
<?php
// if magic quotes are on, undo the escaping they added
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))
 include "my_lang_dir/".$_REQUEST["x"].".txt";
?>
...
The problem is when an attacker uses ?x=../data/log.txt%00&

The function stripslashes turns %00 into chr(0),
then the is_file() call gets my_lang_dir/../data/log.txt\0.txt

and most probably the OS functions see only my_lang_dir/../data/log.txt,
with the zero as a terminating char.

I think this should return false, but it returns true and
continues.....

I found this error while I was testing one server, and with this I have
gained access to a remote server.

Reproduce code:
---------------
?x=../data/log.txt%00&

<?php
// if magic quotes are on, undo the escaping they added
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))
 include "my_lang_dir/".$_REQUEST["x"].".txt";
?>

Expected result:
----------------
it should not include anything

Actual result:
--------------
it includes log file
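A hardened form of the loader from this report, added here as an example and not part of the bug report or of PHP itself: it rejects the request value before any path is built (no "/", ".", or chr(0) can pass the allowlist), then confines the resolved path to the base directory. The "my_lang_dir" directory and ".template" extension are the report's; the function name safe_template_path and the test inputs are assumptions.

```php
<?php
// Added example (not from the bug report): a template loader that confines
// includes to one directory. The directory name "my_lang_dir" and the
// ".template" extension come from the report; everything else is assumed.
declare(strict_types=1);

function safe_template_path(string $baseDir, string $name, string $ext): ?string
{
    // Allowlist the name itself: letters, digits, "_" and "-" only. This rejects
    // "/", "\", ".." and the chr(0) the report relies on, before any path exists.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                     // base directory does not exist
    }
    // realpath() resolves ".." and symlinks to a canonical absolute path (or false).
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . $ext);
    if ($candidate === false) {
        return null;
    }
    // Defence in depth: the canonical path must still start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

// Constructed inputs: the report's payload as it looks after stripslashes()
// (chr(0) already present), and a benign template name for comparison.
$inputs = ["../data/log.txt\0", "en"];
foreach ($inputs as $x) {
    $path = safe_template_path(__DIR__ . '/my_lang_dir', $x, '.template');
    echo var_export($x, true), ' => ', ($path === null ? 'rejected' : "include $path"), PHP_EOL;
}
// "../data/log.txt\0" is rejected by the allowlist; "en" resolves only if
// my_lang_dir/en.template exists under this script's directory.
```

The realpath() prefix check is kept even though the allowlist already blocks traversal, so a later loosening of the pattern cannot silently reopen the include to files outside my_lang_dir.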


------------------------------------------------------------------------
