ID:               36225
 User updated by:  ludovit at scholtz dot sk
 Reported By:      ludovit at scholtz dot sk
 Status:           Bogus
 Bug Type:         Filesystem function related
 Operating System: win, unix
 PHP Version:      5.1.2
 New Comment:

I think this is a bug.

If some programmer would write this code:
<?
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
echo $file = "my_lang_dir/".$_REQUEST["x"].".template";
if(is_file($file)){
 echo file_get_contents($file);
}
?>
OK, let's say we have this code.
The programmer wants to read a .template file. He thinks that there is NO
chance to open any file other than .template.
This is a mistake of PHP, that it allows an attacker to read, for example,
a .php file.
If you save your MySQL conf in the file conf.php, and an attacker would run
?x=../conf.php%00, then he would read the configuration for MySQL, reveal
the password, and it is not good.

If someone doesn't use file_get_contents, but include, it will execute the
PHP code in that file. If an attacker can write into any file on an
accessible path, he can corrupt the whole system.

I think this is a critical bug.

Solutions to patch this bug are: to strip zero chars from the string
(before processing to C), or throw some error,
or to do something, but definitely not to include the file "mydir/file.php"
instead of "mydir/file.php\0.template".

I used this bug while I tested one serious server. It is not the fault of
the programmer of the system, but a bug in PHP!!!
Ludovit Scholtz
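
Added example, not part of the bug report or of PHP itself: one way an application can validate the request value before building the path, so the NUL-byte and "../" inputs quoted above are rejected. The function name resolve_template is hypothetical; the directory and the ".template" suffix follow the report's snippet, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the bug report. Directory name and ".template"
// suffix follow the report's snippet; resolve_template() is a hypothetical name.

/**
 * Resolve a user-supplied template name to a real path inside $baseDir.
 * Returns null when the name is not acceptable or the file does not exist.
 */
function resolve_template(string $name, string $baseDir): ?string
{
    // 1. Reject NUL bytes outright: a C-level file API stops reading the
    //    path at "\0", which silently drops the ".template" suffix.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // 2. Allowlist the name: letters, digits, "_" and "-" only, so "../"
    //    and path separators can never appear. \A and \z anchor the whole
    //    string ("$" alone would accept a trailing newline).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 3. Canonicalise and confirm the result is still under the base dir
    //    (this also catches symlinks that point outside it).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.template');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed inputs: a benign name plus the two decoded request values
// quoted in the report ("%00" arrives in PHP as a "\0" byte).
$samples = ["en", "../conf.php\0", "../data/log.txt\0"];
foreach ($samples as $x) {
    $path = resolve_template($x, __DIR__ . '/my_lang_dir');
    printf("%-24s => %s\n", addcslashes($x, "\0"), $path ?? 'rejected');
}
```

Only the path returned by resolve_template() should be passed to file_get_contents() or include; the raw request value is never concatenated into a path.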


Previous Comments:
------------------------------------------------------------------------

[2006-01-31 13:57:44] ludovit at scholtz dot sk

Maybe this should be a better example..
?x=../data/log.txt%00&
<?
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".template"))
 include "my_lang_dir/".$_REQUEST["x"].".template";
?>

------------------------------------------------------------------------

[2006-01-31 13:56:24] ludovit at scholtz dot sk

Who was talking about exec($_GET[..])?

I wrote that there is a problem: if some webmaster expects include
"my_dir/".$file.".data"; to work fine, so that no one could include
files other than .data, and anyone can include files with any extension, it
is very bad.

------------------------------------------------------------------------

[2006-01-31 13:50:24] [EMAIL PROTECTED]

If you do exec($_GET['var']); - it's your fault that user can pass
?var=rm -rf and delete everything on the disk.
Not a PHP problem, users should take care of such things themselves.

------------------------------------------------------------------------

[2006-01-31 13:39:01] ludovit at scholtz dot sk

If this isn't a bug, then I don't know what else should be.

If someone can gain full access to a server because of an error in PHP, I
don't know..

I messed up the () in the line if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
It should look like
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))

------------------------------------------------------------------------

[2006-01-31 13:27:31] [EMAIL PROTECTED]

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.



------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/36225
