Re: Re: [Full-Disclosure] file_exists() bypassing , critical problem ?
Date: Mon Feb 02 2004 - 07:22:31 EST
Hello,
first of all I find it funny that you now report this "hole"
to full-disclosure. We (at security@php.net) got the same
mail (with the same examples/text) from a person with a totally
differen name a while ago.
> -----------------------------------------------------------
> <?
> if(file_exists($page)){
> echo("Sorry the local page is protected");
> }else{
> include($page);
> }
> ?>
> -----------------------------------------------------------
A nice artificial example. But what are you trying to achieve?
The include f.e. is completely misplaced. It makes no sense
that you want to include a file only if it does NOT exist.
Because if you try to include a nonexistant file you will
only get an include error. So on the first look the include
call is completely redundant. But with fopen() wrappers activated
this code construct is a security hole. It is a documented
and often underlined fact that file_exists() does not work on
remote files. So you are open for any remote include.
And finally, noone said that file_exists() is bugfree, but
you were not able to provide any real example where a false
result: "file does not exist" is a security hole.
You usually only do things to files IF they exist.
And maybe for the hundreth time: Never trust filenames supplied
by the user. You always have to tripple check them.
Stefan
-- -------------------------------------------------------------------------- Stefan Esser s.esser@e-matters.de e-matters Security http://security.e-matters.de/ GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69 -------------------------------------------------------------------------- Did I help you? Consider a gift: http://wishlist.suspekt.org/ -------------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.htmlReceived on Mon Feb 02 08:25:59 2004
This archive was generated by hypermail 2.1.8 : Mon Feb 02 2004 - 09:01:02 EST
