PHP :: Bug #36225 :: critical bypass of include "my

Bug #36225	critical bypass of include "my_dir/".$file.".data";
Submitted:	2006-01-31 13:22 UTC	Modified:	2006-01-31 21:23 UTC
From:	ludovit at scholtz dot sk	Assigned:
Status:	Not a bug	Package:	Filesystem function related
PHP Version:	5.1.2	OS:	win, unix
Private report:	No	CVE-ID:	None

View Developer Edit

[2006-01-31 13:22 UTC] ludovit at scholtz dot sk

Description:
------------
There is a serious bug in all versions of php.

When webmaster use input variables in directories functions, like is_file, include, ... , hacker could include his own file in system.
For example.
Someone do logs in files. Hacker is able to put in logs something like <? phpinfo();?>. He know the path.
let say /data/log.txt
Then there is /index.php file, which contains
<?
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
 include "my_lang_dir/".$_REQUEST["x"].".txt";
?>
...
Problem is when attacker use ?x=../data/log.txt%00&

function stripslashes makes from %00 chr(0)
then in is_file() fc goes my_lang_dir/../data/log.txt\0.txt

and most probably functions in os sees only my_lang_dir/../data/log.txt and zero, as terminating char.

i think this should return false, but it return true, and continue.....

I found this error while i was testing one server, and with this i have gained access to remote server.

Reproduce code:
---------------
?x=../data/log.txt%00&

<?
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
 include "my_lang_dir/".$_REQUEST["x"].".txt";
?>

Expected result:
----------------
it should not include anything

Actual result:
--------------
it includes log file

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-01-31 13:27 UTC] tony2001@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

[2006-01-31 13:39 UTC] ludovit at scholtz dot sk

if this isnt bug, then i dont know what else should be.

if someone can gain full access to server because of error in php, i dont know..

i messed () in line if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
it should look like 
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))

[2006-01-31 13:50 UTC] tony2001@php.net

If you do exec($_GET['var']); - it's your fault that user can pass ?var=rm -rf and delete everything on the disk.
Not PHP problem, users should take care of such things themselves.

[2006-01-31 13:56 UTC] ludovit at scholtz dot sk

who was talking about exec($_GET[..])?

i wrote, that there is problem, that if some webmaster expect include "my_dir/".$file.".data"; to work fine, that noone could include other files then .data, and anyone can include files with any extention, it is very bad.

[2006-01-31 13:57 UTC] ludovit at scholtz dot sk

maybe it should be better example..
?x=../data/log.txt%00&
<?
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".template"))
 include "my_lang_dir/".$_REQUEST["x"].".template";
?>

[2006-01-31 21:23 UTC] ludovit at scholtz dot sk

I think this is bug.

if some programmer would write this code:
<?
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
echo $file = "my_lang_dir/".$_REQUEST["x"].".template";
if(is_file($file)){
 echo file_get_contents($file);
}
?>
ok. lets say we have this code.
proggramer want to read .template file. he think that there is NO chance to open any other file than .template.
This is mistake of php, that it allows attacker to read forexample .php file.
if you save your mysql conf in file conf.php, and attacker would run ?x=../conf.php%00, then he would read configuration for mysql, reveal password, and it is not good.

if someone dont use file_get_contents, but include, it will execute php code in that file. if attacker can write into any file on accesible path, he can corrupt whole system.

I think this is critical bug.

Solutions to patch this bugs are> to strip zero chars from string (before processiong to c),  or throw some error..
or to do something, but definitly no to include file "mydir/file.php" instead of "mydir/file.php\0.template"

I used this bug while i tested one serious server. It is not fault of programmer of system, but bug in php!!!
Ludovit Scholtz

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Dec 14 08:00:01 2025 UTC