Bug #32836 security bug
Submitted: 2005-04-26 13:58 UTC
Modified: 2005-04-27 12:16 UTC
Votes: 3
Avg. Score: 4.3 ± 0.9
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 1 (33.3%)
From: kkrusteff at intergenia dot de
Assigned:
Status: Closed
Package: Unknown/Other Function
PHP Version: 4.3.10
OS: linux
Private report: No
CVE-ID: None
 [2005-04-26 13:58 UTC] kkrusteff at intergenia dot de
Description:
------------
A frequently used way to include a lang file: include("./lang/login.php." . $_REQUEST["lang"]);
The problem is that if the URL uses lang=../../../../../../../../../../etc/hosts
we get the hosts file from the computer.



Reproduce code:
---------------
<?PHP
include("./lang/login.php.../../../../../../../../../../etc/hosts");
?>
//or
<?php
include("./lang/login.php.../../../../../../../../../etc/hosts");
?>
// that will show the hosts file

Expected result:
----------------
file not found 

Actual result:
--------------
That will show the hosts file, or another file if you know the path.

 [2005-04-26 15:53 UTC] slavi at imperia dot net
See "#29949 Relative include() sometimes works as expected."
( http://bugs.php.net/bug.php?id=29949 )

I think it describes the same problem.
 [2005-04-27 04:46 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Validate your inputs.
 [2005-04-27 09:06 UTC] kkrusteff at intergenia dot de
No matter what you call it, or whether you verify your inputs, it's a BUG. In no other language / shell / usual program on Unix/Linux can you do such a thing and have it accepted as a valid file!
This file does NOT actually exist. Why does including it result in getting the wrong file?

Wrong parsing in the include() function? Yes, no doubt.
Please don't tell people 'verify your inputs'. Sometimes it's not possible.

Or should they execute 'readlink -f' before including? Or do other weird stuff to avoid this case? Or what?
 [2005-04-27 12:11 UTC] sesser@php.net
This is not a bug in PHP but in glibc realpath().

If you are unable to strip ../ from your user input, then either report this as a bug in realpath() to the glibc folks or simply change your OS to a BSD.

(Or use the hardening patch from the hardened-php project ;)
 [2005-04-27 12:16 UTC] sesser@php.net
wtf
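
One way to apply the "Validate your inputs" advice from this thread to the include() pattern in the report, as an added example that is not part of the original report or of PHP itself. The language codes, the lang directory layout and the function names are assumptions made for illustration.

```php
<?php
// Hardened form of: include("./lang/login.php." . $_REQUEST["lang"]);
// Assumed for illustration: the language codes, LANG_DIR and both function names.
const LANG_DIR = __DIR__ . '/lang';
const ALLOWED_LANGS = ['en', 'de', 'bg'];   // constructed sample list
const DEFAULT_LANG = 'en';

// Map untrusted input to a language file path. The request value is only
// compared against the allowlist; anything else falls back to the default,
// so "../" sequences never reach the filesystem.
function resolve_lang_file($requested): string
{
    $lang = DEFAULT_LANG;
    if (is_string($requested) && in_array($requested, ALLOWED_LANGS, true)) {
        $lang = $requested;
    }
    return LANG_DIR . '/login.php.' . $lang;
}

// Defence in depth: canonicalise the path and confirm that the file exists
// and sits inside LANG_DIR before it is handed to include.
function is_inside_lang_dir(string $path): bool
{
    $base = realpath(LANG_DIR);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed inputs, including the traversal string from the report and a
// non-string value (lang[]=x arrives in $_REQUEST as an array).
$samples = ['de', '../../../../../../../../../../etc/hosts', 'en/../../x', ['x'], null];
foreach ($samples as $s) {
    printf("%-45s -> %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), resolve_lang_file($s));
}

// Usage in the login page:
//   $file = resolve_lang_file($_REQUEST['lang'] ?? null);
//   if (is_inside_lang_dir($file)) {
//       include $file;
//   } else {
//       http_response_code(404);
//   }
```

Every constructed input other than 'de' resolves to the default language file, so the request value cannot select a path outside the lang directory.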