php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #49670 prefix bypass in file_get_contents
Submitted: 2009-09-25 18:42 UTC Modified: 2009-09-27 20:47 UTC
From: david at majorsecurity dot info Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 5.3.0 OS: Unix
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: david at majorsecurity dot info
New email:
PHP Version: OS:

 

 [2009-09-25 18:42 UTC] david at majorsecurity dot info 
Description:
------------
If you use a prefix (i.e myownprefix_ ) in your source code to make sure that only files containing this prefix can be opened, this can be bypassed within file_get_contents().

Let's say that you have placed 2 files in your htdocs folder:
1. /htdocs/david/myownprefix_home.php
2. /htdocs/david/home.php
3. /htdocs/bug.php 




Reproduce code:
---------------
---
From manual page: function.file-get-contents
---
Example code (bug.php):
<?php 
  if(isset($_GET['seite'])) {
      $seite = $_GET['seite'];
      $datei = nl2br(file_get_contents("./david/myownprefix_$seite.php"));
      echo $datei;
   }
?>

Proof of concept:
http://localhost/bug.php?seite=/../home



Expected result:
----------------
Now this would open the file /htdocs/home.php and our defined prefix will be bypassed.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-09-25 21:59 UTC] jani@php.net 
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

You must be kidding? This is not a file_get_contents() issue at all, you 
just failed the 1st rule of coding: NEVER trust the input.
 [2009-09-27 20:47 UTC] david at majorsecurity dot info 
Hello. In my oppinion this is an issue that should at least be mentioned into the documentation of the this function. Reason? Because unfortunelly there are a lot of so called "security guys" that says you should safe your page by setting a prefix like "site_" and define an extension like ".txt". That would end up in having a request like target.com/page=news which than is passed as i.e. "site_news.txt". So as php developer you may think that you're on the safe site because it is not able to open any file that does not have the defined prefix or file extention -> which is definetly wrong!

So what I'm saying is that is would make sense to inform the developers and users directly on the documenation/manual to this function that it is insecure if you trust in any prefix or suffix and mention that you should do following stept when using file_get_contents:

1.) filter out the poison null byte ( %00 )
2.) filter ".." and "/" to ensure that no directory traversal is possible any more while using file_get_contents
3.) Put all trusted parameter values into a whitelist 
4.) Meticulously go through the code forcing PHP to cast the data to the desired type, in this case the (string) casts

And it is NOT a solution just to say "NEVER trust the user input". 
There should be some infos like that on the documentation site.

That's my 2 cent ... and I am working as professional it security consultant and doing penetration tests since years ... so I know what I'm talking about.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Mon Jun 17 17:01:29 2024 UTC