Bug #36225 critical bypass of include "my_dir/".$file.".data";
Submitted: 2006-01-31 13:22 UTC Modified: 2006-01-31 21:23 UTC
From: ludovit at scholtz dot sk Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 5.1.2 OS: win, unix
Private report: No CVE-ID: None
 [2006-01-31 13:22 UTC] ludovit at scholtz dot sk
Description:
------------
There is a serious bug in all versions of PHP.

When a webmaster uses input variables in directory functions like is_file, include, ..., a hacker could include his own file in the system.
For example: someone writes logs to files. A hacker is able to put something like <? phpinfo();?> into the logs. He knows the path,
let's say /data/log.txt.
Then there is the /index.php file, which contains
<?php
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))
 include "my_lang_dir/".$_REQUEST["x"].".txt";
?>
...
The problem is when an attacker uses ?x=../data/log.txt%00&

The function stripslashes turns %00 into chr(0);
then the is_file() function gets my_lang_dir/../data/log.txt\0.txt

and most probably the functions in the OS see only my_lang_dir/../data/log.txt, with the zero as terminating char.

I think this should return false, but it returns true and continues...

I found this error while I was testing one server, and with this I have gained access to a remote server.

Reproduce code:
---------------
?x=../data/log.txt%00&

<?php
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))
 include "my_lang_dir/".$_REQUEST["x"].".txt";
?>

Expected result:
----------------
it should not include anything

Actual result:
--------------
it includes log file

 [2006-01-31 13:27 UTC] tony2001@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.


 [2006-01-31 13:39 UTC] ludovit at scholtz dot sk
If this isn't a bug, then I don't know what else should be.

If someone can gain full access to a server because of an error in PHP, I don't know...

I messed up the () in the line if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
It should look like
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt"))
 [2006-01-31 13:50 UTC] tony2001@php.net
If you do exec($_GET['var']); - it's your fault that a user can pass ?var=rm -rf and delete everything on the disk.
Not a PHP problem; users should take care of such things themselves.
 [2006-01-31 13:56 UTC] ludovit at scholtz dot sk
Who was talking about exec($_GET[..])?

I wrote that there is a problem: if some webmaster expects include "my_dir/".$file.".data"; to work fine, so that no one could include other files than .data, and anyone can include files with any extension, it is very bad.
 [2006-01-31 13:57 UTC] ludovit at scholtz dot sk
Maybe this would be a better example:
?x=../data/log.txt%00&
<?php
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".template"))
 include "my_lang_dir/".$_REQUEST["x"].".template";
?>
 [2006-01-31 21:23 UTC] ludovit at scholtz dot sk
I think this is a bug.

If some programmer wrote this code:
<?php
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
echo $file = "my_lang_dir/".$_REQUEST["x"].".template";
if(is_file($file)){
 echo file_get_contents($file);
}
?>
OK, let's say we have this code.
The programmer wants to read a .template file. He thinks that there is NO chance to open any other file than .template.
This is a mistake of PHP, that it allows an attacker to read for example a .php file.
If you save your MySQL conf in the file conf.php, and an attacker runs ?x=../conf.php%00, then he would read the configuration for MySQL, reveal the password, and it is not good.

If someone doesn't use file_get_contents but include, it will execute the PHP code in that file. If an attacker can write into any file on an accessible path, he can corrupt the whole system.

I think this is a critical bug.

Solutions to patch this bug are: to strip zero chars from the string (before passing it to C), or throw some error...
or to do something, but definitely not to include the file "mydir/file.php" instead of "mydir/file.php\0.template".

I used this bug while I tested one serious server. It is not the fault of the programmer of the system, but a bug in PHP!!!
Ludovit Scholtz
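The following is an added example, not code from the bug report or from PHP itself: a hardened version of the "my_lang_dir/".$_REQUEST["x"].".template" pattern discussed throughout this thread. It shows the defensive side of the reporter's proposed fix (rejecting the NUL byte before the path reaches the filesystem), and goes further by allow-listing the input and checking the canonical path, so that the "../" part of the payload is closed off as well. The directory name my_lang_dir and the sample files it creates under the system temp directory are assumptions constructed so the example runs stand-alone. (Separately from any application check, PHP 5.3.4 and later refuse paths containing a NUL byte in filesystem functions, so the exact truncation the reporter describes no longer works on maintained versions; the path traversal still needs the application-level check.)

```php
<?php
// Added example, not code from the bug report: a hardened version of the
// "my_lang_dir/" . $_REQUEST["x"] . ".template" pattern discussed above.
declare(strict_types=1);

// Build a throwaway template directory so the example runs stand-alone.
// (Constructed sample data; the directory name is an assumption.)
$templateDir = sys_get_temp_dir() . '/bug36225_demo/my_lang_dir';
@mkdir($templateDir, 0700, true);
file_put_contents($templateDir . '/en.template', "hello\n");
file_put_contents(dirname($templateDir) . '/conf.php', "<?php \$password = 'secret';\n");

/**
 * Return the canonical path of $name's template, or null if $name must not
 * be used. Each rejection rule closes one step of the attack in the report.
 */
function safeTemplatePath(string $templateDir, string $name): ?string
{
    // Rule 1: allow-list the input. A plain identifier cannot contain "\0",
    // "/", "\\" or "..", so the "%00" truncation trick has nothing to work on.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // Rule 2: canonicalise and require the result to stay under $templateDir.
    $base = realpath($templateDir);
    $real = realpath($templateDir . '/' . $name . '.template');
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Rule 3: check the extension on the canonical path, not on the raw input,
    // so the name the OS will actually open is the one being verified.
    if (substr($real, -strlen('.template')) !== '.template') {
        return null;
    }
    return $real;
}

// Inputs: one legitimate name plus the report's own payloads (after the
// stripslashes() step has turned "%00" into a real NUL byte).
$inputs = ['en', "../data/log.txt\0", "../conf.php\0", '../conf.php'];
foreach ($inputs as $x) {
    $path = safeTemplatePath($templateDir, $x);
    printf("%-22s => %s\n", addcslashes($x, "\0"),
        $path === null ? 'rejected' : trim(file_get_contents($path)));
}
```

Only the plain name "en" resolves to a file; the three traversal inputs are rejected by the allow-list before realpath() ever sees them. Rule 2 and Rule 3 look redundant next to Rule 1, and they are meant to be: if the allow-list is later loosened (for example to permit subdirectories), the prefix and extension checks on the canonical path still hold the line.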
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 26 11:01:31 2024 UTC