Full Disclosure mailing list archives

Re: Re: file_exists() bypassing , critical problem ?


From: Stefan Esser <s.esser () e-matters de>
Date: Mon, 2 Feb 2004 13:22:31 +0100


Hello,

first of all I find it funny that you now report this "hole"
to full-disclosure. We (at security () php net) got the same
mail (with the same examples/text) from a person with a totally
differen name a while ago.

-----------------------------------------------------------
<?
if(file_exists($page)){
echo("Sorry the local page is protected");
}else{
include($page);
}
?>
-----------------------------------------------------------

A nice artificial example. But what are you trying to achieve?
The include f.e. is completely misplaced. It makes no sense
that you want to include a file only if it does NOT exist.
Because if you try to include a nonexistant file you will
only get an include error. So on the first look the include
call is completely redundant. But with fopen() wrappers activated
this code construct is a security hole. It is a documented
and often underlined fact that file_exists() does not work on
remote files. So you are open for any remote include.

And finally, noone said that file_exists() is bugfree, but 
you were not able to provide any real example where a false
result: "file does not exist" is a security hole.

You usually only do things to files IF they exist. 
And maybe for the hundreth time: Never trust filenames supplied
by the user. You always have to tripple check them.

Stefan

-- 

--------------------------------------------------------------------------
 Stefan Esser                                        s.esser () e-matters de
 e-matters Security                         http://security.e-matters.de/

 GPG-Key                gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 
 Key fingerprint       B418 B290 ACC0 C8E5 8292  8B72 D6B0 7704 CF6C AE69
--------------------------------------------------------------------------
 Did I help you? Consider a gift:            http://wishlist.suspekt.org/
--------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: