Full Disclosure mailing list archives
Re: Re: file_exists() bypassing , critical problem ?
From: Stefan Esser <s.esser () e-matters de>
Date: Mon, 2 Feb 2004 13:22:31 +0100
Hello, first of all I find it funny that you now report this "hole" to full-disclosure. We (at security () php net) got the same mail (with the same examples/text) from a person with a totally differen name a while ago.
-----------------------------------------------------------
<?
if(file_exists($page)){
echo("Sorry the local page is protected");
}else{
include($page);
}
?>
-----------------------------------------------------------
A nice artificial example. But what are you trying to achieve? The include f.e. is completely misplaced. It makes no sense that you want to include a file only if it does NOT exist. Because if you try to include a nonexistant file you will only get an include error. So on the first look the include call is completely redundant. But with fopen() wrappers activated this code construct is a security hole. It is a documented and often underlined fact that file_exists() does not work on remote files. So you are open for any remote include. And finally, noone said that file_exists() is bugfree, but you were not able to provide any real example where a false result: "file does not exist" is a security hole. You usually only do things to files IF they exist. And maybe for the hundreth time: Never trust filenames supplied by the user. You always have to tripple check them. Stefan -- -------------------------------------------------------------------------- Stefan Esser s.esser () e-matters de e-matters Security http://security.e-matters.de/ GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69 -------------------------------------------------------------------------- Did I help you? Consider a gift: http://wishlist.suspekt.org/ -------------------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- file_exists() bypassing , critical problem ? Lost Noobs (Feb 02)
- Re: file_exists() bypassing , critical problem ? m.esco (Feb 02)
- <Possible follow-ups>
- file_exists() bypassing , critical problem ? Nourredine Himeur (Feb 02)
- file_exists() bypassing , critical problem ? Nourredine Himeur (Feb 02)
- Re: Re: file_exists() bypassing , critical problem ? Nourredine Himeur (Feb 02)
- Re: Re: file_exists() bypassing , critical problem ? m.esco (Feb 02)
- Re: Re: file_exists() bypassing , critical problem ? Nourredine Himeur (Feb 02)
- Re: Re: file_exists() bypassing , critical problem ? Stefan Esser (Feb 02)
- Re: file_exists() bypassing , critical problem ? Daniel B (Feb 02)
- Re: Re: file_exists() bypassing , critical problem ? m.esco (Feb 02)
- Message not available
- Re: file_exists() bypassing , critical problem ? Nourredine Himeur (Feb 02)
- Re: Re: file_exists() bypassing , critical problem ? VeNoMouS (Feb 02)
- Re: file_exists() bypassing , critical problem ? Jorrit Kronjee (Feb 02)
