[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure

Steven M. Christey coley at linus.mitre.org
Thu Apr 26 00:36:47 UTC 2007


On Wed, 25 Apr 2007, George A. Theall wrote:

>    if($feed != '' && strpos($feed, 'http') === 0){
>            header('Content-Type: text/xml');
>            readfile($feed);
>            return;
>    }
>
> Now doesn't the strpos() along with the "===" test mean that the feed
> parameter must start with "http"??? So did Alkomandoz Hacker bother to
> test his/her proof of concept???

Just guessing here...

  http://us2.php.net/manual/en/function.strpos.php

says that strpos "may return Boolean FALSE, but may also return a
non-Boolean value which evaluates to FALSE, such as 0".  The question then
becomes how "===" is handled, and whether it's handled uniformly across
all PHP versions and configs.

BUT...

There's still an issue if you do this:

   http/../../../../etc/passwd

would pass the test and be useful as a directory traversal attack.

(I verified that my PHP 4.4.4 will accept an "up-and-down" traversal with
a non-existent subdirectory.  This usually works in other traversal
scenarios too, not just PHP.)

There's a possibility that $feed is processed elsewhere, but I didn't look
at the code.

> Now I suppose if the remote has allow_url_fopen enabled, you might be
> able to abuse this to try to hide yourself from attacks against
> third-party sites, but that's a separate issue.

readfile() with a URL can also be used for XSS, although people
concentrate so much on RFI that they don't bother pointing this out.

You bring up a very interesting attack angle for attacks against
third-party sites - readfile() as an attack proxy.  I LOVE it!  Wonder if
it's being used in real-world attacks.

PHP, oh PHP, the intricate beauty of your gifts is eternal.

- Steve
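An added example, not code from the False extension or from either poster, contrasting the prefix-only check quoted above with a validator that actually enforces "remote http/https feed from an approved host". The host allowlist (`feeds.example.org`) and the assumption that the proxy should only ever talk to a fixed set of feed servers are mine; the traversal input is the one from the thread:

```php
<?php
// The check as quoted in the thread: only requires the string to *start* with "http",
// so any path beginning with those four letters gets passed to readfile().
function weak_feed_check(string $feed): bool {
    return $feed !== '' && strpos($feed, 'http') === 0;
}

// Stricter check (assumption: feeds are only fetched from a known set of remote
// hosts over http/https; $allowed_hosts would come from the real deployment).
function strict_feed_check(string $feed, array $allowed_hosts): bool {
    $parts = parse_url($feed);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;   // relative paths like "http/../.." have no scheme or host
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;   // rules out file://, php:// and other wrappers
    }
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return false;   // rules out using readfile() as a proxy to arbitrary sites
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;   // userinfo/port tricks that confuse naive host matching
    }
    return true;
}

// Constructed inputs; only the traversal string is taken from the thread.
$cases = [
    'http://feeds.example.org/rss.xml',  // legitimate feed on the approved host
    'http/../../../../etc/passwd',       // passes the prefix check; local file
    'httpfoo',                           // passes the prefix check; not a URL
    'http://third-party.example/',       // real URL but unapproved host (proxy abuse)
    'file:///etc/passwd',                // rejected by both
];
$allowed = ['feeds.example.org'];
foreach ($cases as $c) {
    printf("%-38s weak=%s strict=%s\n", $c,
        weak_feed_check($c) ? 'pass' : 'fail',
        strict_feed_check($c, $allowed) ? 'pass' : 'fail');
}
```

Run with `php feedcheck.php`: the second, third and fourth inputs pass the weak check and fail the strict one, which is the gap Steve describes. Note that the strict check still hands whatever the remote host returns to the browser as `text/xml`, so the allowlist, not the scheme test, is what limits the XSS-via-readfile angle mentioned above.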

