[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
George A. Theall
theall at tenablesecurity.com
Thu Apr 26 02:01:45 UTC 2007
On 04/25/07 21:19, Steven M. Christey wrote:
> For PHP anyway, it works like a charm on my Solaris box.
>
> <?php
> // test.txt is the traversal test file; 'http' is not an existing subdirectory
> $feed = "http/../../../test.txt";
> // Prefix check only: passes because $feed starts with the string 'http'
> if ($feed != '' && strpos($feed, 'http') === 0) {
>     readfile($feed);
> }
>
> (where test.txt is my default directory traversal test file, and the PHP
> app's location doesn't have an http subdirectory).
Hmmm, I didn't realize Solaris behaved this way.
> That said, I vaguely remember running across situations where a
> non-existent subdirectory would prevent an attack from working; maybe
> there are variations depending on whether realpath() is used or not?
I figured it was more of an OS feature; e.g., try something like:
ls foo/../../../../../ (*nix)
dir foo\..\..\..\..\..\..\ (Windows)
from a directory not too far off root.
Btw, I just tried this on Solaris 10 -- it produced an error rather than
a directory listing.
George
--
theall at tenablesecurity.com
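The exchange above turns on two separate things: the `strpos($feed, 'http') === 0` test accepts any string that merely begins with the letters "http", and whether a path like `http/../../test.txt` then opens depends on whether the platform applies `..` lexically or walks each component. The following is an added example, not code from the thread or from the ext project, written in Python rather than PHP so it can be run anywhere: it mirrors the weak prefix check, shows a stricter scheme check, computes what a lexically-normalizing platform would open, and actually tries the open against a constructed directory layout (the `app/` directory and `test.txt` file are created in a temp directory for the demo; all function names are the example's own).

```python
import os
import shutil
import tempfile
from urllib.parse import urlparse

# True on Linux/BSD/macOS, where the kernel walks each path component and a
# nonexistent 'http' directory makes 'http/..' fail with ENOENT.
POSIX = os.name == "posix"


def weak_feed_check(feed: str) -> bool:
    """Mirrors the quoted PHP: $feed != '' && strpos($feed, 'http') === 0."""
    return feed != "" and feed.startswith("http")


def strict_feed_check(feed: str) -> bool:
    """Hardened check: require a real http(s) URL with a scheme and a host."""
    parts = urlparse(feed)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def lexical_resolution(feed: str) -> str:
    """What a platform that collapses '..' textually (Windows-style) would open."""
    return os.path.normpath(feed)


def os_resolution(feed: str, cwd: str) -> str:
    """Actually try to open feed relative to cwd; 'opened' or the OS error class."""
    path = os.path.join(cwd, feed)
    try:
        with open(path, "rb") as fh:
            fh.read()
        return "opened"
    except OSError as exc:
        return type(exc).__name__


def demo() -> dict:
    # Constructed layout: <tmp>/app is the "web app" directory with no 'http'
    # subdirectory; <tmp>/test.txt is the file one level above it.
    root = tempfile.mkdtemp()
    try:
        app = os.path.join(root, "app")
        os.mkdir(app)
        with open(os.path.join(root, "test.txt"), "w") as fh:
            fh.write("traversal target\n")

        feed = "http/../../test.txt"  # from app/: http/.. -> app, .. -> root
        result = {
            "weak_accepts": weak_feed_check(feed),
            "strict_accepts": strict_feed_check(feed),
            "strict_accepts_real_url": strict_feed_check("http://example.com/feed.xml"),
            "lexical": lexical_resolution(feed),
            "without_dir": os_resolution(feed, app),
        }
        # Now create the 'http' directory: every component exists, so the
        # same path opens on any platform.
        os.mkdir(os.path.join(app, "http"))
        result["with_dir"] = os_resolution(feed, app)
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a POSIX system `without_dir` reports `FileNotFoundError` while `with_dir` reports `opened`; the weak check accepts the traversal string in both cases, and the strict check rejects it because there is no scheme or host, which is the fix an application should apply regardless of how its platform resolves `..`.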