[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure

George A. Theall theall at tenablesecurity.com
Thu Apr 26 01:06:49 UTC 2007


On 04/25/07 20:36, Steven M. Christey wrote:

> says that strpos "may return Boolean FALSE, but may also return a
> non-Boolean value which evaluates to FALSE, such as 0".  The question then
> becomes how "===" is handled, and whether it's handled uniformly across
> all PHP versions and configs.

It's a PHP 4+ thingy -- the two arguments must compare equal *and* be of 
the same type. AFAIK, its behaviour doesn't depend on any configuration 
settings.

> There's still an issue if you do this:
> 
>    http/../../../../etc/passwd
> 
> would pass the test and be useful as a directory traversal attack.
> 
> (I verified that my PHP 4.4.4 will accept an "up-and-down" traversal with
> a non-existent subdirectory.  This usually works in other traversal
> scenarios too, not just PHP.)

I think that works under Windows but not *nix.

> There's a possibility that $feed is processed elsewhere, but I didn't look
> at the code.

I quoted all of it before, only leaving out a comment and the PHP tags 
at the start / end.


George
-- 
theall at tenablesecurity.com
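As an added illustration (not code from feed-proxy.php or from either poster; it assumes PHP 7+ and uses a hypothetical $feed parameter), the loose and strict strpos() prefix tests discussed above sit beside a scheme-and-host validation, all run over the "up-and-down" traversal string quoted in the thread:

```php
<?php
// Added example, not the feed-proxy.php code: compares a loose and a strict strpos()
// prefix test with a scheme/host validation. $feed stands in for the untrusted
// parameter discussed in the thread (assumption: PHP 7+).

// Loose comparison: strpos() returns false when "http" is absent, and false == 0 is
// true in PHP, so a value with no "http" in it at all slips through.
function loose_prefix_accepts(string $feed): bool {
    return strpos($feed, 'http') == 0;
}

// Strict comparison: "===" requires equal value AND type, so only a real match at
// offset 0 passes. It still says nothing about what follows the prefix.
function strict_prefix_accepts(string $feed): bool {
    return strpos($feed, 'http') === 0;
}

// Stricter check: require an absolute URL with an allowed scheme and a non-empty host.
// "http/../../../../etc/passwd" has no scheme separator, so parse_url() yields no scheme.
function is_allowed_feed_url(string $feed): bool {
    $parts = parse_url($feed);
    if ($parts === false) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    return in_array($scheme, ['http', 'https'], true)
        && ($parts['host'] ?? '') !== '';
}

// Constructed sample inputs, including the traversal string quoted in the thread.
$samples = [
    'http://example.com/feed.xml',
    'http/../../../../etc/passwd',
    '../../../../etc/passwd',
];
foreach ($samples as $feed) {
    printf("%-30s loose:%s strict:%s url:%s\n", $feed,
        loose_prefix_accepts($feed) ? 'pass' : 'fail',
        strict_prefix_accepts($feed) ? 'pass' : 'fail',
        is_allowed_feed_url($feed) ? 'pass' : 'fail');
}
```

Only the first sample passes the URL check; the traversal string passes both prefix tests, which is the point of the thread.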

