[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
George A. Theall
theall at tenablesecurity.com
Thu Apr 26 01:06:49 UTC 2007
On 04/25/07 20:36, Steven M. Christey wrote:
> says that strpos "may return Boolean FALSE, but may also return a
> non-Boolean value which evaluates to FALSE, such as 0". The question then
> becomes how "===" is handled, and whether it's handled uniformly across
> all PHP versions and configs.
It's a PHP 4+ thingy -- the two arguments must compare equal *and* be of
the same type. AFAIK, its behaviour doesn't depend on any configuration
settings.
> There's still an issue if you do this:
>
> http/../../../../etc/passwd
>
> would pass the test and be useful as a directory traversal attack.
>
> (I verified that my PHP 4.4.4 will accept an "up-and-down" traversal with
> a non-existent subdirectory. This usually works in other traversal
> scenarios too, not just PHP.)
I think that works under Windows but not *nix.
> There's a possibility that $feed is processed elsewhere, but I didn't look
> at the code.
I quoted all of it before, only leaving out a comment and the PHP tags
at the start / end.
George
--
theall at tenablesecurity.com
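The two points argued above (whether `strpos(...) === 0` can be fooled, and whether an "up-and-down" traversal string that starts with `http` gets past the check), as an added PHP example. This is not the feed-proxy.php code quoted earlier in the thread; the function names, the constructed sample inputs and the script filename are assumptions of this example.

```php
<?php
// Added example, not code from feed-proxy.php. Run with: php strpos_check.php
// (the filename is an assumption).

// 1. The same "does $feed start with 'http'?" test, written three ways.
//    strpos() returns int 0 for a match at offset 0 and bool false for no
//    match, so only the type-strict form tells the two cases apart.
function starts_with_http_strict(string $feed): bool
{
    return strpos($feed, 'http') === 0;   // true only for int 0
}

function starts_with_http_loose(string $feed): bool
{
    return strpos($feed, 'http') == 0;    // false == 0 is also true: 'ftp://...' passes
}

// A common mis-spelling: "if (!strpos($feed, 'http')) reject" treats a
// match at offset 0 exactly like "not found", so 'http://...' is rejected.
function found_http_negated(string $feed): bool
{
    return !!strpos($feed, 'http');
}

// A check that actually expresses the intent "remote http(s) URL with a host":
// a scheme whitelist plus a non-empty host, instead of a substring test.
function is_remote_http_url(string $feed): bool
{
    $parts = parse_url($feed);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && $parts['host'] !== ''
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed inputs covering the cases raised in the thread.
$inputs = [
    'http://example.com/feed.xml',   // legitimate remote feed
    'ftp://example.com/feed.xml',    // no 'http' at all: strpos() gives false
    '/var/www/http/feed.xml',        // 'http' present, but not at offset 0
    'http/../../../../etc/passwd',   // up-and-down traversal: starts with 'http'
];

foreach ($inputs as $feed) {
    printf("%-30s strict=%d loose=%d negated=%d url=%d\n",
        $feed,
        starts_with_http_strict($feed),
        starts_with_http_loose($feed),
        found_http_negated($feed),
        is_remote_http_url($feed));
}

// 2. Does this OS resolve "dir/no_such_dir/../file" to "dir/file"?
//    Windows normalizes the path lexically before opening it; on Linux the
//    kernel walks the components in order and fails with ENOENT at the
//    missing directory, so the traversal string is only useful on the former.
function up_and_down_resolves(string $existingFile): bool
{
    $probe = dirname($existingFile) . DIRECTORY_SEPARATOR
           . 'no_such_dir_' . uniqid() . DIRECTORY_SEPARATOR
           . '..' . DIRECTORY_SEPARATOR . basename($existingFile);
    return @file_get_contents($probe) !== false;   // @: suppress the ENOENT warning
}

printf("up-and-down traversal through a missing directory resolves on this host: %s\n",
    up_and_down_resolves(__FILE__) ? 'yes' : 'no');
```

Only the strict form distinguishes `ftp://...` (false) from a real prefix match (0), but it still accepts `http/../../../../etc/passwd`, which is why the scheme-and-host check is the one that matters; the final probe reports whether the host you run it on would actually open such a path.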