[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure

Steven M. Christey coley at linus.mitre.org
Thu Apr 26 01:19:19 UTC 2007


On Wed, 25 Apr 2007, George A. Theall wrote:

> > (I verified that my PHP 4.4.4 will accept an "up-and-down" traversal with
> > a non-existent subdirectory.  This usually works in other traversal
> > scenarios too, not just PHP.)
>
> I think that works under Windows but not *nix.

For PHP anyway, it works like a charm on my Solaris box.

    // attacker-controlled value; begins with "http" but is a relative local path
    $feed = "http/../../../test.txt";
    // only tests that the string *starts* with "http", not that it is a URL
    if($feed != '' && strpos($feed, 'http') === 0){
       readfile($feed);   // plain-file wrapper follows the ../ components
    }

(where test.txt is my default directory traversal test file, and the PHP
app's location doesn't have an http subdirectory).

That said, I vaguely remember running across situations where a
non-existent subdirectory would prevent an attack from working; maybe
there are variations depending on whether realpath() is used or not?

- Steve
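The weak prefix test quoted above, beside a hardened check, as an added example that is not part of the thread (written in Python rather than the PHP of the original; the base directory `/srv/feed-proxy` and the sample inputs are constructed placeholders). It also shows the point raised at the end of the post: lexical normalisation collapses `http/..` whether or not an `http` subdirectory exists, so a prefix check done before normalisation says nothing about where the read will land.

```python
import os
from typing import Optional
from urllib.parse import urlparse


def weak_check(feed: str) -> bool:
    """Mirrors the check in the post: accepts anything that begins with 'http'."""
    return feed != "" and feed.startswith("http")


def is_remote_http_url(feed: str) -> bool:
    """Hardened check: require an http(s) scheme *and* a host, not a bare prefix.
    'http/../../../test.txt' has no scheme separator, so it is rejected."""
    parts = urlparse(feed)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def resolve_inside(base: str, user_path: str) -> Optional[str]:
    """Resolve a user-supplied relative path and refuse anything that escapes base.

    os.path.realpath normalises lexically for components that do not exist, so a
    non-existent 'http' directory is still cancelled by the following '..'.  The
    containment test therefore has to run on the *resolved* path, not the input.
    """
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        return None  # escaped the allowed directory
    return target


# Constructed sample inputs: the traversal string from the post and a benign feed URL.
TRAVERSAL = "http/../../../test.txt"
REMOTE_FEED = "http://feeds.example.invalid/news.xml"
BASE_DIR = "/srv/feed-proxy"  # placeholder application directory


def demo() -> dict:
    """Return what each check decides for the two sample inputs."""
    return {
        "weak_accepts_traversal": weak_check(TRAVERSAL),
        "hardened_accepts_traversal": is_remote_http_url(TRAVERSAL),
        "hardened_accepts_remote": is_remote_http_url(REMOTE_FEED),
        "traversal_resolved": resolve_inside(BASE_DIR, TRAVERSAL),
        "local_feed_resolved": resolve_inside(BASE_DIR, "feeds/local.xml"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The two hardened functions cover the two legitimate cases separately: a remote feed must parse as a real URL with a host, and a local file must resolve to a path under the application's own directory. Neither relies on what the string looks like before normalisation, which is the property the prefix check lacked.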


More information about the VIM mailing list