[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure

str0ke str0ke at milw0rm.com
Thu Apr 26 13:39:03 UTC 2007


Tested with php4 + debian latest and worked just fine.

/str0ke

On 4/25/07, George A. Theall <theall at tenablesecurity.com> wrote:
> On 04/25/07 21:19, Steven M. Christey wrote:
>
> > For PHP anyway, it works like a charm on my Solaris box.
> >
> >     $feed = "http/../../../test.txt";
> >     if($feed != '' && strpos($feed, 'http') === 0){
> >        readfile($feed);
> >     }
> >
> > (where test.txt is my default directory traversal test file, and the PHP
> > app's location doesn't have an http subdirectory).
>
> Hmmm, I didn't realize Solaris behaved this way.
>
> > That said, I vaguely remember running across situations where a
> > non-existent subdirectory would prevent an attack from working; maybe
> > there are variations depending on whether realpath() is used or not?
>
> I figured it was more of an OS feature; eg, try something like:
>
>    ls foo/../../../../../    (*nix)
>    dir foo\..\..\..\..\..\..\   (Windows)
>
> from a directory not too far off root.
>
> Btw, I just tried this on Solaris 10 -- it produced an error rather than
> a directory listing.
>
> George
> --
> theall at tenablesecurity.com
>
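
The prefix test quoted in the thread, next to a stricter check, as an added example that is not part of the original messages or of the ext code. The helper name `is_remote_feed_url`, the optional host allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Check as quoted in the thread: it only tests that the string begins with
// "http", so a relative path like "http/../../../test.txt" is accepted.
function prefix_check(string $feed): bool
{
    return $feed != '' && strpos($feed, 'http') === 0;
}

// Hypothetical hardened check: the value must parse as an absolute URL with
// an http or https scheme and a host. A relative path has neither.
function is_remote_feed_url(string $feed, array $allowedHosts = []): bool
{
    $parts = parse_url($feed);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Optional allowlist (assumption): restrict the proxy to known feed hosts.
    if ($allowedHosts !== []
        && !in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return false;
    }
    return true;
}

// Constructed sample inputs; the second is the value from the thread.
$samples = [
    'http://feeds.example.org/rss.xml',
    'http/../../../test.txt',
    'httpd.conf',
    'http:test.txt',
    'https://other.example.net/atom.xml',
];

printf("%-38s %-8s %s\n", 'input', 'prefix', 'hardened');
foreach ($samples as $s) {
    printf(
        "%-38s %-8s %s\n",
        $s,
        prefix_check($s) ? 'accept' : 'reject',
        is_remote_feed_url($s, ['feeds.example.org']) ? 'accept' : 'reject'
    );
}
```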

