[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
str0ke
str0ke at milw0rm.com
Thu Apr 26 13:39:03 UTC 2007
Tested with php4 + debian latest and worked just fine.
/str0ke
On 4/25/07, George A. Theall <theall at tenablesecurity.com> wrote:
> On 04/25/07 21:19, Steven M. Christey wrote:
>
> > For PHP anyway, it works like a charm on my Solaris box.
> >
> > $feed = "http/../../../test.txt";
> > if($feed != '' && strpos($feed, 'http') === 0){
> > readfile($feed);
> > }
> >
> > (where test.txt is my default directory traversal test file, and the PHP
> > app's location doesn't have an http subdirectory).
>
> Hmmm, I didn't realize Solaris behaved this way.
>
> > That said, I vaguely remember running across situations where a
> > non-existent subdirectory would prevent an attack from working; maybe
> > there are variations depending on whether realpath() is used or not?
>
> I figured it was more of an OS feature; eg, try something like:
>
> ls foo/../../../../../ (*nix)
> dir foo\..\..\..\..\..\..\ (Windows)
>
> from a directory not too far off root.
>
> Btw, I just tried this on Solaris 10 -- it produced an error rather than
> a directory listing.
>
> George
> --
> theall at tenablesecurity.com
>
More information about the VIM
mailing list