[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure
str0ke
str0ke at milw0rm.com
Thu Apr 26 13:41:27 UTC 2007
Tested with php5 + fedora works as well.
/str0ke
On 4/26/07, str0ke <str0ke at milw0rm.com> wrote:
> Tested with php4 + debian latest and worked just fine.
>
> /str0ke
>
> On 4/25/07, George A. Theall <theall at tenablesecurity.com> wrote:
> > On 04/25/07 21:19, Steven M. Christey wrote:
> >
> > > For PHP anyway, it works like a charm on my Solaris box.
> > >
> > > $feed = "http/../../../test.txt";
> > > if($feed != '' && strpos($feed, 'http') === 0){
> > > readfile($feed);
> > > }
> > >
> > > (where test.txt is my default directory traversal test file, and the PHP
> > > app's location doesn't have an http subdirectory).
> >
> > Hmmm, I didn't realize Solaris behaved this way.
> >
> > > That said, I vaguely remember running across situations where a
> > > non-existent subdirectory would prevent an attack from working; maybe
> > > there are variations depending on whether realpath() is used or not?
> >
> > I figured it was more of an OS feature; eg, try something like:
> >
> > ls foo/../../../../../ (*nix)
> > dir foo\..\..\..\..\..\..\ (Windows)
> >
> > from a directory not too far off root.
> >
> > Btw, I just tried this on Solaris 10 -- it produced an error rather than
> > a directory listing.
> >
> > George
> > --
> > theall at tenablesecurity.com
> >
>
More information about the VIM
mailing list