Bugtraq mailing list archives

Advisory #3 - PHP & JSP


From: "Paul Brereton" <brereton_paul () btopenworld com>
Date: Thu, 7 Feb 2002 12:06:56 -0000

Title :PHP and JSP Trailing Slash Exposure
Author : Paul Brereton
E-Mail : brereton_paul () btopenworld com
Risk : High

Summary : When writing pages in PHP or JSP, many programmers keep include
files in the same directory as the file calling them. Programmers can then
include the file without having to code the path to the include file. This
allows an attacker to reveal the true directory path used by the server, or
the content of the JSP file accessed.

Details :

Example:
A programmer would have 2 files. The first would be:
ShowData.php:

<?php include('database.php'); ?>

And the second file would obviously be called database.php and contain the
code required to connect to the database.

When a user calls http://someserver/ShowData.php the base path to
database.php is stored in the server variable as http://someserver/ and so
the include will load http://someserver/database.php. However, if you add a
trailing slash to the request (i.e. http://someserver/ShowData.php/) the
base path will be set to http://someserver/ShowData.php, causing the include
statement to try to load http://someserver/ShowData.php/database.php.

Because the include file is not found, an error is thrown back to the user
which includes the full path of the include file that was not found.

2nd Example:
JSP files work in the same way, with many pages throwing exceptions and
showing their true path. Even more seriously, it has been found that many
JSP pages, when submitted with a trailing slash (such as form logins that
redirect to the same page to check the login details), will reveal the source
code of the JSP (which usually contains sensitive information).

Solution:
Use hard coded directory paths in the 'include' statements you use (same
goes for the 'require' statements).
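As an added example (not part of the advisory), here is a hardened ShowData.php
that applies the solution above. The file names are those from the advisory;
the PATH_INFO check, the error-display settings and the missing-file handling
are my additions.

```php
<?php
// Hardened ShowData.php (added example, not the advisory's own code).

// Resolve the include relative to this file's own directory instead of
// relying on the server's idea of the current path, which the trailing-slash
// request shape described in the advisory can shift.
$includeFile = __DIR__ . DIRECTORY_SEPARATOR . 'database.php';

// Requests like /ShowData.php/ arrive with extra path data in PATH_INFO.
// No legitimate caller sends it for this page, so refuse it outright.
if (!empty($_SERVER['PATH_INFO'])) {
    http_response_code(404);
    exit;
}

// Never echo PHP warnings to the client: they contain filesystem paths.
// These two settings belong in php.ini; they are repeated here for clarity.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// If the include is still missing, log the path server-side and return a
// generic error so the client learns nothing about the directory layout.
if (!is_file($includeFile)) {
    error_log('ShowData.php: missing include ' . $includeFile);
    http_response_code(500);
    echo 'Internal server error';
    exit;
}

require $includeFile;
```

Requesting /ShowData.php/ against this version yields a plain 404 instead of
a warning carrying the server's directory path.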
