WebApp Sec mailing list archives

Re: PHP Directory Transversal

From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Thu, 10 Mar 2005 14:48:28 +0000

I'm sure that I'm adding the exact numer of "../" because I was able toretrive phpinfo.php and there I have the DOCUMENT_ROOT server variable...

It's under user Apache...but anyway...it is accessing the files for reading,and all users have priviledges to access the passwd file for reading...


thanks,
Andy

From: Felikz <securityfocus () felikz net>
To: Andres Molinetti <andymolinetti () hotmail com>
CC: pen-test () securityfocus com, webappsec () securityfocus com
Subject: Re: PHP Directory Transversal
Date: Thu, 10 Mar 2005 14:44:17 +0000

Have you tried http://www.example.com/static.php?page=/etc/passwd

?????
Also, the issue you may be hitting is that the website root may be in adeeper directory that you think, therefore you may need to do more../../../../
It's worth giving a thought to the fact that Apache/PHP may/should berunning as an underprivilaged user and therefore shouldn't have the abilityto traverse that far.
Andres Molinetti wrote:
Hi,
Working on a Web app testing...I have found that the uses theso-vulnerable method of including files requested by php parameters:
www.example.com/static.php?page=hello.htm
(htm files are in /templates dir)
A the page in the parameter is requested statically, I did awww.example.com/static.php?page=../static.php and I got that page sourcecode.
Therefore, I tried doing awww.example.com/static.php?page=../../../../../../etc/passwd
but I get an error saying that file doesn't exist.
I user the same source code in my server, and I could retrieve thefile...what can be happening? I don't think it is under a chroot jail...
I'm working with Apache 2.0.48 and PHP 4.3.4
and the real server has Apache 2.0.52 an PHP 4.3.9....

Thanks in advance,
Andy

_________________________________________________________________
Descarga gratis la Barra de Herramientas de MSNhttp://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH


_________________________________________________________________

Acepta el reto MSN Premium: Protección para tus hijos en internet.Descárgalo y pruébalo 2 meses gratis.http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil

Current thread:

PHP Directory Transversal Andres Molinetti (Mar 13)
- Re: PHP Directory Transversal Felikz (Mar 13)
  - Re: PHP Directory Transversal Andres Molinetti (Mar 13)
    - RE: PHP Directory Transversal Mehmet Buyukozer (Mar 13)
- Re: PHP Directory Transversal Richard Moore (Mar 13)
- Re: PHP Directory Transversal Sarath Kummamuru (Mar 13)
- RE: PHP Directory Transversal Ravish (Mar 13)
- Re: PHP Directory Transversal David M. Zendzian (Mar 13)
- Re: PHP Directory Transversal John GALLET (Mar 18)
  - Re: PHP Directory Transversal Andres Molinetti (Mar 18)
    - Re: PHP Directory Transversal Alex 'CAVE' Cernat (Mar 20)