RE: PHP Directory Transversal

["Mehmet Buyukozer" <mbuyukozer () gmx co uk>]

Hi Andres

You said all users have read dccess, have you tried some other files in etc
directory?

-----Original Message-----
From: Andres Molinetti [mailto:andymolinetti () hotmail com] 
Sent: Thursday, March 10, 2005 4:48 PM
To: securityfocus () felikz net
Cc: pen-test () securityfocus com; webappsec () securityfocus com
Subject: Re: PHP Directory Transversal

I'm sure that I'm adding the exact numer of "../" because I was able to 
retrive phpinfo.php and there I have the DOCUMENT_ROOT server variable...

It's under user Apache...but anyway...it is accessing the files for reading,

and all users have priviledges to access the passwd file for reading...

thanks,
Andy

> From: Felikz <securityfocus () felikz net>
> To: Andres Molinetti <andymolinetti () hotmail com>
> CC: pen-test () securityfocus com, webappsec () securityfocus com
> Subject: Re: PHP Directory Transversal
> Date: Thu, 10 Mar 2005 14:44:17 +0000
>
> Have you tried http://www.example.com/static.php?page=/etc/passwd
>
> ?????
>
> Also, the issue you may be hitting is that the website root may be in a 
> deeper directory that you think, therefore you may need to do more 
> ../../../../
>
> It's worth giving a thought to the fact that Apache/PHP may/should be 
> running as an underprivilaged user and therefore shouldn't have the ability

> to traverse that far.
>
> Andres Molinetti wrote:
>
> > Hi,
> >
> > Working on a Web app testing...I have found that the uses the 
> > so-vulnerable method of including files requested by php parameters:
> >
> > www.example.com/static.php?page=hello.htm
> > (htm files are in /templates dir)
> >
> > A the page in the parameter is requested statically, I did a 
> > www.example.com/static.php?page=../static.php and I got that page source 
> > code.
> >
> > Therefore, I tried doing a 
> > www.example.com/static.php?page=../../../../../../etc/passwd
> > but I get an error saying that file doesn't exist.
> >
> > I user the same source code in my server, and I could retrieve the 
> > file...what can be happening? I don't think it is under a chroot jail...
> >
> > I'm working with Apache 2.0.48 and PHP 4.3.4
> > and the real server has Apache 2.0.52 an PHP 4.3.9....
> >
> > Thanks in advance,
> > Andy
> >
> > _________________________________________________________________
> > Descarga gratis la Barra de Herramientas de MSN 
> > http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//ww
w.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH
> >

_________________________________________________________________
Acepta el reto MSN Premium: Protección para tus hijos en internet. 
Descárgalo y pruébalo 2 meses gratis. 
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninf
antil



-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.7.1 - Release Date: 09.03.2005