WebApp Sec mailing list archives
RE: PHP Directory Transversal
From: "Mehmet Buyukozer" <mbuyukozer () gmx co uk>
Date: Fri, 11 Mar 2005 08:50:37 +0200
Hi Andres You said all users have read dccess, have you tried some other files in etc directory? -----Original Message----- From: Andres Molinetti [mailto:andymolinetti () hotmail com] Sent: Thursday, March 10, 2005 4:48 PM To: securityfocus () felikz net Cc: pen-test () securityfocus com; webappsec () securityfocus com Subject: Re: PHP Directory Transversal I'm sure that I'm adding the exact numer of "../" because I was able to retrive phpinfo.php and there I have the DOCUMENT_ROOT server variable... It's under user Apache...but anyway...it is accessing the files for reading, and all users have priviledges to access the passwd file for reading... thanks, Andy
From: Felikz <securityfocus () felikz net> To: Andres Molinetti <andymolinetti () hotmail com> CC: pen-test () securityfocus com, webappsec () securityfocus com Subject: Re: PHP Directory Transversal Date: Thu, 10 Mar 2005 14:44:17 +0000 Have you tried http://www.example.com/static.php?page=/etc/passwd ????? Also, the issue you may be hitting is that the website root may be in a deeper directory that you think, therefore you may need to do more ../../../../ It's worth giving a thought to the fact that Apache/PHP may/should be running as an underprivilaged user and therefore shouldn't have the ability
to traverse that far. Andres Molinetti wrote:Hi, Working on a Web app testing...I have found that the uses the so-vulnerable method of including files requested by php parameters: www.example.com/static.php?page=hello.htm (htm files are in /templates dir) A the page in the parameter is requested statically, I did a www.example.com/static.php?page=../static.php and I got that page source code. Therefore, I tried doing a www.example.com/static.php?page=../../../../../../etc/passwd but I get an error saying that file doesn't exist. I user the same source code in my server, and I could retrieve the file...what can be happening? I don't think it is under a chroot jail... I'm working with Apache 2.0.48 and PHP 4.3.4 and the real server has Apache 2.0.52 an PHP 4.3.9.... Thanks in advance, Andy _________________________________________________________________ Descarga gratis la Barra de Herramientas de MSN http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//ww
w.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH
_________________________________________________________________ Acepta el reto MSN Premium: Protección para tus hijos en internet. Descárgalo y pruébalo 2 meses gratis. http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninf antil -- No virus found in this incoming message. Checked by AVG Anti-Virus. Version: 7.0.308 / Virus Database: 266.7.1 - Release Date: 09.03.2005
Current thread:
- PHP Directory Transversal Andres Molinetti (Mar 13)
- Re: PHP Directory Transversal Felikz (Mar 13)
- Re: PHP Directory Transversal Andres Molinetti (Mar 13)
- RE: PHP Directory Transversal Mehmet Buyukozer (Mar 13)
- Re: PHP Directory Transversal Andres Molinetti (Mar 13)
- Re: PHP Directory Transversal Richard Moore (Mar 13)
- Re: PHP Directory Transversal Sarath Kummamuru (Mar 13)
- RE: PHP Directory Transversal Ravish (Mar 13)
- Re: PHP Directory Transversal David M. Zendzian (Mar 13)
- Re: PHP Directory Transversal John GALLET (Mar 18)
- Re: PHP Directory Transversal Andres Molinetti (Mar 18)
- Re: PHP Directory Transversal Alex 'CAVE' Cernat (Mar 20)
- Re: PHP Directory Transversal Andres Molinetti (Mar 18)
- Re: PHP Directory Transversal Felikz (Mar 13)