|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
RE: PHP Directory Transversal
From: Mehmet Buyukozer (mbuyukozer
gmx.co.uk)
Date: Fri Mar 11 2005 - 00:50:37 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Andres
You said all users have read dccess, have you tried some other files in etc
directory?
-----Original Message-----
From: Andres Molinetti [mailto:andymolinettihotmail.com]
Sent: Thursday, March 10, 2005 4:48 PM
To: securityfocusfelikz.net
Cc: pen-testsecurityfocus.com; webappsecsecurityfocus.com
Subject: Re: PHP Directory Transversal
I'm sure that I'm adding the exact numer of "../" because I was able to
retrive phpinfo.php and there I have the DOCUMENT_ROOT server variable...
It's under user Apache...but anyway...it is accessing the files for reading,
and all users have priviledges to access the passwd file for reading...
thanks,
Andy
>From: Felikz <securityfocusfelikz.net>
>To: Andres Molinetti <andymolinettihotmail.com>
>CC: pen-testsecurityfocus.com, webappsecsecurityfocus.com
>Subject: Re: PHP Directory Transversal
>Date: Thu, 10 Mar 2005 14:44:17 +0000
>
>Have you tried http://www.example.com/static.php?page=/etc/passwd
>
>?????
>
>Also, the issue you may be hitting is that the website root may be in a
>deeper directory that you think, therefore you may need to do more
>../../../../
>
>It's worth giving a thought to the fact that Apache/PHP may/should be
>running as an underprivilaged user and therefore shouldn't have the ability
>to traverse that far.
>
>Andres Molinetti wrote:
>
>>Hi,
>>
>>Working on a Web app testing...I have found that the uses the
>>so-vulnerable method of including files requested by php parameters:
>>
>>www.example.com/static.php?page=hello.htm
>>(htm files are in /templates dir)
>>
>>A the page in the parameter is requested statically, I did a
>>www.example.com/static.php?page=../static.php and I got that page source
>>code.
>>
>>Therefore, I tried doing a
>>www.example.com/static.php?page=../../../../../../etc/passwd
>>but I get an error saying that file doesn't exist.
>>
>>I user the same source code in my server, and I could retrieve the
>>file...what can be happening? I don't think it is under a chroot jail...
>>
>>I'm working with Apache 2.0.48 and PHP 4.3.4
>>and the real server has Apache 2.0.52 an PHP 4.3.9....
>>
>>Thanks in advance,
>>Andy
>>
>>_________________________________________________________________
>>Descarga gratis la Barra de Herramientas de MSN
>>http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//ww
w.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH
>>
>>
_________________________________________________________________
Acepta el reto MSN Premium: Protección para tus hijos en internet.
Descárgalo y pruébalo 2 meses gratis.
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninf
antil
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.7.1 - Release Date: 09.03.2005
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]