Re: PHP Directory Transversal

From: Andres Molinetti (andymolinetti@hotmail.com)
Date: Thu Mar 10 2005 - 09:48:28 EST


I'm sure that I'm adding the exact number of "../" because I was able to
retrieve phpinfo.php and there I have the DOCUMENT_ROOT server variable...

It's under user Apache...but anyway...it is accessing the files for reading,
and all users have privileges to access the passwd file for reading...

thanks,
Andy

>From: Felikz <securityfocus@felikz.net>
>To: Andres Molinetti <andymolinetti@hotmail.com>
>CC: pen-test@securityfocus.com, webappsec@securityfocus.com
>Subject: Re: PHP Directory Transversal
>Date: Thu, 10 Mar 2005 14:44:17 +0000
>
>Have you tried http://www.example.com/static.php?page=/etc/passwd
>
>?????
>
>Also, the issue you may be hitting is that the website root may be in a
>deeper directory than you think, therefore you may need to do more
>../../../../
>
>It's worth giving a thought to the fact that Apache/PHP may/should be
>running as an underprivileged user and therefore shouldn't have the ability
>to traverse that far.
>
>Andres Molinetti wrote:
>
>>Hi,
>>
>>Working on a Web app testing...I have found that it uses the
>>so-vulnerable method of including files requested by php parameters:
>>
>>www.example.com/static.php?page=hello.htm
>>(htm files are in /templates dir)
>>
>>As the page in the parameter is requested statically, I did a
>>www.example.com/static.php?page=../static.php and I got that page source
>>code.
>>
>>Therefore, I tried doing a
>>www.example.com/static.php?page=../../../../../../etc/passwd
>>but I get an error saying that file doesn't exist.
>>
>>I used the same source code in my server, and I could retrieve the
>>file...what can be happening? I don't think it is under a chroot jail...
>>
>>I'm working with Apache 2.0.48 and PHP 4.3.4
>>and the real server has Apache 2.0.52 and PHP 4.3.9....
>>
>>Thanks in advance,
>>Andy

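A defensive counterpart to the `static.php?page=` pattern discussed in this thread, as an added example that is not part of the original messages or the tested application: it resolves the requested name with `realpath()`, requires the result to stay inside the templates directory, and serves it with `readfile()` instead of `include`. The function name `resolve_template()`, the directory layout and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example (hypothetical names): containment check for a "page" parameter.

function resolve_template(string $baseDir, string $page): ?string
{
    // Empty names and NUL bytes are never valid template names.
    if ($page === '' || strpos($page, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "../", follows symlinks, and returns false if the
    // file does not exist. Prefixing $base also neutralises absolute inputs.
    $target = realpath($base . DIRECTORY_SEPARATOR . $page);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The resolved path must still be located under the templates directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allowlist of extensions that templates are expected to have.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, ['htm', 'html'], true) ? $target : null;
}

// Constructed sample layout: <tmp>/site/static.php and <tmp>/site/templates/hello.htm
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'site_' . getmypid();
mkdir($site . '/templates', 0700, true);
file_put_contents($site . '/templates/hello.htm', "<p>hello</p>\n");
file_put_contents($site . '/static.php', "<?php /* application source */\n");

// Constructed inputs mirroring the request shapes mentioned in the thread.
$requests = ['hello.htm', '../static.php', '../../../../../../etc/passwd', '/etc/passwd'];
foreach ($requests as $page) {
    $path = resolve_template($site . '/templates', $page);
    echo str_pad($page, 32), $path === null ? "rejected\n" : "served: ";
    if ($path !== null) {
        readfile($path); // readfile() outputs bytes; it never executes PHP in the file
    }
}

// Remove the constructed files again.
unlink($site . '/templates/hello.htm');
unlink($site . '/static.php');
rmdir($site . '/templates');
rmdir($site);
```

The prefix comparison includes the trailing directory separator so that a sibling directory whose name merely starts with the templates directory name does not pass the check.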


