ReadFile by dulindall

VIEWS: 10 PAGES: 3

									ReadFile() Local File Disclosure Author : 599eme Man Contact : flouf@live.fr [--------------------------------------------] /-Summary /-------1] /-------2] /-------3] /-------4] -Introduction -Explanation -Demonstration -How Secure It?

[--------------------------------------------]

1] Introduction The local File Disclosure is a vulnerability who give the possibility to read the source code of a file : If the file countain php (or another web language) in the source you will see php code and you could search other vulnerability in the php code. You could too read config file or other file. This vulnerability is very dangerous cause you can read file's source and get secret or important informations like ftp, mysql logins etc...

2] Explanation This vulnerability is due to the function php : readfile(). Indeed, if this function is not secure, it will read the file like his name suggests and disclose the source file (all source). File_get_contents is like readfile but it return the file in a string.

3] Demonstration Anyfile.php : ################################## # <?php # # echo 'Milw0rm'; # # ?> ################################## Readfile.php

################################## # <?php # # $file = $_GET['file']; # # $readfile = readfile($file); # # ?> ################################## If you navig on anyfile.php you will see : Milw0rm and in the source : Milw0rm. Now use readfile.php : http://www.site.com/readfile.php?file=anyfile.php No one text will be present on the page but if you look the source, you will see the php source of anyfile.php. Imagine a little admin.php like it and you want login on it : ################################## # <?php # # $user = $_GET['user']; # $password = $_GET['password']; # # if($user == 'admin' && $password == 'Milw0rm') # { # echo 'Logins are okay'; # } # # Else # { # echo 'Logins no match'; # } # # ?> ################################## You have just to use the vuln file for read it http://www.site.com/readfile.php?file=admin.php and look the source you will see all the php source code of admin.php and just to copy/paste for login.

4] How to secure it ? Just to restricted pages to read with this function like for secure Local file include. Indeed, if page is restricted the readfile cant read everyfile, just read files allowed to be read, but files allowed dont countain any sensible file who can disclose secret/important informations and use by anyone. Example secure_readfile.php :

################################## # <?php # # if ($_GET['page'] == "index") # { # readfile("index.php"); # } # # elseif($_GET["page"]=="page2") # { # readfile("page2.php"); # } # # elseif($_GET["page"]=="blabla") # { # readfile("blabla.php"); # } # # elseif($_GET["page"]=="etc") # { # readfile("etc.php"); # } # # else # { # die("<center>GTFO</center>"); # } # # ?> ################################## [--------------------------------------------] Thanks : J.consultant Aka Neocoderz, Shimik Root aka Str0zen, Sheiry, Moudi, Pr0h4ck3rz, Stacker & Security-Shell Community # milw0rm.com [2009-08-07]


								
To top