ReadFile() Local File Disclosure
Author : 599eme Man
Contact : flouf@live.fr
[--------------------------------------------]
/-Summary
/-------1] -Introduction
/-------2] -Explanation
/-------3] -Demonstration
/-------4] -How Secure It?
[--------------------------------------------]
1] Introduction
The local File Disclosure is a vulnerability who give the possibility to read the source
code of a file : If the file countain php (or another web language) in the source you will see php
code and you could search other vulnerability in the php code. You could too read config file or
other file. This vulnerability is very dangerous cause you can read file's source and get secret
or important informations like ftp, mysql logins etc...
2] Explanation
This vulnerability is due to the function php : readfile(). Indeed, if this function is not
secure, it will read the file like his name suggests and disclose the source file (all source).
File_get_contents is like readfile but it return the file in a string.
3] Demonstration
Anyfile.php :
##################################
# <?php
#
# echo 'Milw0rm';
#
# ?>
##################################
Readfile.php
##################################
# <?php
#
# $file = $_GET['file'];
#
# $readfile = readfile($file);
#
# ?>
##################################
If you navig on anyfile.php you will see : Milw0rm and in the source : Milw0rm.
Now use readfile.php :
http://www.site.com/readfile.php?file=anyfile.php
No one text will be present on the page but if you look the source, you will see the php source of
anyfile.php.
Imagine a little admin.php like it and you want login on it :
##################################
# <?php
#
# $user = $_GET['user'];
# $password = $_GET['password'];
#
# if($user == 'admin' && $password == 'Milw0rm')
# {
# echo 'Logins are okay';
# }
#
# Else
# {
# echo 'Logins no match';
# }
#
# ?>
##################################
You have just to use the vuln file for read it http://www.site.com/readfile.php?file=admin.php and
look the source you will see all the php source code of admin.php and just to copy/paste for login.
4] How to secure it ?
Just to restricted pages to read with this function like for secure Local file include.
Indeed, if page is restricted the readfile cant read everyfile, just read files allowed to be read,
but files allowed dont countain any sensible file who can disclose secret/important informations
and use by anyone.
Example secure_readfile.php :
##################################
# <?php
#
# if ($_GET['page'] == "index")
# {
# readfile("index.php");
# }
#
# elseif($_GET["page"]=="page2")
# {
# readfile("page2.php");
# }
#
# elseif($_GET["page"]=="blabla")
# {
# readfile("blabla.php");
# }
#
# elseif($_GET["page"]=="etc")
# {
# readfile("etc.php");
# }
#
# else
# {
# die("<center>GTFO</center>");
# }
#
# ?>
##################################
[--------------------------------------------]
Thanks : J.consultant Aka Neocoderz, Shimik Root aka Str0zen, Sheiry, Moudi, Pr0h4ck3rz, Stacker & Security-Shell Community
# milw0rm.com [2009-08-07]