Readfile() Local File Disclosure

EDB-ID:

12883

CVE:

N/A




Platform:

Multiple

Date:

2009-08-07


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

ReadFile() Local File Disclosure


Author : 599eme Man
Contact : flouf@live.fr


[--------------------------------------------]


/-Summary

/-------1] -Introduction
/-------2] -Explanation
/-------3] -Demonstration
/-------4] -How Secure It?


[--------------------------------------------]



	1] Introduction

	The local File Disclosure is a vulnerability who give the possibility to read the source 
code of a file : If the file countain php (or another web language) in the source you will see php 
code and you could search other vulnerability in the php code. You could too read config file or 
other file. This vulnerability is very dangerous cause you can read file's source and get secret
or important informations like ftp, mysql logins etc...



	2] Explanation

	This vulnerability is due to the function php : readfile(). Indeed, if this function is not 
secure, it will read the file like his name suggests and disclose the source file (all source).
File_get_contents is like readfile but it return the file in a string.



	3] Demonstration

	Anyfile.php :

##################################
# <?php
#
# echo 'Milw0rm';
#
# ?>
##################################

	Readfile.php

##################################
# <?php
#
# $file = $_GET['file'];
#
# $readfile = readfile($file);
#
# ?>
##################################

If you navig on anyfile.php you will see : Milw0rm and in the source : Milw0rm.

Now use readfile.php :

http://www.site.com/readfile.php?file=anyfile.php

No one text will be present on the page but if you look the source, you will see the php source of 
anyfile.php.

Imagine a little admin.php like it and you want login on it :

##################################
# <?php
#
# $user = $_GET['user'];
# $password = $_GET['password'];
#
# if($user == 'admin' && $password == 'Milw0rm')
# {
# 	echo 'Logins are okay';
# }
#
# Else
# {
#	echo 'Logins no match';
# }
#
# ?>
##################################

You have just to use the vuln file for read it http://www.site.com/readfile.php?file=admin.php and 
look the source you will see all the php source code of admin.php and just to copy/paste for login.



	4] How to secure it ?

Just to restricted pages to read with this function like for secure Local file include.
Indeed, if page is restricted the readfile cant read everyfile, just read files allowed to be read,
but files allowed dont countain any sensible file who can disclose secret/important informations 
and use by anyone.

Example secure_readfile.php :

##################################
# <?php 
# 
# if ($_GET['page'] == "index")
# {
# readfile("index.php");
# }
# 
# elseif($_GET["page"]=="page2")
# {
# readfile("page2.php");
# }
# 
# elseif($_GET["page"]=="blabla")
# {
# readfile("blabla.php");
# }
# 
# elseif($_GET["page"]=="etc")
# {
# readfile("etc.php");
# }
# 
# else
# {
# die("<center>GTFO</center>");
# }
# 
# ?>
##################################


[--------------------------------------------]

Thanks : J.consultant Aka Neocoderz, Shimik Root aka Str0zen, Sheiry, Moudi, Pr0h4ck3rz, Stacker & Security-Shell Community

# milw0rm.com [2009-08-07]