File Traverse Fopen

EDB-ID: 13652
CVE: N/A
Author: GlaDiaT0R
Type: papers
Platform: Multiple
Date: 2010-03-28


 ###################################################
 # [+]Title: [File Traverse Fopen]
 ###################################################
 # [+] About :
 ###################################################
 # Written by : GlaDiaT0R      the_gl4di4t0r[AT]hotmail[DOT]com
 # Team :  Tunisian Power Team  ( DarkGh0st.Com )
 # Greetz: Boomrang_victim , M4rw3n_Neo & all my friends in security Challenge days 2010
 ###################################################
 # [+]    Summary: I*
 #           [1]-Intro
 #           [2]-Detection & Exploitation
 #           [3]-Source Code Vulnerable
 ###################################################


------------------------------------------

1 : INTRO

The fopen function is common in PHP applications, and a page that is written through fopen can therefore be exposed to several vulnerabilities,
such as XSS, ActiveX (VBS) injection, malicious HTML, PHP injection and others.
File Traverse Fopen is a vulnerability that lets an attacker hijack the way fopen is used so that it writes
to a directory other than the original one (put simply, the attacker chooses where the write lands).
It comes from the fact that the vulnerable source code takes the name of the page to write either from a predefined value or from a variable
carried in a hidden field, which the attacker can then modify for malicious use.

------------------------------------------

2 : DETECTION
A quick check is possible by inspecting the values of the variables carried in hidden fields, either in the page's
source code or in the request that is sent (the contents of the POST or GET variables).
Examples of an "input" whose preset value is not directly visible on the page:
---
<p><input type="radio" name="filename" value="livre.html"></p>
---
<p><input type="hidden" name="filename" value="livre.html"></p>
---
<p><input type="checkbox" name="filename" value="livre.html"></p>
---

It is then enough to replace the contents of the variable (in our example, filename, with the value livre.html) with a third-party location.
Example: "livre.html" becomes "../index.php", which writes to the index.php page in the directory above the location that was originally defined.
Besides changing the preset destination of the fopen write, the attacker can also change the extension.
Changing the extension can in some cases allow PHP code to be written and executed.

-----------------------------------------

3 : SOURCE CODE VULNERABLE

<?php

    // Input is only "cleaned" for display; the file name itself is never validated.
    $filename = stripslashes($_POST['filename']);
    $nom = htmlspecialchars(stripslashes($_POST['nom']));
    $mess = htmlspecialchars(stripslashes($_POST['mess']));

    // Vulnerable line: the client-controlled file name is concatenated into the path,
    // so a value such as "../index.php" escapes the livre/ directory. The @ hides
    // any resulting error from the log.
    $fp = @fopen("livre/{$filename}", 'a');
    @fputs($fp, "$nom - $mess <hr size=\"1\" color=\"black\">");
    @fclose($fp);
?>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Message</title>
</head>
<body>
<form name="form1" action="testtrasvers.php" method="post">
<p align="center"><font color="black">Pseudo :
<input type="text" name="nom">
Message :
<input type="text" name="mess"></font></p>
<p><input type="hidden" name="filename" value="livre.html"></p>
<center>
<input type="reset" name="Submit" value="Effacer">
<input name="go" type="submit" value="Envoyer" onClick="javascript:this.style.visibility ='hidden';">
</center>
</form>
<center>
<a href="testtrasvers.php">testtrasvers.php</a>
<font color="#CCCCCC" size="1"></font>
<?php @include('livre/livre.html'); ?>
</center>
</body>
</html>
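For comparison, here is a hardened version of the same guestbook write, added as an example and not taken from the paper. It covers both the detection idea of section 2 (spotting a traversal value in the submitted field) and the fix for the source of section 3. The directory "livre", the fields "filename", "nom" and "mess", and the default page "livre.html" come from the paper; the function names, the allow-list constant and the logging are assumptions for illustration.

```php
<?php
// Added example, not code from the paper: hardened guestbook write.
// Names and structure are assumed; only "livre", the form fields and
// "livre.html" come from the original text.

// Pages the script is allowed to write to. The hidden field only ever
// needs to select one of these, so any other value is rejected outright.
const GUESTBOOK_PAGES = ['livre.html'];

/**
 * Return true when a submitted value carries a path-traversal attempt:
 * a ".." path segment (with "/" or "\" separators, possibly URL-encoded)
 * or an embedded NUL byte. Intended for logging rejected requests; the
 * allow-list below is the actual defence.
 */
function looks_like_traversal(string $value): bool
{
    $decoded = rawurldecode($value);
    if (strpos($decoded, "\0") !== false) {
        return true;
    }
    // Split on either separator and look for a ".." segment.
    foreach (preg_split('~[\\\\/]+~', $decoded) as $segment) {
        if ($segment === '..') {
            return true;
        }
    }
    return false;
}

/**
 * Map the client-supplied page name to an absolute path inside $baseDir,
 * or return null when it is not one of the allowed names.
 */
function resolve_guestbook_page(string $baseDir, string $name): ?string
{
    if (!in_array($name, GUESTBOOK_PAGES, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Allowed names contain no separators, so the result cannot leave $base.
    return $base . DIRECTORY_SEPARATOR . $name;
}

/**
 * Append one entry to the selected page. Returns false instead of failing
 * silently, so the caller can log and answer with an error status.
 */
function append_guestbook_entry(string $baseDir, string $name, string $nom, string $mess): bool
{
    $path = resolve_guestbook_page($baseDir, $name);
    if ($path === null) {
        return false;
    }
    // Encode for HTML output, then write. No @ so I/O errors reach the log.
    $line = htmlspecialchars($nom, ENT_QUOTES, 'UTF-8') . ' - '
          . htmlspecialchars($mess, ENT_QUOTES, 'UTF-8')
          . "<hr size=\"1\" color=\"black\">\n";
    $fp = fopen($path, 'a');
    if ($fp === false) {
        return false;
    }
    flock($fp, LOCK_EX);
    $ok = fwrite($fp, $line) !== false;
    flock($fp, LOCK_UN);
    fclose($fp);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = (string) ($_POST['filename'] ?? 'livre.html');
    if (looks_like_traversal($name)) {
        // Record the attempt; the value is encoded so the log line stays one line.
        error_log('guestbook: traversal attempt in filename=' . rawurlencode($name));
    }
    $ok = append_guestbook_entry(
        __DIR__ . '/livre',
        $name,
        (string) ($_POST['nom'] ?? ''),
        (string) ($_POST['mess'] ?? '')
    );
    http_response_code($ok ? 200 : 400);
}
```

With this version the value "../index.php" from section 2 never reaches fopen: it fails the allow-list and is only logged. Two further points follow from the paper's own code: the display step uses include('livre/livre.html'), which executes any PHP that reached the file, so a page built from user input should be served with readfile() instead; and the @ operators in the original suppress exactly the errors that would reveal a write to an unexpected path.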