Directory Traversal Vulnerability

  • Tim Tyler

    Directory Traversal Vulnerability

    Today's: "Directory Traversal Vulnerability":

    - http://secunia.com/advisories/10955/

    More evidence that PHP was hacked together rapidly without a great deal
    of thought being given to security.
    --
    __________
    |im |yler http://timtyler.org/ tim@tt1lock.org Remove lock to reply.
  • Andy Hassall

    #2
    Re: Directory Traversal Vulnerability

    On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <tim@tt1lock.org> wrote:

    >Today's: "Directory Traversal Vulnerability":
    >
    > - http://secunia.com/advisories/10955/
    >
    >More evidence that PHP was hacked together rapidly without a great deal
    >of thought being given to security.

    It's evidence that some script named 'phpNewsManager' was hacked together
    rapidly without a great deal of thought being given to security. The same bug
    can be implemented in many languages.

    --
    Andy Hassall <andy@andyh.co.uk> / Space: disk usage analysis tool
    <http://www.andyh.co.uk> / <http://www.andyhsoftware.co.uk/space>


    • Tom Thackrey

      #3
      Re: Directory Traversal Vulnerability


      On 23-Feb-2004, Tim Tyler <tim@tt1lock.org> wrote:

      > Today's: "Directory Traversal Vulnerability":
      >
      > - http://secunia.com/advisories/10955/
      >
      > More evidence that PHP was hacked together rapidly without a great deal
      > of thought being given to security.

      I suggest you attempt to learn the difference between PHP and an application
      written in PHP before you embarrass yourself further.

      --
      Tom Thackrey

      tom (at) creative (dash) light (dot) com
      do NOT send email to jamesbutler@willglen.net (it's reserved for spammers)


      • Reply Via Newsgroup

        #4
        Re: Directory Traversal Vulnerability

        Tim Tyler wrote:

        > Today's: "Directory Traversal Vulnerability":
        >
        > - http://secunia.com/advisories/10955/
        >
        > More evidence that PHP was hacked together rapidly without a great deal
        > of thought being given to security.

        Are you serious? or lonely? If you're the former, read on - If you're
        the latter, then buy a dog and take a walk...

        Read the first two lines of the article you posted... It says

        "G00db0y has reported a vulnerability in phpNewsManager, which can be
        exploited by malicious people to gain knowledge of sensitive information."

        Note where it says "vulnerability in phpNewsManager"

        What part of the above do you not understand?

        And... You say it's "More evidence"? Do you have some equally
        compelling issues that you'd like to share with us? With evidence like
        that, you ought to work for Mr Bush or Mr Blair...




        • Doug Hutcheson

          #5
          Re: Directory Traversal Vulnerability

          "Reply Via Newsgroup" <reply-to-newsgroup@please.com> wrote in message
          news:15w_b.607738$ts4.470009@pd7tw3no...
          > Tim Tyler wrote:
          >
          > > Today's: "Directory Traversal Vulnerability":
          > >
          > > - http://secunia.com/advisories/10955/
          > >
          > > More evidence that PHP was hacked together rapidly without a great deal
          > > of thought being given to security.
          >
          > Are you serious? or lonely? If you're the former, read on - If you're
          > the latter, then buy a dog and take a walk...
          >
          > Read the first two lines of the article you posted... It says
          >
          > "G00db0y has reported a vulnerability in phpNewsManager, which can be
          > exploited by malicious people to gain knowledge of sensitive information."
          >
          > Note where it says "vulnerability in phpNewsManager"
          >
          > What part of the above do you not understand?
          >
          > And... You say it's "More evidence"? Do you have some equally
          > compelling issues that you'd like to share with us? With evidence like
          > that, you ought to work for Mr Bush or Mr Blair...

          Are you saying the OP is a weapon of misdirection?
          "8-P


          --
          Remove the blots from my address to reply



          • Justin Koivisto

            #6
            Re: Directory Traversal Vulnerability

            Reply Via Newsgroup wrote:
            > With evidence like
            > that, you ought to work for Mr Bush or Mr Blair...

            ...or are currently employed by Mr. Gates? ;)

            --
            Justin Koivisto - spam@koivi.com
            PHP POSTERS: Please use comp.lang.php for PHP related questions,
            alt.php* groups are not recommended.
            SEO Competition League: http://seo.koivi.com/


            • Chung Leong

              #7
              Re: Directory Traversal Vulnerability

              Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
              would have deemed that suspicious and threw an exception or something.

              I think sometimes PHP gives programmers too much rope to hang themselves. A
              more sensible setup would set open_basedir initially to the same directory
              as the script, and let the programmer change it to something less
              restrictive.

              User "Andy Hassall" <andy@andyh.co.uk> wrote in message
              news:jmrk30lehpvfc5jj5pui467mhlpkppcif6@4ax.com...
              > On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <tim@tt1lock.org> wrote:
              >
              > >Today's: "Directory Traversal Vulnerability":
              > >
              > > - http://secunia.com/advisories/10955/
              > >
              > >More evidence that PHP was hacked together rapidly without a great deal
              > >of thought being given to security.
              >
              > It's evidence that some script named 'phpNewsManager' was hacked together
              > rapidly without a great deal of thought being given to security. The same bug
              > can be implemented in many languages.
              >
              > --
              > Andy Hassall <andy@andyh.co.uk> / Space: disk usage analysis tool
              > <http://www.andyh.co.uk> / <http://www.andyhsoftware.co.uk/space>



              • Tim Tyler

                #8
                Re: Directory Traversal Vulnerability

                Reply Via Newsgroup <reply-to-newsgroup@please.com> wrote or quoted:
                > Tim Tyler wrote:

                > > Today's: "Directory Traversal Vulnerability":
                > >
                > > - http://secunia.com/advisories/10955/
                > >
                > > More evidence that PHP was hacked together rapidly without a great deal
                > > of thought being given to security.
                >
                > Are you serious? or lonely? If you're the former, read on - If you're
                > the latter, then buy a dog and take a walk...
                >
                > Read the first two lines of the article you posted... It says
                >
                > "G00db0y has reported a vulnerability in phpNewsManager, which can be
                > exploited by malicious people to gain knowledge of sensitive information."
                >
                > Note where it says "vulnerability in phpNewsManager"
                >
                > What part of the above do you not understand?

                I don't recommend trying to patronise me - you'll only wind up
                making yourself look stupid.

                > And... You say it's "More evidence"? Do you have some equally
                > compelling issues that you'd like to share with us? With evidence like
                > that, you ought to work for Mr Bush or Mr Blair...

                The fact that PHP's notion of "fine grained permissions" basically boils
                down to:

                * Safe mode;
                * Not safe mode;

                ...is also pretty damning, IMO.

                You ought to be able to choose to run different scripts in different
                sorts of sandbox with different sorts of security constraints.

                ...and remember "register_globals"? As someone else said:

                ``However, note that PHP doesn't have a particularly good security
                vulnerability track record (e.g., register_globals, a file upload
                problem, and a format string problem in the error reporting library); I
                believe that security issues were not considered sufficiently in early
                editions of PHP.''

                - http://www.dwheeler.com/secure-progr...HOWTO/php.html
                --
                __________
                |im |yler http://timtyler.org/ tim@tt1lock.org Remove lock to reply.


                • Tim Tyler

                  #9
                  Re: Directory Traversal Vulnerability

                  Justin Koivisto <spam@koivi.com> wrote or quoted:
                  > Reply Via Newsgroup wrote:

                  > > With evidence like that, you ought to work for Mr Bush or Mr Blair...
                  >
                  > ...or are currently employed by Mr. Gates? ;)

                  Do you reckon Bill would still hire me? After I wrote:

                  ``Microsoft have now clocked up over a hundred years worth of brimstone
                  and damnation on my hate-o-meter - a feat I am unlikely to forget in a
                  hurry.

                  Currently, they show few signs of turning back from their path to
                  damnation.

                  I'll probably treat them the way the old testament recommends:
                  no respite until the seventh son of the seventh son.'' [usenet, 1999]

                  ...and...

                  ``I don't think I've ever characterised my attitude towards
                  Microsoft as "blind hate".

                  I'm not Microsoft's biggest fan - but to me this seems to be a
                  rational position in the light of their crappy products,
                  shoddy business ethics, and generally soulless and tasteless
                  approach to software.'' [usenet, 2002];

                  ...?
                  --
                  __________
                  |im |yler http://timtyler.org/ tim@tt1lock.org Remove lock to reply.


                  • R. Rajesh Jeba Anbiah

                    #10
                    Re: Directory Traversal Vulnerability

                    [top-post fixed]
                    "Chung Leong" <chernyshevsky@hotmail.com> wrote in message news:<BPydnfNFheTFSKfdRVn-sw@comcast.com>...
                    > User "Andy Hassall" <andy@andyh.co.uk> wrote in message
                    > news:jmrk30lehpvfc5jj5pui467mhlpkppcif6@4ax.com...
                    > > On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <tim@tt1lock.org> wrote:
                    > >
                    > > >Today's: "Directory Traversal Vulnerability":
                    > > >
                    > > > - http://secunia.com/advisories/10955/
                    > > >
                    > > >More evidence that PHP was hacked together rapidly without a great deal
                    > > >of thought being given to security.
                    > >
                    > > It's evidence that some script named 'phpNewsManager' was hacked together
                    > > rapidly without a great deal of thought being given to security. The same bug
                    > > can be implemented in many languages.

                    > Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
                    > would have deemed that suspicious and threw an exception or something.

                    http://[victim]/functions.php?clang=../../../[existing_file]

                    This is what they claim as vulnerability in the application. So, you
                    expect that PHP should throw some exceptions in this case??

                    --
                    "Success is not what you achieve, but it is what you die for"
                    If you live in USA, please support John Edwards.
                    Email: rrjanbiah-at-Y!com


                    • Tom Thackrey

                      #11
                      Re: Directory Traversal Vulnerability


                      On 24-Feb-2004, ng4rrjanbiah@rediffmail.com (R. Rajesh Jeba Anbiah) wrote:

                      > [top-post fixed]
                      > "Chung Leong" <chernyshevsky@hotmail.com> wrote in message
                      > news:<BPydnfNFheTFSKfdRVn-sw@comcast.com>...
                      > > User "Andy Hassall" <andy@andyh.co.uk> wrote in message
                      > > news:jmrk30lehpvfc5jj5pui467mhlpkppcif6@4ax.com...
                      > > > On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <tim@tt1lock.org> wrote:
                      > > >
                      > > > >Today's: "Directory Traversal Vulnerability":
                      > > > >
                      > > > > - http://secunia.com/advisories/10955/
                      > > > >
                      > > > >More evidence that PHP was hacked together rapidly without a great
                      > > > >deal
                      > > > >of thought being given to security.
                      > > >
                      > > > It's evidence that some script named 'phpNewsManager' was hacked
                      > > > together
                      > > > rapidly without a great deal of thought being given to security. The
                      > > > same bug
                      > > > can be implemented in many languages.
                      >
                      > > Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
                      > > would have deemed that suspicious and threw an exception or something.
                      >
                      > http://[victim]/functions.php?clang=../../../[existing_file]
                      >
                      > This is what they claim as vulnerability in the application. So, you
                      > expect that PHP should throw some exceptions in this case??

                      Bad design can cause errors which don't throw exceptions in PHP or ASP.Net
                      or Java or C++ or <insert your favorite language here>.

                      In this case, the error would probably not have caused an exception in
                      ASP.Net either.

                      Nothing is idiot proof. The idiots are too good at what they do.

                      --
                      Tom Thackrey

                      tom (at) creative (dash) light (dot) com
                      do NOT send email to jamesbutler@willglen.net (it's reserved for spammers)


                      • Chung Leong

                        #12
                        Re: Directory Traversal Vulnerability


                        User "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in
                        message news:abc4d8b8.0402242130.2ab0f41a@posting.google.com...
                        > > Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
                        > > would have deemed that suspicious and threw an exception or something.
                        >
                        > http://[victim]/functions.php?clang=../../../[existing_file]
                        >
                        > This is what they claim as vulnerability in the application. So, you
                        > expect that PHP should throw some exceptions in this case??

                        Well, my opinion is that, by default, PHP should restrict all file access,
                        until you've specified base paths where file read/write are permitted.

                        Or at least, have the file functions by default reject paths like
                        /var/temp/../../etc/something. I don't see them occurring frequently under
                        normal circumstances. Remote include should be off by default too.


                        Comment
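
Added example, not part of the original thread and not phpNewsManager's code: a PHP version of the application-level check the posts above argue about, applied to a request of the form `functions.php?clang=...` and to full paths like `/var/temp/../../etc/something`. The function names, the `lang/` directory layout and the sample files are assumptions constructed for this demo.

```php
<?php
declare(strict_types=1);

// True only if $path exists and canonicalises to a location inside $baseDir.
// realpath() collapses "../" sequences and follows symlinks, so the
// comparison is made on the file that would really be opened.
function is_within_base(string $baseDir, string $path): bool
{
    if (strpos($path, "\0") !== false) {
        return false;                       // NUL bytes never belong in a path
    }
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return false;                       // missing base or target: refuse
    }
    // Compare with a trailing separator so "/srv/lang_old" does not pass
    // as being inside "/srv/lang".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

// Map a request value such as ?clang=english to a file under $langDir,
// or return null if the value is not acceptable. (Hypothetical helper.)
function resolve_lang_file(string $langDir, string $clang): ?string
{
    // Layer 1: allow-list the characters, so separators and dots never
    // reach the filesystem layer at all.
    if (preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $clang) !== 1) {
        return null;
    }
    // Layer 2: containment check on the canonical path (catches symlinks
    // and anything layer 1 might later be loosened to admit).
    $candidate = $langDir . DIRECTORY_SEPARATOR . $clang . '.php';
    return is_within_base($langDir, $candidate) ? realpath($candidate) : null;
}

// --- Demo on constructed files in a throwaway temp directory ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'trav_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/lang', 0700, true);
file_put_contents($root . '/lang/english.php', "<?php // constructed sample\n");
file_put_contents($root . '/secret.php', "<?php // constructed file outside lang/\n");

// Constructed request values: one legitimate, the rest should be refused.
$inputs = ['english', '../secret', '../../../etc/passwd', "english\0x", 'missing'];
foreach ($inputs as $in) {
    $hit = resolve_lang_file($root . '/lang', $in);
    printf("%-24s => %s\n", json_encode($in), $hit === null ? 'rejected' : 'ok');
}

// The general check alone, for code that must accept full paths.
var_dump(is_within_base($root . '/lang', $root . '/lang/../secret.php'));
var_dump(is_within_base($root . '/lang', $root . '/lang/english.php'));

// Clean up the constructed files.
unlink($root . '/lang/english.php');
unlink($root . '/secret.php');
rmdir($root . '/lang');
rmdir($root);
```

PHP's `open_basedir` setting, raised earlier in the thread, enforces the same boundary at the interpreter level; the check here is the part the application itself controls.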

                        • Chung Leong

                          #13
                          Re: Directory Traversal Vulnerability


                          User "Tom Thackrey" <use.signature@nospam.com> wrote in message
                          news:8FY_b.2378$HM3.816@newssvr27.news.prodigy.com...
                          > Bad design can cause errors which don't throw exceptions in PHP or ASP.Net
                          > or Java or C++ or <insert your favorite language here>.

                          I haven't seen the code, so I can't say whether it's bad design or what.
                          Looks more like a simple implementation mistake to me.

                          > In this case, the error would probably not have caused an exception in
                          > ASP.Net either.

                          You're right, it doesn't. Rather surprising since it throws an exception
                          when you enter something as harmless as "<i>".

                          > Nothing is idiot proof. The idiots are too good at what they do.

                          Bad programming happens. As things are in PHP, a single slip-up and you fall
                          off the cliff. Some safety railing would be good.



                          • Hello World

                            #14
                            Re: Directory Traversal Vulnerability

                            > Or at least, have the file functions by default reject paths like
                            > /var/temp/../../etc/something.

                            It depends on how your webhost configured it imho.


                            • Tim Tyler

                              #15
                              Re: Directory Traversal Vulnerability

                              R. Rajesh Jeba Anbiah <ng4rrjanbiah@rediffmail.com> wrote or quoted:
                              > "Chung Leong" <chernyshevsky@hotmail.com> wrote in message news:<BPydnfNFheTFSKfdRVn-sw@comcast.com>...
                              > > User "Andy Hassall" <andy@andyh.co.uk> wrote in message
                              > > > On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <tim@tt1lock.org> wrote:

                              > > > >Today's: "Directory Traversal Vulnerability":
                              > > > >
                              > > > > - http://secunia.com/advisories/10955/
                              > > > >
                              > > > >More evidence that PHP was hacked together rapidly without a great deal
                              > > > >of thought being given to security.

                              [...]

                              > > Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
                              > > would have deemed that suspicious and threw an exception or something.
                              >
                              > http://[victim]/functions.php?clang=../../../[existing_file]
                              >
                              > This is what they claim as vulnerability in the application. So, you
                              > expect that PHP should throw some exceptions in this case??

                              Most definitely:

                              Web scripting languages should restrict access to files on the web site
                              that is serving them by default - and under *no* circumstances should they
                              allow access to the system's password file.
                              --
                              __________
                              |im |yler http://timtyler.org/ tim@tt1lock.org Remove lock to reply.
