Can using a raw $_GET to fetch a file be insecure?

Question

As a webmaster, I need to identify at risk scripts.

I always write php code that filter user input. I Never trust user input, choose which characters are valid (vs dissallowing some), use php native filtering function (filter_input) or use lib/frameworks utilities.

Today, I was searching for security flaws in downloaded modules and found this code :

if (isset($_GET['css_file_name'])) {        
    $cssFileName = _PS_MODULE_DIR_ . DS . "xxxx" . DS . "css" . DS . $_GET['css_file_name'] . ".css";
    echo file_get_contents($cssFileName);
 }
 echo "";

I think that's insecure, it does not respect the basic rule Never trust user input. So I decided to prove it, I tried to add DEL ascii chars to remove the .css and be able to find any file (a php file with credentials for example) but I did not succeed.

So my question is : is this code really so insecure ? Is it possible to grab a php file with it (can you demonstrate it ?)

Answer 1

Possible attack: The null byte poisoning of the function file_get_contents can reveal or include the contents of incorrect files:

$ ls
file.php  nullbyte.php
$ cat file.php 
I am the contents.
$ cat nullbyte.php 
<?php
$input = "file.php\0.jpg";
echo file_get_contents($input);
echo "\n";
?>
$ php nullbyte.php 
I am the contents.

This information is only relevant for older (unsupported) versions of PHP.

Null byte poisoning has been fixed in PHP 5.3.4 (which it's self is already an old and unsupported PHP version): https://bugs.php.net/bug.php?id=39863.

Possible fix for older PHP versions:

<?php
    $clean = str_replace(chr(0), '', $input);
?>

However, the attacker is able to list all possible CSS files of the whole file system in your example, it's possible to break out of the web root.