As a webmaster, I need to identify at risk scripts.
I always write php code that filter user input. I Never trust user input, choose which characters are valid (vs dissallowing some), use php native filtering function (filter_input
) or use lib/frameworks utilities.
Today, I was searching for security flaws in downloaded modules and found this code :
if (isset($_GET['css_file_name'])) {
$cssFileName = _PS_MODULE_DIR_ . DS . "xxxx" . DS . "css" . DS . $_GET['css_file_name'] . ".css";
echo file_get_contents($cssFileName);
}
echo "";
I think that's insecure, it does not respect the basic rule Never trust user input.
So I decided to prove it, I tried to add DEL ascii chars to remove the .css
and be able to find any file (a php file with credentials for example) but I did not succeed.
So my question is : is this code really so insecure ? Is it possible to grab a php file with it (can you demonstrate it ?)
Possible attack: The null byte poisoning of the function file_get_contents
can reveal or include the contents of incorrect files:
$ ls
file.php nullbyte.php
$ cat file.php
I am the contents.
$ cat nullbyte.php
<?php
$input = "file.php\0.jpg";
echo file_get_contents($input);
echo "\n";
?>
$ php nullbyte.php
I am the contents.
This information is only relevant for older (unsupported) versions of PHP.
Null byte poisoning has been fixed in PHP 5.3.4 (which it's self is already an old and unsupported PHP version): https://bugs.php.net/bug.php?id=39863.
Possible fix for older PHP versions:
<?php
$clean = str_replace(chr(0), '', $input);
?>
However, the attacker is able to list all possible CSS files of the whole file system in your example, it's possible to break out of the web root.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With