90% of programs made in PHP5 and prior Full Path Disclosure vuln.

:Introduction:

Normally one of the last steps when gaining access to a web server is to find the URL where the web is installed (more common in RFD).

This may be a hard step if the RPD is the only bug in that server, but PHP programs have functions that can unexpectedly return lots of errors.

**** ATTENTION ****
This is a design error made by the programmers of the affected PHP programs; the PHP language by itself is safe.
*******************

Normally a Full Path Disclosure is not dangerous, but in this case 90% of the programs written in PHP are vulnerable.

This is a list of 21 tested programs, in their latest release as of 13/05/06; 19 are vulnerable:

-paFileDB    -    Affected
-PhpWiki     -    Affected (GET Data)
-CuteNews    -    Affected (GET Data)
-SMF         -    Affected (GET POST & COOKIE)
-phpBB       -    Not Affected
-phpNuke     -    Affected
-myBB        -    Affected (POST Data)
-phpMyAdmin  -    Affected
-PHProxy     -    Affected (Cookie & Post Data)
-phpSurveyor -    Affected
-vBulletin   -    Affected (POST Data)
-PunBB       -    Affected (POST Data)
-XMB         -    Affected (just some files)
-IPB         -    Not Affected (some cases)
-Quick Forum -    Affected
-FreeScene   -    Affected (POST Data)
-EBB         -    Affected (just some files)
-tinyBB      -    Affected (no filters xD)
-SciELO      -    Affected (GET Data)
-XOOPS       -    Affected (POST Data)
-SquirrelMail-    Affected

The design error, AMAZINGLY COMMON, is passing an array to a function that expects a STRING.

The main bug found in PHP was:
PHPSESSID *or equivalent* equal to a null-array.

Calling the function session_start() then returns an error like:

Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /%path%/test.php on line 3

** NOTE **
This error also appears when calling with no value (that also bypasses filters).

This will also bypass all cleaning functions such as:

-htmlentities
-urlencode
-etc..

returning an "expecting T_STRING" error.

:Solution:

The only way to detect this is to add the is_array() condition to your filter.

You also have to apply this check to all parameters coming in through $_REQUEST (cookie, GET and POST).

:Other Solution:

Disable all errors and warnings in php.ini.

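One way to apply the is_array() check and the error-display setting described above, as an added example that is not code from the advisory or from any of the listed programs. string_param() and valid_session_id() are hypothetical helper names, and the session id check assumes ids use only the characters the warning lists:

```php
<?php
// Added example: string_param() and valid_session_id() are hypothetical names.

// Keep warnings out of the HTTP response but still record them in the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return $source[$name] as a string, or $default when the parameter is
// missing or was sent as an array (for example ?page[]=1).
function string_param($source, $name, $default = '')
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        return $default;
    }
    return (string) $source[$name];
}

// A session id is acceptable only if it is a non-empty string made of
// the characters the warning lists: a-z, A-Z and 0-9 (assumed id format).
function valid_session_id($value)
{
    return is_string($value) && preg_match('/^[a-zA-Z0-9]+$/D', $value) === 1;
}

// Drop an array-valued or empty session id from cookie, GET and POST
// before session_start() runs.
$name = session_name();
if (isset($_COOKIE[$name]) && !valid_session_id($_COOKIE[$name])) {
    unset($_COOKIE[$name]);
}
if (isset($_GET[$name]) && !valid_session_id($_GET[$name])) {
    unset($_GET[$name]);
}
if (isset($_POST[$name]) && !valid_session_id($_POST[$name])) {
    unset($_POST[$name]);
}
session_start();

// The cleaning functions now always receive a string, never an array.
$page = htmlentities(string_param($_GET, 'page', 'index'), ENT_QUOTES, 'UTF-8');
$user = urlencode(string_param($_POST, 'user'));
```
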
:Dangerous?:

No, but a Path Disclosure can reveal sensitive information.

:Impact:

The path may contain the username of the account, include files and paths, the version of software, the drive where the web is installed, etc.

:Note:

I repeat: THIS IS NOT DANGEROUS; it is only additional help you are giving to hackers that already have access to your server.

:Research made by:
sirdarckcat

elhacker.net