.comment-link {margin-left:.6em;}
Xavier's Security Post
Friday, March 31, 2006
  Directory transversal in a can.
Well, not really in a can, more in a bug, or two. I've always found directory transversal bugs to be fun, and that goes way back to when CGI (common gateway interface) was the way to go. now, you have PHP, and numerous other dynamic web structures. They usually suffer the same kind of bugs, simply because of programming error; it should be known by now that developers should use absolute urls, defined internally.

I've recently audited a few smaller projects that used str_replace to strip out "../" or even "./". The problem with that is that it is very much defeatable.
vuln: str_replace("./","",$path);
attack: "../..//../..//../..//etc/passwd"
result: "../../../etc/passwd"
while
vuln: str_replace("../","",$path);
attack: "../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd"
result: "../../../../../../etc/passwd"


This isn't anything new.
 
Comments: Post a Comment

Links to this post:

Create a Link



<< Home
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was apart of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

RECENT RELEASES
Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln

ARCHIVES
September 2005 / October 2005 / November 2005 / December 2005 / March 2006 / April 2006 / May 2006 / June 2006 / July 2006 / September 2006 / October 2006 /