Friday, March 31, 2006
Directory transversal in a can.
Well, not really in a can, more in a bug, or two. I've always found directory transversal bugs to be fun, and that goes way back to when CGI (common gateway interface) was the way to go. now, you have PHP, and numerous other dynamic web structures. They usually suffer the same kind of bugs, simply because of programming error; it should be known by now that developers should use absolute urls, defined internally.
I've recently audited a few smaller projects that used str_replace to strip out "../" or even "./". The problem with that is that it is very much defeatable.
This isn't anything new. ¶ 3/31/2006 09:33:00 AM
I've recently audited a few smaller projects that used str_replace to strip out "../" or even "./". The problem with that is that it is very much defeatable.
vuln: str_replace("./","",$path);while
attack: "../..//../..//../..//etc/passwd"
result: "../../../etc/passwd"
vuln: str_replace("../","",$path);
attack: "../.../.././../.../.././../.../.././../.../.././../.../.././../.../.././etc/passwd"
result: "../../../../../../etc/passwd"
This isn't anything new. ¶ 3/31/2006 09:33:00 AM