Siegfried wrote: > if(!empty($chemin)) $chemin = stripslashes($chemin); > else $chemin = $depart; [..] > $chemintotal = $chemin; [..] > $handle = @opendir($chemintotal); > $file = @readdir($handle);
> This poor check doesn't secure anything as it doesn't check slashes, and > it's useless, BUT this isn't just a directory traversal as you can do > http://[target]/dir.php?chemin=/etc/ > and it works as well.. hi Siegfried, imho there is no check at all (and stripslashes() is called only to make the script work smooth with magic_quotes on environments) the error suppression shows the poor quality of this code also this code seems to relay on register_globals on.. anyway i found only one location mentioning this script and on the comment board there is a post dated 21/04/03 23:14 about $chemin security > je propose de mettre ces 2 ligne (à la ligne 12 de dir.php) > $chemin=ereg_replace ("..\/", "", $chemin); $chemin=ereg_replace > ("..\%2F", "", $chemin); normalement ca devrait bloquer les petits > malins :) http://www.phpscripts-fr.net/commentaires/commentaires_scripts.php?nom=933 so this bug is pretty old and the script seems to be unmaintained regards, ascii, http://www.ush.it ps: i haven't verified nor downloaded "ExplorerXP", but obviously i completely trust your code snippet : ) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
