Just a small note that platform bugs are a poor excuse for sloppy coding, as Juan mentioned.
Allowing unfiltered web user input for use in path names is always a bad idea. Filtering out path delimiters would already be a huge improvement. Nice find by the way.

Regards,
Chris.

On Thu, Jul 8, 2010 at 1:37 PM, Juan Galiana <[email protected]> wrote:
> This "feature" is useful to exploit path traversal in Windows
> environments through web applications.
>
> In this case (I saw it plenty of times):
>
> <?php require_once("help/help_".$_GET['lang'] .".php"); ?>
>
>
> You can exploit it in Windows with this PoC:
>
> http://server/file.php?a=/../../../../../../boot.ini%00
>
>
> because help/help_/../../../../../../boot.ini exists for Windows and
> the non-existing help_ directory is not breaking the instruction.
>
>
> Otherwise, in Linux it is not possible to perform this kind of attack,
> because we can't reference non-existing directories:
>
> $ ls -l noexist/../
> ls: cannot access noexist/../: No such file or directory
>
>
> An attack like http://server/file.php?a=/../../../../../../etc/passwd%00
> won't work.
>
> Good approach!
>
> Best Regards,
>
> On Thu, Jul 8, 2010 at 10:13 AM, Vipul Agarwal <[email protected]>
> wrote:
> > First, the bug seems to be useless but you deployed it cleverly in the
> > PoC. It could be something rare but makes web apps on Windows
> > vulnerable with some exceptions.
> >
> > Nice work!
> >
> > On Thu, Jul 8, 2010 at 1:08 PM, Sagar Belure <[email protected]>
> > wrote:
> >> On Wed, Jul 7, 2010 at 10:54 AM, BlackHawk <[email protected]>
> >> wrote:
> >>> Hi list, I recently discovered a very small Windows XP bug, kind of
> >>> useless alone but that could be useful in some scenarios.
> >>>
> >>> Explanation:
> >>>
> >>> when you try to access a non-existing directory through the shell command
> >>> "cd", XP returns an error (obviously), but if you cd to a non-existing
> >>> one & move one directory up, you'll not get any error.
> >>>
> >>> Example:
> >>> ---
> >>> C:\>cd ./somerandomchars <-- Will give an error
> >>> Impossibile trovare il percorso specificato.
> >>>
> >>> C:\>cd ./somerandomchars/../ <-- Everything is ok
> >>>
> >>> C:\>
> >>> ---
> >>>
> >>> PoC on how to make this thing useful:
> >>>
> >>> http://www.scribd.com/doc/28080332/Podcast-Generator-1-3-Arbitrary-File-Download-Windows
> >>>
> >>> Hope this could be useful for you in some way..
> >>>
> >>> --
> >>> BlackHawk - [email protected]
> >>>
> >>> Sent with Gmail
> >>>
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>
> >>
> >> Never seen this before.
> >> But, it's very obvious, as you are 'changing directory' (cd
> >> thisdoesntexist/) to a non-existing folder and then getting out of
> >> it (../).
> >>
> >> But, there is a difference in evaluation/calculation between Windows
> >> and Linux.
> >> Here is how...
> >>
> >> On Windows box...
> >>
> >> C:\>cd thisdoesntexist/
> >> The system cannot find the path specified.
> >>
> >> C:\>cd thisdoesntexist/../
> >>
> >> C:\>cd thisdoesntexist/thisonetoo/../
> >> The system cannot find the path specified.
> >>
> >> C:\>cd thisdoesntexist/thisonetoo/../../
> >>
> >> C:\>
> >>
> >>
> >> On Linux box...
> >>
> >> o...@ubuntubox:~$ cd thisdoesntexist/
> >> -bash: cd: thisdoesntexist: No such file or directory
> >> o...@ubuntubox:~$ cd thisdoesntexist/../
> >> -bash: cd: thisdoesntexist/../: No such file or directory
> >> o...@ubuntubox:~$
> >>
> >>
> >> --
> >> Thanks,
> >> Sagar Belure
> >> Security Analyst
> >> Secfence Technologies
> >> www.secfence.com
> >>
> >
> > --
> > Thanks and Regards,
> > Vipul Agarwal
> >
>
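For readers who want to see what Chris's "filter the path delimiters" advice and the stricter allow-list approach look like in code: the block below is an added example written for this page, not code from the thread or from any project discussed in it. It reproduces the `require_once("help/help_".$_GET['lang'].".php")` pattern Juan quoted and places two hardened variants beside it. Function names, the language list and the `help/` base directory are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). Shows the vulnerable include pattern
// quoted in the discussion and two ways to fix it. Function names, the
// language list and the base directory are illustrative assumptions.

// Vulnerable pattern, as quoted in the thread: the raw request parameter is
// concatenated into a file path, so "../" sequences (and, on the PHP builds
// of the time, a %00 byte that truncates the ".php" suffix) decide which
// file gets included. On Windows the non-existing "help_" component does
// not even break the path, which is the point of the original post.
function help_path_vulnerable(string $lang): string
{
    return "help/help_" . $lang . ".php";
}

// Fix 1: strict allow-list. The language code can only be one of a fixed
// set of known values, so no path character ever reaches the filesystem.
// This is the preferred fix when the set of valid inputs is small and known.
const ALLOWED_LANGS = ['en', 'es', 'it', 'de'];   // assumed set

function help_path_allowlist(string $lang): ?string
{
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        return null;                                // unknown language: refuse
    }
    return "help/help_" . $lang . ".php";
}

// Fix 2 (defence in depth): a syntactic check that accepts only a short
// lowercase token, which rejects '/', '\', '.', NUL and everything else in
// one rule, followed by a realpath() containment check so that an OS path
// quirk like the one in the thread still cannot resolve outside $baseDir.
function help_path_checked(string $lang, string $baseDir): ?string
{
    if (!preg_match('/\A[a-z]{2,8}\z/', $lang)) {
        return null;                                // not a plain language code
    }

    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . "help_" . $lang . ".php");

    // realpath() returns false for paths that do not exist, so a missing
    // translation is refused explicitly instead of falling through.
    if ($base === false || $file === false) {
        return null;
    }

    // The resolved file must sit strictly inside the resolved base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;                                // resolved outside help/
    }
    return $file;
}

// Usage in file.php (assumed call site):
//   $path = help_path_allowlist($_GET['lang'] ?? 'en');
//   if ($path === null) { http_response_code(400); exit; }
//   require_once $path;
```

The allow-list variant needs no filesystem access and is the one to reach for when valid values are enumerable; the `realpath()` variant is useful when the set of files changes at deploy time, and its prefix comparison uses the resolved paths on both sides so that symlinks and platform-specific normalization (the Windows behaviour in the thread included) are evaluated by the OS before the check, not after it.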
