[VIM] False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure

George A. Theall theall at tenablesecurity.com
Thu Apr 26 02:01:45 UTC 2007

On 04/25/07 21:19, Steven M. Christey wrote:

> For PHP anyway, it works like a charm on my Solaris box.
>     $feed = "http/../../../test.txt";
>     if($feed != '' && strpos($feed, 'http') === 0){
>        readfile($feed);
>     }
> (where test.txt is my default directory traversal test file, and the PHP
> app's location doesn't have an http subdirectory).

Hmmm, I didn't realize Solaris behaved this way.

> That said, I vaguely remember running across situations where a
> non-existent subdirectory would prevent an attack from working; maybe
> there are variations depending on whether realpath() is used or not?

I figured it was more of an OS feature; eg, try something like:

   ls foo/../../../../../    (*nix)
   dir foo\..\..\..\..\..\..\   (Windows)

from a directory not too far off root.

Btw, I just tried this on Solaris 10 -- it produced an error rather than 
a directory listing.

theall at tenablesecurity.com

More information about the VIM mailing list