Directory Traversal Vulnerability

On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <ti*@tt1lock.org> wrote:

Today's: "Directory Traversal Vulnerability":

- http://secunia.com/advisories/10955/

More evidence tht PHP was hacked together rapidly without a great deal
of thought being given to security.

It's evidence that some script named 'phpNewsManager' was hacked together
rapidly without a great deal of thought being given to security. The same bug
can be implemented in many languages.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
<http://www.andyh.co.uk> / <http://www.andyhsoftware.co.uk/space>

On 23-Feb-2004, Tim Tyler <ti*@tt1lock.org> wrote:

Today's: "Directory Traversal Vulnerability":

- http://secunia.com/advisories/10955/

More evidence tht PHP was hacked together rapidly without a great deal
of thought being given to security.

I suggest you attempt to learn the difference between PHP and an application
written in PHP before you embarrass yourself further.

--
Tom Thackrey
www.creative-light.com
tom (at) creative (dash) light (dot) com
do NOT send email to ja*********@willglen.net (it's reserved for spammers)

Tim Tyler wrote:

Today's: "Directory Traversal Vulnerability":

- http://secunia.com/advisories/10955/

More evidence tht PHP was hacked together rapidly without a great deal
of thought being given to security.

Are you serious? or lonely? If you're the former, read on - If you're
the latter, then buy a dog and take a walk...

Read the first two lines of the article you posted... It says

"G00db0y has reported a vulnerability in phpNewsManager, which can be
exploited by malicious people to gain knowledge of sensitive information."

Note where is says "vulnerability in phpNewsManager"

What part of the above do you not understand?

And... You say its "More evidence" ? Do you have some equally
compelling issues that you'd like to share with us? With evidence like
that, you ought to work for Mr Bush or Mr Blair...

"Reply Via Newsgroup" <re****************@please.com> wrote in message
news:15w_b.607738$ts4.470009@pd7tw3no...

Tim Tyler wrote:

Today's: "Directory Traversal Vulnerability":

- http://secunia.com/advisories/10955/

More evidence tht PHP was hacked together rapidly without a great deal
of thought being given to security.

Are you serious? or lonely? If you're the former, read on - If you're
the latter, then buy a dog and take a walk...

Read the first two lines of the article you posted... It says

"G00db0y has reported a vulnerability in phpNewsManager, which can be
exploited by malicious people to gain knowledge of sensitive information."

Note where is says "vulnerability in phpNewsManager"

What part of the above do you not understand?

And... You say its "More evidence" ? Do you have some equally
compelling issues that you'd like to share with us? With evidence like
that, you ought to work for Mr Bush or Mr Blair...

Are you saying the OP is a weapon of misdirection?
"8-P
--
Remove the blots from my address to reply

Reply Via Newsgroup wrote:

With evidence like
that, you ought to work for Mr Bush or Mr Blair...

....or are currently employed by Mr. Gates? ;)

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.
SEO Competition League: http://seo.koivi.com/

Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
would have deemed that suspicious and threw an exception or something.

I think sometimes PHP gives programmers too much rope to hang themselves. A
more sensible setup would set open_basedir initially to the same directory
as the script, and let the programmer change it to something less
restrictive.

Uzytkownik "Andy Hassall" <an**@andyh.co.uk> napisal w wiadomosci
news:jm********************************@4ax.com...

On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <ti*@tt1lock.org> wrote:

Today's: "Directory Traversal Vulnerability":

- http://secunia.com/advisories/10955/

More evidence tht PHP was hacked together rapidly without a great deal
of thought being given to security.
It's evidence that some script named 'phpNewsManager' was hacked together
rapidly without a great deal of thought being given to security. The same

bug can be implemented in many languages.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
<http://www.andyh.co.uk> / <http://www.andyhsoftware.co.uk/space>

Reply Via Newsgroup <re****************@please.com> wrote or quoted:

Tim Tyler wrote:

Today's: "Directory Traversal Vulnerability":

- http://secunia.com/advisories/10955/

More evidence tht PHP was hacked together rapidly without a great deal
of thought being given to security.

Are you serious? or lonely? If you're the former, read on - If you're
the latter, then buy a dog and take a walk...

Read the first two lines of the article you posted... It says

"G00db0y has reported a vulnerability in phpNewsManager, which can be
exploited by malicious people to gain knowledge of sensitive information."

Note where is says "vulnerability in phpNewsManager"

What part of the above do you not understand?

I don't recommend trying to patronise me - you'll only wind up
making yourself look stupid.
And... You say its "More evidence" ? Do you have some equally
compelling issues that you'd like to share with us? With evidence like
that, you ought to work for Mr Bush or Mr Blair...

The fact that PHP's notion of "fine grained permissions" basically boils
down to:

* Safe mode;
* Not safe mode;

....is also pretty damning, IMO.

You ought to be able to choose to run different scripts in different
sorts of sandbox with different sorts of security constraints.

....and remember "register_globals"? As someone else said:

``However, note that PHP doesn't have a particularly good security
vulnerability track record (e.g., register_globals, a file upload
problem, and a format string problem in the error reporting library); I
believe that security issues were not considered sufficiently in early
editions of PHP.''

- http://www.dwheeler.com/secure-progr...HOWTO/php.html
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.

Justin Koivisto <sp**@koivi.com> wrote or quoted:

Reply Via Newsgroup wrote:

With evidence like that, you ought to work for Mr Bush or Mr Blair...

...or are currently employed by Mr. Gates? ;)

Do you reckon Bill would still hire me? After I wrote:

``Microsoft have now clocked up over a hundred years worth of brimstone
and damnation on my hate-o-meter - a feat I am unlikely to forget in a
hurry.

Currently, they show few signs of turning back from their path to
damnation.

I'll probably treat them the way the old testament recommends:
no respite until the seventh son of the seventh son.'' [usenet, 1999]

....and...

``I don't think I've ever characterised my attitude towards
Microsoft as "blind hate".

I'm not Microsoft's biggest fan - but to me this seems to be a
rational position in the light of their crappy products,
shoddy business ethics, and generally soulless and tasteless
approach to software.'' [usenet, 2002];

....?
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.

[top-post fixed]
"Chung Leong" <ch***********@hotmail.com> wrote in message news:<BP********************@comcast.com>...

Uzytkownik "Andy Hassall" <an**@andyh.co.uk> napisal w wiadomosci
news:jm********************************@4ax.com...

On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <ti*@tt1lock.org> wrote:

Today's: "Directory Traversal Vulnerability":

- http://secunia.com/advisories/10955/

More evidence tht PHP was hacked together rapidly without a great deal
of thought being given to security.
It's evidence that some script named 'phpNewsManager' was hacked together
rapidly without a great deal of thought being given to security. The same

bug

can be implemented in many languages.

Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
would have deemed that suspicious and threw an exception or something.

http://[victim]/functions.php?clang=../../../[existing_file]

This is what they claim as vulnerability in the application. So, you
expect that PHP should throw some exceptions in this case??

--
"Success is not what you achieve, but it is what you die for"
If you live in USA, please support John Edwards.
Email: rrjanbiah-at-Y!com

On 24-Feb-2004, ng**********@rediffmail.com (R. Rajesh Jeba Anbiah) wrote:

[top-post fixed]
"Chung Leong" <ch***********@hotmail.com> wrote in message
news:<BP********************@comcast.com>...

Uzytkownik "Andy Hassall" <an**@andyh.co.uk> napisal w wiadomosci
news:jm********************************@4ax.com...

On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <ti*@tt1lock.org> wrote:

>Today's: "Directory Traversal Vulnerability":
>
> - http://secunia.com/advisories/10955/
>
>More evidence tht PHP was hacked together rapidly without a great
>deal
>of thought being given to security.

It's evidence that some script named 'phpNewsManager' was hacked
together
rapidly without a great deal of thought being given to security. The
same

bug

can be implemented in many languages.

Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
would have deemed that suspicious and threw an exception or something.

http://[victim]/functions.php?clang=../../../[existing_file]

This is what they claim as vulnerability in the application. So, you
expect that PHP should throw some exceptions in this case??

Bad design can cause errors which don't throw exceptions in PHP or ASP.Net
or Java or C++ or <insert your favorite language here>.

In this case, the error would probably not have caused an exception in
ASP.Net either.

Nothing is idiot proof. The idiots are too good at what they do.

--
Tom Thackrey
www.creative-light.com
tom (at) creative (dash) light (dot) com
do NOT send email to ja*********@willglen.net (it's reserved for spammers)

Uzytkownik "R. Rajesh Jeba Anbiah" <ng**********@rediffmail.com> napisal w
wiadomosci news:ab**************************@posting.google.c om...

Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
would have deemed that suspicious and threw an exception or something.

http://[victim]/functions.php?clang=../../../[existing_file]

This is what they claim as vulnerability in the application. So, you
expect that PHP should throw some exceptions in this case??

Well, my opinion is that, by default, PHP should restrict all file access,
until you've specified base paths where file read/write are permitted.

Or at least, have the file functions by default reject paths like
/var/temp/../../etc/something. I don't see them occuring frequently under
normal circumstances. Remote include should be off by default too.

Uzytkownik "Tom Thackrey" <us***********@nospam.com> napisal w wiadomosci
news:8F****************@newssvr27.news.prodigy.com ...

Bad design can cause errors which don't throw exceptions in PHP or ASP.Net
or Java or C++ or <insert your favorite language here>.
I haven't seen the code, so I can't say whether it's bad design or what.
Looks more like a simple implementation mistake to me.
In this case, the error would probably not have caused an exception in
ASP.Net either.
You're right, it doesn't. Rather surprising since it throws an exception
when you enter something as harmless as "<i>".
Nothing is idiot proof. The idiots are too good at what they do.

Bad programming happens. As things are in PHP, a single slip-up and you fall
off the cliff. Some safty railing would be good.

> Or at least, have the file functions by default reject paths like

/var/temp/../../etc/something.

It depends of how your webhost configured it imho.

R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:

"Chung Leong" <ch***********@hotmail.com> wrote in message news:<BP********************@comcast.com>...

Uzytkownik "Andy Hassall" <an**@andyh.co.uk> napisal w wiadomosci

On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <ti*@tt1lock.org> wrote: >Today's: "Directory Traversal Vulnerability":
>
> - http://secunia.com/advisories/10955/
>
>More evidence tht PHP was hacked together rapidly without a great deal
>of thought being given to security.

[...]
Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
would have deemed that suspicious and threw an exception or something.

http://[victim]/functions.php?clang=../../../[existing_file]

This is what they claim as vulnerability in the application. So, you
expect that PHP should throw some exceptions in this case??

Most definitely:

Web scripting languages should restrict access to files on the web site
that is serving them by default - and under *no* circumstances should they
allow access the system's password file.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.

Tim Tyler <ti*@tt1lock.org> wrote in message news:<Ht********@bath.ac.uk>...

R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:

"Chung Leong" <ch***********@hotmail.com> wrote in message news:<BP********************@comcast.com>...

Uzytkownik "Andy Hassall" <an**@andyh.co.uk> napisal w wiadomosci
> On Mon, 23 Feb 2004 20:54:36 GMT, Tim Tyler <ti*@tt1lock.org> wrote: >Today's: "Directory Traversal Vulnerability":
> >
> > - http://secunia.com/advisories/10955/
> >
> >More evidence tht PHP was hacked together rapidly without a great deal
> >of thought being given to security.
[...]
Well, it does show that PHP isn't idiot-proofed enough. ASP.Net probably
would have deemed that suspicious and threw an exception or something.

http://[victim]/functions.php?clang=../../../[existing_file]

This is what they claim as vulnerability in the application. So, you
expect that PHP should throw some exceptions in this case??

Most definitely:

Web scripting languages should restrict access to files on the web site
that is serving them by default - and under *no* circumstances should they
allow access the system's password file.

This argument is completely silly, IMHO; but YMMV.

For me, it sounds like a DOS programmer complaining C for allowing:
system("format c:");

--
"Success is not what you achieve, but it is what you die for"
If you live in USA, please support John Edwards.
Email: rrjanbiah-at-Y!com

R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:

Tim Tyler <ti*@tt1lock.org> wrote in message news:<Ht********@bath.ac.uk>...

R. Rajesh Jeba Anbiah <ng**********@rediffmail.com> wrote or quoted:

http://[victim]/functions.php?clang=../../../[existing_file]

This is what they claim as vulnerability in the application. So, you
expect that PHP should throw some exceptions in this case??

Most definitely:

Web scripting languages should restrict access to files on the web site
that is serving them by default - and under *no* circumstances should they
allow access the system's password file.

This argument is completely silly, IMHO; but YMMV.

For me, it sounds like a DOS programmer complaining C for allowing:
system("format c:");

That sort of security hazzard is one of the reasons people ditched C
in droves in favour of Java - which offers features such as sandboxes
and graduated access permissions, which - if employed - make attacks
carrying this sort of payload impossible.
--
__________
|im |yler http://timtyler.org/ ti*@tt1lock.org Remove lock to reply.