4

Wondering if there was a possible attack vector still around for LFI attacks that remove the file extension. Obviously the null byte was fixed in previous PHP versions and no longer works, along with file truncation.

To clarify, is there a method of reading /etc/passwd with this code in PHP 5.4.4+ assuming worst case server side settings. 

include( $_GET['page'] . '.php' );
Michał Perłakowski
  • 175
  • 1
  • 12
Peleus
  • 3,827
  • 2
  • 18
  • 20

1 Answers1

5

I don't think this will allow someone to directly include /etc/passwd, but there's still a lot of trouble to be had from this. An attacker might be able to:

  • Trigger a DoS by including the file itself. (Since you're using include, not include_once, it'll recursively keep including the same file.)
  • Include arbitrary scripts on your system, such as copies of phpinfo, leaking sensitive information.
  • Include arbitrary code if they're able to upload files with user-defined extensions.

Please note that if you have allow_url_include=1 in your php.ini, you're opening up for a remote file inclusion vulnerability.

A better approach is whitelisting your pages, or at least using something like basename() or realpath() + dirname() to prevent directory traversal attacks.

David
  • 15,814
  • 3
  • 48
  • 73