Advisory #3 - PHP & JSP

From: Paul Brereton (brereton_paulat_private)
Date: Thu Feb 07 2002 - 04:06:56 PST


    Title :PHP and JSP Trailing Slash Exposure
    Author : Paul Brereton
    E-Mail : brereton_paulat_private
    Risk : High
    
    Summary : When writing pages in PHP or JSP, many programmers keep include
    files in the same directory as the file that calls them, so that the file
    can be included without coding a path to it. Requesting such a page with a
    trailing slash appended can make the include fail, which reveals the true
    filesystem path used by the server or, in the JSP case, the content of the
    JSP file that was accessed.
    
    Details :
    
    Example:
    A programmer has two files. The first, ShowData.php, contains:
    
    <?php include('database.php'); ?>
    
    The second is, as expected, called database.php and contains the code
    required to connect to the database.
    
    When a user requests http://someserver/ShowData.php, the base path used to
    resolve the relative include is http://someserver/, so the include loads
    http://someserver/database.php. If a trailing slash is appended to the
    request (i.e. http://someserver/ShowData.php/), the base path becomes
    http://someserver/ShowData.php, and the include statement tries to load
    http://someserver/ShowData.php/database.php, which does not exist.
    
    Because the include file is not found, an error is returned to the user,
    and that error contains the full filesystem path of the include file that
    could not be found.
    
    2nd Example:
    JSP files behave the same way: many pages throw exceptions that show their
    true path. More seriously, it has been found that many JSP pages, when
    requested with a trailing slash (such as form logins that post back to the
    same page to check the login details), return the source code of the JSP,
    which usually contains sensitive information.
    
    Solution:
    Use hard-coded, absolute directory paths in the 'include' statements you
    use (the same goes for 'require' statements), so that the file resolved
    does not depend on how the page was requested.
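
    The following is an added example of the hardened form of ShowData.php; it
    is not code from the advisory. It assumes, for illustration only, that
    database.php sits next to this script and defines a function db_connect().
    It anchors the include to the script's own directory, rejects the extra
    path segment that the trailing slash introduces, and keeps PHP's error
    text out of the response.

```php
<?php
// Added example, not part of the original advisory: ShowData.php rewritten so
// that the file it includes does not depend on how the page was requested.
// Assumptions (illustrative only): database.php sits next to this script and
// defines db_connect(); no real application is being described.

// 1. Refuse the extra path segment a trailing slash produces. A request for
//    ShowData.php/ (or ShowData.php/anything) arrives with a non-empty
//    PATH_INFO, which this script never uses, so reject it up front.
if (isset($_SERVER['PATH_INFO']) && $_SERVER['PATH_INFO'] !== '') {
    http_response_code(404);
    exit('Not found');
}

// 2. Keep PHP's own error text out of the response. A failed include would
//    otherwise print the unresolved filesystem path to the client; log it
//    server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 3. Anchor the include to this file's directory rather than a bare relative
//    name. __DIR__ is resolved from the script's location on disk, so the
//    request URL, the working directory and include_path play no part.
//    (On PHP older than 5.3, dirname(__FILE__) is the equivalent.)
$includeFile = __DIR__ . DIRECTORY_SEPARATOR . 'database.php';

// 4. Fail closed with a generic message if the file is missing, rather than
//    letting the include itself emit a warning containing the path.
if (!is_file($includeFile)) {
    error_log('ShowData.php: missing include ' . $includeFile);
    http_response_code(500);
    exit('Internal error');
}

require_once $includeFile;

// Hypothetical function supplied by database.php (see assumptions above).
$db = db_connect();
```

    To check an existing site for this behaviour, request each page with and
    without a trailing slash and compare the two responses; any difference
    that exposes a filesystem path or source text is the symptom described
    above. Keeping include files outside the web root, so that they can only
    ever be interpreted by the application and never served directly, further
    limits what a path-resolution mistake can expose.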
    



    This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 16:00:18 PST