Home → Suggestions →

Path traversal ideas

• Edit

user021

15 Aug, 2013 07:22 AM

I think we have to do some changes on this module still, so ill mark a few points:

- try to include files and look for error messages (since no file_inclusion module exist ..we gotta do it here, this valuable info could lead to shell on PHP / abusing tempfiles and phpinfo() , see http://insecurety.net/?p=687 )

- as we try to cover more ground, more and more requests are sent, thus some users might get boring because scan is taking too long or even worse, kill the server, add depth level control, like one default level that will look for error messages from included files, if no error message is found then only send a few path traversal requests (yes i know this can't cover all but speed come with a price) but if an error message is found from included files, then send 99% or even all payload because then we will have a much higher change to get some results. and one more level that will send all payloads no matter if error is found or not, so the users who desire to do a long comprehensive scan do it.

-maybe would also worth detecting if PHP allow_url_fopen is enabled and PHP allow_url_include

1. Support Staff 1 Posted by Tasos Laskos on 15 Aug, 2013 04:12 PM

   

   I agree with the first point but I'm not sure that the last two are worth having because:

   • Error messages are commonly disabled, doesn't make sense to rely on them as a first indicator before running the path_traversal one.
   • Different modules use different techniques and log different kinds of issues, file_inclusion and path_traversal aren't the same thing and one shouldn't affect another. If a user is satisfied with just having error messages be enough, he can only enable file_inclusion and not path_traversal.
   • I'm opposed to the depth idea, as the amount of modules (and the coverage they provide) grows, so will the amount of requests. If you're worried about the server you can adjust the maximum HTTP request concurrency. If you're worried about speed and in order to get that speed you compromise coverage then what's the point of scanning?
   • Edit

2. Support Staff 2 Posted by Tasos Laskos on 15 Aug, 2013 04:17 PM

   

   Btw, the last one about detecting allow_url_fopen or allow_url_include will be facilitated by the storage of the errors from the error-based file_inclusion module so no need for any extra there.

   • Edit

3. 3 Posted by user021 on 15 Aug, 2013 04:22 PM

   

   So i guess afterall, you decided to add the new module 'file_inclusion', that's good news.

   • Edit

4. Support Staff 4 Posted by Tasos Laskos on 15 Aug, 2013 04:24 PM

   

   I said I'd do it a few weeks ago, just didn't get around to it yet. Will try to add it in the next few days.

   • Edit

5. Tasos Laskos closed this discussion on 15 Aug, 2013 04:24 PM.

6. Tasos Laskos re-opened this discussion on 15 Aug, 2013 04:28 PM

7. Support Staff 5 Posted by Tasos Laskos on 15 Aug, 2013 04:28 PM

   

   GH issue here: https://github.com/Arachni/arachni/issues/380

   • Edit

8. Tasos Laskos closed this discussion on 15 Aug, 2013 04:31 PM.