Path traversal ideas


user021

15 Aug, 2013 07:22 AM

I think we still have to make some changes to this module, so I'll mark a few points:

- try to include files and look for error messages (since no file_inclusion module exists, we have to do it here; this valuable info could lead to a shell on PHP by abusing temp files and phpinfo(), see http://insecurety.net/?p=687 )

- as we try to cover more ground, more and more requests are sent, so some users might get bored because the scan is taking too long, or even worse, kill the server. Add depth level control, like one default level that will look for error messages from included files: if no error message is found then only send a few path traversal requests (yes, I know this can't cover everything, but speed comes with a price), but if an error message is found from included files, then send 99% or even all payloads, because then we will have a much higher chance of getting some results. And one more level that will send all payloads no matter whether an error is found or not, so the users who want to do a long, comprehensive scan can do it.

- maybe it would also be worth detecting if PHP allow_url_fopen and allow_url_include are enabled

  1. Support Staff 1 Posted by Tasos Laskos on 15 Aug, 2013 04:12 PM


    I agree with the first point but I'm not sure that the last two are worth having because:

    • Error messages are commonly disabled, so it doesn't make sense to rely on them as a first indicator before running the path_traversal one.
    • Different modules use different techniques and log different kinds of issues; file_inclusion and path_traversal aren't the same thing and one shouldn't affect the other. If a user is satisfied with error messages being enough, he can enable only file_inclusion and not path_traversal.
    • I'm opposed to the depth idea: as the number of modules (and the coverage they provide) grows, so will the number of requests. If you're worried about the server you can adjust the maximum HTTP request concurrency. If you're worried about speed, and in order to get that speed you compromise coverage, then what's the point of scanning?
  2. Support Staff 2 Posted by Tasos Laskos on 15 Aug, 2013 04:17 PM


    Btw, the last one about detecting allow_url_fopen or allow_url_include will be facilitated by the storage of the errors from the error-based file_inclusion module so no need for any extra there.
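The two ideas above, user021's proposal to send the full traversal payload set only once an inclusion warning has proved the parameter reaches include(), and Tasos's note that errors stored by an error-based file_inclusion check already reveal the allow_url_fopen / allow_url_include state, as one added example. This is illustrative code written for this page, not Arachni's module code. It assumes PHP's standard warning wording (include(...): failed to open stream, Failed opening '...' for inclusion (include_path='...'), and <scheme>:// wrapper is disabled in the server configuration by allow_url_include=0); the sample responses are constructed, the payload lists are a small illustrative subset, and all function and constant names are this example's own.

```ruby
# Added example (not Arachni code): pull what PHP inclusion warnings in a
# response reveal, then use that evidence to choose a traversal payload set.
# Warning texts are PHP's own wording as assumed here; samples are constructed.

Evidence = Struct.new(:reflected_paths, :include_path, :allow_url_fopen, :allow_url_include)

# PHP warnings that leak inclusion details. Name => regex with capture groups.
PHP_INCLUSION_WARNINGS = {
  # include(<path>): failed to open stream: ...   (the injected value comes back)
  failed_open: /(?:include|require)(?:_once)?\(([^)]+)\): failed to open stream/i,
  # include(): Failed opening '<path>' for inclusion (include_path='<ini>')
  include_path: /Failed opening '([^']+)' for inclusion \(include_path='([^']*)'\)/i,
  # <scheme>:// wrapper is disabled in the server configuration by allow_url_<x>=0
  url_disabled: /wrapper is disabled in the server configuration by (allow_url_fopen|allow_url_include)=0/i,
  # older PHP wording for allow_url_fopen=0
  url_disabled_legacy: /URL file-access is disabled in the server configuration/i
}.freeze

# Parse one response body. :unknown means the response said nothing about that
# ini setting; it does NOT mean the setting is enabled (display_errors is often off).
def analyze_inclusion_errors(body)
  ev = Evidence.new([], nil, :unknown, :unknown)
  body.scan(PHP_INCLUSION_WARNINGS[:failed_open]).each { |caps| ev.reflected_paths << caps[0] }
  body.scan(PHP_INCLUSION_WARNINGS[:include_path]).each do |path, ini|
    ev.reflected_paths << path
    ev.include_path = ini
  end
  body.scan(PHP_INCLUSION_WARNINGS[:url_disabled]).each do |caps|
    if caps[0].downcase == 'allow_url_fopen'
      ev.allow_url_fopen = false
    else
      ev.allow_url_include = false
    end
  end
  ev.allow_url_fopen = false if body.match?(PHP_INCLUSION_WARNINGS[:url_disabled_legacy])
  ev.reflected_paths.uniq!
  ev
end

# Compare the injected value with how it was reflected: "" means it was used
# verbatim, ".php" means the application appends an extension, nil means the
# value was not reflected at all.
def appended_suffix(evidence, injected)
  hit = evidence.reflected_paths.find { |p| p.include?(injected) }
  return nil unless hit
  hit[(hit.index(injected) + injected.length)..-1]
end

# Illustrative payload lists (a real module carries far more encodings and depths).
QUICK_PAYLOADS = ['../../../../etc/passwd', '..\\..\\..\\..\\windows\\win.ini'].freeze
FULL_PAYLOADS = (QUICK_PAYLOADS + [
  '/etc/passwd',
  '....//....//....//....//etc/passwd',
  '%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd',
  '..%252f..%252f..%252f..%252fetc%252fpasswd'
]).freeze

# Depth control as user021 sketched it. :auto escalates to the full set only
# when a warning proved the parameter reaches include()/fopen(); :thorough
# always sends everything (what Tasos argues a scan should do anyway);
# :quick never escalates.
def select_payloads(evidence, mode)
  case mode
  when :thorough then FULL_PAYLOADS
  when :quick then QUICK_PAYLOADS
  when :auto then evidence.reflected_paths.empty? ? QUICK_PAYLOADS : FULL_PAYLOADS
  else raise ArgumentError, "unknown mode #{mode.inspect}"
  end
end

# Constructed responses standing in for live HTTP replies.
SAMPLE_RESPONSES = {
  local_missing: "<br />\n<b>Warning</b>:  include(../../../../etc/passwd.php): failed to open stream: No such file or directory in <b>/var/www/html/page.php</b> on line <b>12</b><br />\n" \
                 "<b>Warning</b>:  include(): Failed opening '../../../../etc/passwd.php' for inclusion (include_path='.:/usr/share/php') in <b>/var/www/html/page.php</b> on line <b>12</b><br />\n",
  remote_refused: "<br />\n<b>Warning</b>:  include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in <b>/var/www/html/page.php</b> on line <b>12</b><br />\n" \
                  "<b>Warning</b>:  include(http://example.test/x.txt): failed to open stream: no suitable wrapper could be found in <b>/var/www/html/page.php</b> on line <b>12</b><br />\n",
  silent: '<html><body>Page not found</body></html>'
}.freeze

if __FILE__ == $0
  SAMPLE_RESPONSES.each do |name, body|
    ev = analyze_inclusion_errors(body)
    puts "#{name}: reflected=#{ev.reflected_paths.inspect} include_path=#{ev.include_path.inspect} " \
         "allow_url_fopen=#{ev.allow_url_fopen} allow_url_include=#{ev.allow_url_include} " \
         "auto payloads=#{select_payloads(ev, :auto).size}"
  end
end
```

Two details worth keeping in mind when reading the output. First, :unknown is deliberately not collapsed to true: with display_errors off a target emits none of these warnings, which is exactly Tasos's objection to using them as a gate. Second, appended_suffix returning ".php" for the local_missing sample tells you the application appends an extension to the injected value, which is why the full set carries encoding and dot-slash variants the quick set does not.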

  3. 3 Posted by user021 on 15 Aug, 2013 04:22 PM


    So I guess, after all, you decided to add the new module 'file_inclusion'; that's good news.

  4. Support Staff 4 Posted by Tasos Laskos on 15 Aug, 2013 04:24 PM


    I said I'd do it a few weeks ago, just didn't get around to it yet. Will try to add it in the next few days.

  5. Tasos Laskos closed this discussion on 15 Aug, 2013 04:24 PM.

  6. Tasos Laskos re-opened this discussion on 15 Aug, 2013 04:28 PM

  7. Support Staff 5 Posted by Tasos Laskos on 15 Aug, 2013 04:28 PM

  8. Tasos Laskos closed this discussion on 15 Aug, 2013 04:31 PM.
