smbfs and apache+php source code disclosure

2007.12.22
Risk: Low
Local: No
Remote: Yes
CWE: CWE-200


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Because of different filename handling in Posix and Windows there is an issue with resolving filenames with a backslash "\" character appended on a windows share. Consider you have a windows share mounted on a linux box with a php script on it - let's say info.php. Executing find info.php and find info.php\\ results with the same file - info.php (same with cat info.php\\). When using this share to serve PHP scripts with apache (from a linux box) you can use it to display php script content directly to your browser. In apache, scripts are mapped to engines using the AddType directive with file extension specified. Text files with extensions not handled by any AddType are considered as plain text. When visiting http://linuxbox/winshare/info.php - you get you script executed. When visiting http://linuxbox/winshare/info.php\ or http://linuxbox/winshare/info.php%5C - you get your script content displayed, revealing any details like database passwords etc. The reason is obvious, smbfs finds file info.php\, but apache doesn't have the extension php\ mapped to php engine. The same should apply to perl scripts with mod_perl. I don't know if this is something new, maybe it is some configuration mistake. I have just confirmed it on a freshly installed debian etch box with all security updates applied using default settings of apache and smbfs. Regards Maciej


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top