VincentGoyal / brokencrystals

A Broken Application - Very Vulnerable!
MIT License

Github 1 #53

Open armorcodegithubapp[bot] opened 4 months ago

armorcodegithubapp[bot] commented 4 months ago

Category: Dangerous File Inclusion
Sub Category: null
Instance Id: 0B52892043263519AFAF794356786CFF
Accuracy: 4.0
Impact: 4.0
RemediationEffort: 3.0
Probability: 4.0
Scan Type: Static
Abstract: The file db.php passes an unvalidated filename to a dynamic include statement on line 6. Allowing unvalidated user input to control files that are included dynamically in PHP can lead to malicious code execution.
Trace Details:
onlinetests/app/classes/db.php:6 - Read $_ENV['TOP_ROOT']
Source Snippet:
onlinetests/app/classes/db.php:3

    public function connect() {
        // require the connection file
        //$server = 'www.sonypictures.com';
        require_once($_ENV['TOP_ROOT'] . '/dbconn/qw-sp-mydb-jeop.php');

        $dbName = DB_NAME;


Sink Snippet:
onlinetests/app/classes/db.php:3

    public function connect() {
        // require the connection file
        //$server = 'www.sonypictures.com';
        require_once($_ENV['TOP_ROOT'] . '/dbconn/qw-sp-mydb-jeop.php');

        $dbName = DB_NAME;


Explanation: Many modern web scripting languages enable code re-use and modularization through the ability to include additional source files within one encapsulating file. This ability is often used to apply a standard look and feel to an application (templating), share functions without the need for compiled code, or break the code into smaller more manageable files. Included files are interpreted as part of the parent file and executed in the same manner. File inclusion vulnerabilities occur when the path of the included file is controlled by unvalidated user input.

Even though the data in this case is a number, it is unvalidated and thus still considered malicious, hence the vulnerability is still reported but with reduced priority values.

File inclusion vulnerabilities are one of the most prolific and severe vulnerabilities in PHP applications. Prior to PHP 4.2.0, PHP installations shipped with the register_globals option enabled by default, which permits attackers to easily overwrite internal server variables. Although disabling register_globals can limit a program's exposure to file inclusion vulnerabilities, these problems still occur in modern PHP applications.

Example 1: The following code includes a file under the application defined $server_root in a template.

...
<?php include($server_root . '/myapp_header.php'); ?>
...

If register_globals is set to on, an attacker can overwrite the $server_root value by supplying $server_root as a request parameter, thereby taking partial control of the dynamic include statement.

Example 2: The following code takes a user specified template name and includes it in the PHP page to be rendered.

...
<?php include($_GET['headername']); ?>
...

In Example 2, an attacker can take complete control of the dynamic include statement by supplying a malicious value for headername that causes the program to include a file from an external site.

If the attacker specifies a valid file to a dynamic include statement, the contents of that file will be passed to the PHP interpreter. In the case of a plain text file, such as /etc/shadow, the file might be rendered as part of the HTML output. Worse, if the attacker can specify a path to a remote site controlled by the attacker, then the dynamic include statement will execute arbitrary malicious code supplied by the attacker.

File Path: onlinetests/app/classes/db.php:6

Mitigation: Disable the register_globals option by including the following line in php.ini:

register_globals = Off

Do not allow unvalidated user input to control paths used in dynamic include statements. Instead, a level of indirection should be introduced: create a list of legitimate files for inclusion, and only allow users to select from the list. With this approach, the user cannot directly specify a file from the filesystem. Example 2 could be improved to map user input to a key that selects the desired template, as follows:

<?php
    // Allow-list: the user-supplied key selects a template; the user never supplies a path.
    $templates = array('main' => 'main.php', 'blue' => 'blue.php', 'red' => 'red.php');
?>
...
<?php
    // Only include a file that is present in the allow-list; reject any other key.
    if (isset($_GET['headername']) && isset($templates[$_GET['headername']])) {
        include($templates[$_GET['headername']]);
    }
?>
...

Finding Id : 532026777

armorcodegithubapp[bot] commented 4 months ago

Finding [532026777] status changed to Confirmed Note:
by vincent.goyal@armorcode.io via ArmorCode Platform