I don't want to talk about LFI (local file inclusion) or RFI (remote file inclusion); there are already plenty of articles about those.
I just want to point out some simple facts ;)
I have read a lot of web application source code so far.
And I think one of the most important logical vulnerabilities is the incorrect use of "include" techniques.
I want to explain this with some examples:
———– Begin Example1 ———–
Example1. (ASP, PHP, JSP, ?)
Assume that we have:
1. Admin.asp -> (Secured) which includes Check.asp, Header.asp and Main.asp
2. Check.asp -> checks the admin session
3. Header.asp -> shows the top menu
4. Main.asp -> shows the administrator's main page

So, if I request Admin.asp, the 3 other files I mentioned are executed too.

Question: What happens if I point to Main.asp or Header.asp directly, without going through Admin.asp?
Answer: If Main.asp or Header.asp does not itself include Check.asp, an attacker can see the admin page without having the administrator's credentials!
Result: I have seen a lot of web applications with this problem!

Now assume that Check.asp is something like this:
———– Begin Check.asp ———–
some lines of code blah blah blah
<%
' Get an input from the user
1 Input_CurrentFolder = Request("currentFolder")

2 ' In order to get the root directory we must set an admin session
3 session("admin") = true

4 directory = GetDirectory(Input_CurrentFolder)

' Terminate the admin session, for security!
5 session("admin") = false

%>
some lines of code blah blah blah

———– End Check.asp ———–

I want to talk about the session. What do you think about this code? Is there any security problem?

Question1: How can a user keep session("admin")=true for him/herself?
Answer1: To do that, the user needs to stop execution at line 4, the only statement between setting the flag (line 3) and clearing it again (line 5)!
Question2: Now, how can a user stop execution at line 4?
Answer2: The user must make the program stop at line 4, which means causing an error on that line. Whether that is possible depends on some factors; I want to show you 2 of them, the first of which is related to the subject of this article.

1- First situation: Check.asp does not contain the "GetDirectory" function; it is defined in Header.asp, which Admin.asp includes alongside Check.asp. Now if the attacker points directly to Check.asp, he/she gets the admin session, because the program crashes on line 4 with an undefined function, right after line 3 has set session("admin") to true!
2- Another situation: the "GetDirectory" function does not work with every "Input_CurrentFolder". In other words, "GetDirectory" can be made to crash by some value of "Input_CurrentFolder", which the attacker controls.
Note: the page must not contain something like "On Error Resume Next", which would force the program to continue (and reach line 5).
Result: I think this vulnerability is not a strange one; however, it is not very common. I have seen it in some programs, such as an old version of "hosting controller"!
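To make the "privilege window" in Check.asp concrete, here is the same fragment rendered in PHP (the language of the second example below) so it can be run from the command line. This is an added example, not code from the original post or from any product mentioned in it: getDirectory(), checkVulnerable(), checkFixed() and sessionAfterFailure() are names chosen for the example, and the session is simulated with a plain $_SESSION array rather than a real session store.

```php
<?php
// Added example (not code from the original post): the Check.asp "privilege
// window" rendered in PHP. getDirectory(), checkVulnerable(), checkFixed()
// and sessionAfterFailure() are assumed names; $_SESSION is used as a plain
// array so the script runs under the CLI without a session store.
declare(strict_types=1);

// Stand-in for the GetDirectory helper. Like many such helpers it refuses
// input it does not expect, which is the post's "second situation": a folder
// name the attacker chooses makes this call abort.
function getDirectory(string $currentFolder, bool $rootAllowed): string
{
    if (!preg_match('~^[A-Za-z0-9_/-]+$~', $currentFolder)) {
        throw new InvalidArgumentException("bad folder name: $currentFolder");
    }
    // Only a privileged call may start from the site root (the post's
    // "in order to get the root directory we must set an admin session").
    $root = $rootAllowed ? '/srv/www' : '/srv/www/public';
    return rtrim($root . '/' . trim($currentFolder, '/'), '/');
}

// Vulnerable fragment, line for line as in Check.asp: elevate the session,
// call the helper, drop the elevation. If the middle line throws, the last
// line never runs and the session stays elevated for the rest of the visit.
// The same happens in the post's "first situation": if getDirectory() lived
// in another file that only the entry page includes, a direct request for
// this fragment would die on that line with an undefined-function Error.
function checkVulnerable(string $currentFolder): string
{
    $_SESSION['admin'] = true;                                     // line 3
    $directory = getDirectory($currentFolder, $_SESSION['admin']); // line 4
    $_SESSION['admin'] = false;                                    // line 5
    return $directory;
}

// Fixed fragment: the right to start from the root is an argument scoped to
// this one call and is never written to the session, so there is nothing to
// clean up when the helper fails. The fragment only ever reads the session.
function checkFixed(string $currentFolder): string
{
    return getDirectory($currentFolder, true);
}

// Drive a fragment with an attacker-chosen folder name and report what the
// session flag looks like once the request has "crashed".
function sessionAfterFailure(callable $fragment): bool
{
    $_SESSION = ['admin' => false];   // fresh, unprivileged session
    try {
        $fragment('../../etc');       // rejected by getDirectory()
    } catch (\Throwable $e) {
        // the request died here, exactly as an ASP runtime error would stop it
    }
    return (bool) $_SESSION['admin'];
}

printf("vulnerable fragment: admin flag after error = %s\n",
    var_export(sessionAfterFailure('checkVulnerable'), true));
printf("fixed fragment:      admin flag after error = %s\n",
    var_export(sessionAfterFailure('checkFixed'), true));
```

Run it with `php` on the command line: the vulnerable fragment leaves the admin flag set after the failed call, the fixed one does not. The lesson carries back to ASP unchanged: a privilege that is only needed for one internal call must never be stored in the session, because there is no line of code that is guaranteed to run after a runtime error.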
———– End Example1 ———–
———– Begin Example2 ———–
Example2. (PHP, ?)
This is not a new example, but it is related to this subject.
Assume that we have:
1. SessionControl.php -> (Secured) which controls the user's session
2. EditContent.php -> using this file, the administrator can edit the website's pages
3. AdminContent.php -> (Secured) which includes SessionControl.php and EditContent.php.

And assume that EditContent.php is something like this:
———– Begin EditContent.php ———–
<?php
// Deliberately insecure, as in the post: there is no session_start() here
if (!isset($_SESSION['Level'])) exit();
if ($_SESSION['Level'] == 'admin')
{
    // some lines of code only for admin blah blah blah
}
?>

———– End EditContent.php ———–

You can easily see that EditContent.php is insecure: there is no session_start() in it, so $_SESSION is never loaded from the server-side session store, and everyone can set $_SESSION['Level'] from the request, just like this: http://[something]/EditContent.php?_SESSION[Level]=admin
Note: PHP's register_globals must be on for this.
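The three files from this example as they should fit together, given as an added example rather than the post's code: the file names are the post's, while the IN_ADMIN marker, the 403 responses and the exact checks are assumptions made for the example. The listing shows all three files in one block; split it at the banners into the three files and serve the directory with `php -S` to try it.

```php
<?php
// ---- AdminContent.php: the only entry point ----
// Added example, not the original post's code. File names are the post's;
// the IN_ADMIN marker and the 403 handling are assumptions for this example.
declare(strict_types=1);

// Start the session *before* anything reads $_SESSION. session_start() loads
// $_SESSION from the server-side store, so a _SESSION[Level]=admin parameter
// in the request can no longer populate it.
session_start();

// A marker only the entry point defines. Fragments refuse to run without it,
// so a direct request for EditContent.php gets a 403 instead of the editor.
define('IN_ADMIN', true);

require __DIR__ . '/SessionControl.php';
require __DIR__ . '/EditContent.php';

<?php
// ---- SessionControl.php ----
// Refuse to run outside the entry point, then enforce the level. The level
// is set elsewhere (by the login code) after the password check; this file
// only reads it. The comparison is strict and tolerates a missing key.
if (!defined('IN_ADMIN')) {
    http_response_code(403);
    exit('direct access denied');
}
if (session_status() !== PHP_SESSION_ACTIVE
    || ($_SESSION['Level'] ?? null) !== 'admin') {
    http_response_code(403);
    exit('admin session required');
}

<?php
// ---- EditContent.php ----
// The same guard again: a fragment must not assume that some other file ran
// first, because a direct request skips the entry point entirely.
if (!defined('IN_ADMIN') || ($_SESSION['Level'] ?? null) !== 'admin') {
    http_response_code(403);
    exit('direct access denied');
}
// admin-only editing code goes here
```

Two things outside the code complete the fix: register_globals must be Off in php.ini (the directive was removed altogether in PHP 5.4), and, where the hosting allows it, the fragments should live outside the document root (for example `require dirname(__DIR__) . '/inc/EditContent.php'`) so that they cannot be requested by URL at all, whatever guard they contain.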
———– End Example2 ———–

So, you have seen that catastrophic vulnerabilities can easily be created by bad usage of "include" techniques.

One Response to Why using the “include” techniques are dangerous for the novice developers?

  1. Nooshin says:

    Thanks for your explanation…
