
[WEB SECURITY] Scanning internal Lan using PHP remote file opening.




Hi all,


Abstract:
-----
Even if some websites are still vulnerable to remote file inclusion (RFI),
this is becoming a quite rare scenario.
Nonetheless, much more often it happens that some of the PHP functions
allowing http or ftp protocol wrappers are exposed to user control.
A perfect example for this technique is a fully controlled getimagesize()
function with allow_url_fopen enabled.
No RFI, no data returned, it could be just used for DoS.

<?php
// User-controlled URL passed straight to a function that honours PHP's
// http/ftp stream wrappers when allow_url_fopen is on.
getimagesize($_GET['image']);
// ...
?>

Obviously there's no RFI, and until yesterday probably nobody would care
about checking, inspecting or exploiting it. This article explains that some
kind of attack could still be accomplished:

LAN scanning and Drive-by Pharming with error matching or time analysis.
------
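The mitigation side of the issue above, as an added example that is not code from the original post or from wisec.it: the vulnerable snippet hands $_GET['image'] straight to getimagesize(), so both the error returned and the time taken leak whether an internal host answered. The hardened version below (assumed names: is_public_ip, validate_image_url, safe_image_info) validates the URL before any wrapper touches it, pins the fetch to the address that was checked, refuses redirects, bounds the timeouts, and returns the same null for every refusal or failure so neither error matching nor timing distinguishes internal hosts. It assumes PHP 7.1+ with the curl extension and an application that legitimately needs images only from public http(s) hosts on default ports.

```php
<?php
// Added hardening example, not from the original post. Validate a user-supplied
// image URL before any URL-wrapper-enabled PHP function sees it, then fetch it
// in a way that cannot be steered at hosts on the internal LAN.
// Assumptions: PHP >= 7.1 with ext/curl; only public http(s) sources on default
// ports are legitimate for this application.

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects loopback, link-local, 0.0.0.0/8 and other reserved
    // ranges. Anything left is treated as public.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Returns [host, port, ip] for an acceptable URL, or null if it must be
// refused. The resolved IP is returned so the caller can pin the fetch to it.
function validate_image_url(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    // http/https only: no ftp://, file://, php://, data: or other wrappers.
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Default port only, so the fetch cannot probe other services on a host.
    $default = ($scheme === 'https') ? 443 : 80;
    $port = $parts['port'] ?? $default;
    if ($port !== $default) {
        return null;
    }
    $host = trim($parts['host'], '[]');   // strip IPv6 literal brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];                   // bare IP literal
    } else {
        $ips = gethostbynamel($host);     // A records only; AAAA-only names are refused
        if ($ips === false || $ips === []) {
            return null;
        }
    }
    // Every address the name resolves to must be public; a name with several
    // records must not be able to slip one internal address past the check.
    foreach ($ips as $ip) {
        if (!is_public_ip($ip)) {
            return null;
        }
    }
    return [$host, $port, $ips[0]];
}

// Fetches the image and returns getimagesize()-style info, or null on any
// refusal or failure (one uniform answer: nothing for error matching to key on).
function safe_image_info(string $url): ?array
{
    $target = validate_image_url($url);
    if ($target === null) {
        return null;
    }
    [$host, $port, $ip] = $target;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a 3xx to an internal address would bypass the check
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"], // pin: no DNS rebinding between check and fetch
        CURLOPT_CONNECTTIMEOUT => 3,       // bounded, constant ceilings on observable delay
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        return null;
    }
    $info = @getimagesizefromstring($body);   // parse from memory, no second wrapper call
    return $info === false ? null : $info;
}

// Usage: where the original called getimagesize($_GET['image']) directly.
$info = safe_image_info($_GET['image'] ?? '');
if ($info === null) {
    http_response_code(400);
    exit('invalid image url');
}
echo "{$info[0]}x{$info[1]} {$info['mime']}\n";
```

Two caveats on the design: the address check and CURLOPT_RESOLVE pin cover IPv4 only, so an IPv6-only deployment needs the same treatment for AAAA records, and the simplest fix of all, where the application never needs remote images, is to set allow_url_fopen (and allow_url_include) to Off in php.ini so the wrapper functions refuse URLs altogether.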

PermaLink:
http://www.wisec.it/sectou.php?id=46d592056b008

Francesco `ascii` Ongaro's POC:
http://www.ush.it/2007/08/29/scanning-dmz-hosts-with-remote-file-opening/

Comments are, as usual, appreciated.

Regards,
Stefano

-- 
...oOOo...oOOo....
Stefano Di Paola
CTO at Minded Security
http://www.mindedsecurity.com

Owasp Italy R&D Director

Web: www.wisec.it
..................
