Sunday, March 1, 2015

[Code Review] RIPS Scanner v-0.54 - Local File Include (LFI)

Hi there, 

For those using the RIPS scanner [1] to help analyse vulnerabilities in PHP code: do not leave it running on a shared network or reachable from the internet, where anyone can access it.




A very brief static review of RIPS turned up two "Local File Include" (LFI) issues, listed below. In both cases the user-supplied path goes to file(), which reads the file and echoes it back with syntax highlighting, rather than to include(), so the practical impact is disclosure of any file the web server user can read (configuration files, credentials, other source trees) rather than code execution.



1. LFI at "rips/windows/code.php": the "file" parameter is passed to file() without any sanitization.

    // rips/windows/code.php, lines 102-121 (vulnerable as shipped in 0.54)
    $file = $_GET['file'];
    $marklines = explode(',', $_GET['lines']);

    if(!empty($file))
    {
            $lines = file($file);   // arbitrary path from the query string

            // place line numbers in extra table for more elegant copy/paste without line numbers
            echo '<tr><td><table>';
            for($i=1, $max=count($lines); $i<=$max;$i++)
                    echo "<tr><td class=\"linenrcolumn\"><span class=\"linenr\">$i</span><A id='".($i+2).'\'></A></td></tr>';
            echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';

            $in_comment = false;
            for($i=0; $i<$max; $i++)
            {
                    $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
            }
    }



2. LFI at "rips/windows/function.php": the "file" parameter is passed to file() without any sanitization; only "start" and "end" are cast to integers.

    // rips/windows/function.php, lines 58-72 (vulnerable as shipped in 0.54)
    $file = $_GET['file'];
    $start = (int)$_GET['start'];
    $end = (int)$_GET['end'];

    if(!empty($file))
    {
            $lines = file($file);   // arbitrary path from the query string

            if( isset($lines[$start]) && isset($lines[$end]) )
            {
                    for($i=$start; $i<=$end; $i++)
                    {
                            echo highlightline($lines[$i], $i);
                    }
            }
    }   // closing brace of the outer if, not shown in the quoted excerpt

RIPS also reports these two vulnerabilities when run against its own source tree.
Since RIPS has not been updated in a while, someone else may well have found this flaw before and could be using it to read sensitive data from unsuspecting users.


A note left on the project website reads as follows:

NOTE: RIPS 0.5 development is abandoned. A complete rewrite is in development and used as an academic prototype but it is not publicly available yet. More information about the new version can be found in this paper.

[1] http://rips-scanner.sourceforge.net/



UPDATE:
As mentioned above, someone could have found this flaw already, and indeed they had, as can be seen in the bug report below:

http://sourceforge.net/p/rips-scanner/bugs/12/

Thanks Reiners.

Posted previously in http://blog.conviso.com.br/2014/07/rips-scanner-v-054-local-file-include.html by the same author. 
