RIPS Scanner v-0.54 – Local File Include (LFI)

Hi there, 

For those using the RIPS scanner [1] to help analyse PHP code for vulnerabilities: be careful not to leave it running on your network, or exposed to the internet, where anyone can reach it.

In a very brief static code analysis of RIPS itself we found two "Local File Include" (LFI) vulnerabilities, listed below:


1. LFI in "rips/windows/code.php" (lines 102-121): the "file" parameter is passed to file() without any sanitization.

    $file = $_GET['file'];                       // user-controlled, never validated
    $marklines = explode(',', $_GET['lines']);

    if(!empty($file))
    {
        $lines = file($file);                    // LFI: reads any path the web server user can open

        // place line numbers in extra table for more elegant copy/paste without line numbers
        echo '<tr><td><table>';
        for($i=1, $max=count($lines); $i<=$max; $i++)
            echo '<tr><td class="linenrcolumn"><span class="linenr">'.$i.'</span><A id="'.($i+2).'"></A></td></tr>';
        echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';

        $in_comment = false;
        for($i=0; $i<$max; $i++)
        {
            $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
        }
    }



2. LFI in "rips/windows/function.php" (lines 58-72): again the "file" parameter is passed to file() without any sanitization ("start" and "end" are cast to int, so only "file" is dangerous here).

    $file = $_GET['file'];                       // user-controlled, never validated
    $start = (int)$_GET['start'];
    $end = (int)$_GET['end'];

    if(!empty($file))
    {
        $lines = file($file);                    // LFI: same unchecked read as in code.php

        if( isset($lines[$start]) && isset($lines[$end]) )
        {
            for($i=$start; $i<=$end; $i++)
            {
                echo highlightline($lines[$i], $i);
            }
        }
    }                                            // closing brace of the if(!empty($file)) block
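Both fragments need the same fix: canonicalise the requested path and refuse anything that does not resolve to a regular file inside the directory RIPS is meant to display. The following is an added example, not RIPS code; ALLOWED_BASE and read_allowed_file() are assumed names, and it assumes PHP 7.1 or newer.

```php
<?php
// Added example (not part of RIPS): a replacement for the unchecked
// `$lines = file($_GET['file'])` pattern in code.php and function.php.
// ALLOWED_BASE is an assumed constant naming the directory whose files RIPS
// is permitted to display; read_allowed_file() is likewise an assumed name.
const ALLOWED_BASE = '/var/www/scan-target';

/**
 * Return the lines of $requested only if it canonicalises to a regular file
 * inside ALLOWED_BASE; return null otherwise.
 */
function read_allowed_file(string $requested): ?array
{
    // realpath() already fails on php://, data:// and similar wrappers, but
    // reject them explicitly so the intent is visible to the next reader.
    if ($requested === '' || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }

    $base = realpath(ALLOWED_BASE);
    $real = realpath($requested);   // resolves "..", "./" and symlinks
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }

    // Compare against "<base>/" so that a sibling directory such as
    // /var/www/scan-target-old cannot pass as a plain prefix match.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return file($real);
}

// Hardened counterpart of the vulnerable fragments above.
$file  = isset($_GET['file']) ? (string) $_GET['file'] : '';
$lines = read_allowed_file($file);
if ($lines === null) {
    http_response_code(400);
    exit('invalid file');
}
// ... the highlightline() loops continue unchanged, working on $lines ...
```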

 
RIPS also found the vulnerabilities in itself when run against its own source.
Someone else may have found this flaw before, since RIPS hasn't been updated in a while, and could be using it to access sensitive data from unsuspecting users.


A note left on the project website is as follows:


NOTE: RIPS 0.5 development is abandoned. A complete rewrite is in development and used as an academic prototype but it is not publicly available yet. More information about the new version can be found in this paper.


[1] http://rips-scanner.sourceforge.net/

UPDATE:
As mentioned before, someone could have found this glitch, and it really happened, as can be seen in the link below:

http://sourceforge.net/p/rips-scanner/bugs/12/

 
Thanks Reiners.
Originally posted on the Conviso Application Security blog. Follow us on Twitter @conviso and on Google+.
