[WEB SECURITY] AT&T exposes /etc/passwd , bad php

Matt Parsons mparsons1980 at gmail.com
Mon Jul 27 20:03:00 EDT 2009


I wonder if AT&T did a security review of this application.  If you had one
of the leading vendor tools you could have done a source code analysis of
the code in php and prevent this from happening.   In the future, companies
like AT&T should consider reviewing their PHP code from both a white box and
black box.  At a minimum, I would consider making sure there was proper
permissions on that file.   Personally, I would have written the application
in a language that is a bit more secure like .NET or Java.   

 

Matt

 

 

Matt Parsons, CISSP

315-559-3588 Blackberry

817-238-3325 Home office 

mparsons1980 at gmail.com

www.parsonsisconsulting.com 

 

CISSP_logo

 

From: Kevin Stewart [mailto:kevin.g.stewart at gmail.com] 
Sent: Monday, July 27, 2009 6:21 PM
To: Michael Condon
Cc: Shane Forsythe; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] AT&T exposes /etc/passwd , bad php

 

By the way, the AT&T url breaks semantics by allowing a write condition in a
GET request. Not that leaving an open ended "page=" in a form post would
have been any better...

Kevin S.

On Mon, Jul 27, 2009 at 7:19 PM, Kevin Stewart <kevin.g.stewart at gmail.com>
wrote:

It is semantically correct to use a GET (and querystring) when the request
will not write or change data. 

(see: http://www.w3.org/2001/tag/doc/whenToUseGet.html).

At a minimum though, you cannot bookmark POST requests and their responses
are usually not cached - two very important performance and usability
considerations.

Kevin S.





On Mon, Jul 27, 2009 at 4:11 PM, Michael Condon
<admin at singulartechnologysolutions.com> wrote:

Can anyone convince me (or anyone else) why I should ever use a QUERY_STRING
in a URL?


-----Original Message-----
From: Shane Forsythe [mailto:shane.forsythe at fau.edu]
Sent: Monday, July 27, 2009 1:09 PM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] AT&T exposes /etc/passwd , bad php

In an amazing example of how not to do file operations with php.  AT&T
has the following URL

http://www.research.att.com/areas/visualization/papers_videos/subpage.php?pa
ge=

You can add ANY file to the end and will happily retrieve for you,
though I'd suggest not actually testing it out
(some examples that were vurnable)
../../../../proc/cpuinfo
/etc/passwd

It appears they have taken page offload and our now aware of it, but if
you follow the comments here, it was active for a good portion and
thoroughly combed over
http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_bad
<http://www.reddit.com/r/programming/comments/94z5w/att_exposes_etcpasswd_ba
d%0A_php/> 
_php/


This seems to be an escalating of AT&T event regarding 4chan






----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA





-- 
Kevin G. Stewart




-- 
Kevin G. Stewart

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090727/a3f6dd63/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.jpg
Type: image/jpeg
Size: 2509 bytes
Desc: not available
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090727/a3f6dd63/attachment.jpg>


More information about the websecurity mailing list