
Improve web application security with jQuery Mobile

Learn how to secure your mobile applications

John Leitch, Application Security Consultant, Freelance
John Leitch is an independent application security consultant living in Grand Rapids, Michigan. Working primarily with web applications, he specializes in fuzz testing, dynamic analysis, and code review. Always on the hunt for bugs, he frequently releases vulnerability advisories.

Summary:  Many web developers consider security a low priority. Security is frequently relegated to the end of the software development life cycle, as little more than an afterthought. Sometimes, software security is neglected entirely, resulting in applications rife with common vulnerabilities. Because such bugs might manifest only under conditions present during an attack, they can be hard to detect prior to such events without knowledge of how the exploitation process works. Using a web application built with jQuery Mobile, PHP, and MySQL, this tutorial shows how many types of vulnerabilities occur along with common methods of exploitation and, most importantly, their respective countermeasures.

Date:  03 May 2011
Level:  Intermediate
PDF:  A4 and Letter (462 KB | 29 pages)

File inclusion

There are two types of file inclusion: remote and local. As the name implies, this type of vulnerability allows an attacker to include an arbitrary file. Whether the result is disclosure of the file's contents or its execution as code depends on the nature of the exploit. With PHP, remote file inclusion is generally not possible if allow_url_fopen is disabled in the php.ini file.

Exploitation

The language cookie in CMA is vulnerable to local file inclusion and, if the server is configured to allow opening URLs, remote file inclusion. By passing a series of traversal sequences followed by a folder and file outside of the webroot, and then a null byte to terminate the string, arbitrary files can be included. Listing 23 shows a malicious request that includes the win.ini file.


Listing 23. A malicious request that attempts to retrieve the win.ini file of the server

GET http://localhost/cma/insecure/index.php HTTP/1.1
Host: localhost
Connection: keep-alive
Referer: http://localhost/cma/insecure/index.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.16 (KHTML,
  like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,
  image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: language=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2fwin.ini%00

Listing 24 shows the server's response.


Listing 24. The server's response showing a successful attack

HTTP/1.1 200 OK
Date: Sun, 20 Mar 2011 20:59:41 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l 
mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=39q2aarl86t01j697vrb6ekjf2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6142
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
m2v=MPEGVideo
mod=MPEGVideo
[Trimmed]

Note that null byte poisoning of paths no longer works as of PHP 5.3.4. In some instances, though, it is not required, so do not consider this alone as a fix for file inclusion vulnerabilities.

Aside from disclosing arbitrary files, file inclusion can sometimes be used to trick the server into interpreting arbitrary file types (such as JPEG images) as code.


Prevent file inclusion

If possible, avoid passing user input to any function that reads or includes files. Where that cannot be avoided, validate the input against a whitelist, as Listing 25 does. If the set of valid values is too large for a whitelist, check for traversal sequences and null bytes and reject the request outright (do not attempt to sanitize it). Also ensure that the server, not the client, appends the file extension to the user-submitted filename.


Listing 25. Updated language selection code that blocks file inclusion attacks

<?php
// Whitelist of language files that actually ship with the application.
$languages = array(
    "en-us",
    "en-ca"
);

if (isset($_COOKIE['language']))
{
    // Only an exact whitelist match reaches require_once; the server adds the extension.
    if (in_array($_COOKIE['language'], $languages))
        require_once($_COOKIE['language'] . ".php");
    else
        die("Invalid language.");
}

Because the updated code allows only cookie values contained within the languages array, users can no longer exploit the language selection functionality to include arbitrary files.
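The fallback the text describes for value sets too large to whitelist (reject null bytes and traversal sequences without sanitizing, let the server append the extension, and confirm the resolved path stays inside the language folder), as an added PHP example that is not part of the tutorial's CMA code; the temporary language directory, its en-us.php file and the resolveLanguageFile function are constructed for this demonstration.

```php
<?php
// Added example (not from the tutorial): reject-don't-sanitize validation for a
// language selector, plus the server-side extension append the text recommends.

/** Returns the absolute include path, or null if the request must be rejected. */
function resolveLanguageFile(string $value, string $langDir): ?string
{
    // A null byte would have truncated the path in PHP < 5.3.4 (see Listing 23).
    if (strpos($value, "\0") !== false) {
        return null;
    }
    // Traversal sequences or any path separator: reject the request, do not strip.
    if (preg_match('#\.\.|[/\\\\]#', $value)) {
        return null;
    }
    // Positive check on the shape of a language tag such as "en-us".
    if (!preg_match('/^[a-z]{2}-[a-z]{2}$/', $value)) {
        return null;
    }
    // The server, not the client, supplies the extension.
    $real = realpath($langDir . '/' . $value . '.php');
    $base = realpath($langDir);
    // Defence in depth: the canonical path must lie below the language folder.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed fixture: a temporary language folder holding only en-us.php.
$langDir = sys_get_temp_dir() . '/cma_lang_' . getmypid();
mkdir($langDir);
file_put_contents($langDir . '/en-us.php', "<?php \$greeting = 'Hello';\n");

$inputs = [
    'en-us',                                                              // accepted
    urldecode('..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2fwin.ini%00'), // Listing 23 payload
    'en-us/../../index',                                                  // traversal
    'fr-fr',                                                              // well-formed but not shipped
];
foreach ($inputs as $input) {
    $result = resolveLanguageFile($input, $langDir);
    printf("%-60s -> %s\n", json_encode($input), $result === null ? 'rejected' : 'accepted');
}

unlink($langDir . '/en-us.php');
rmdir($langDir);
```

Only the first input resolves to a path; the application would pass that path to require_once and answer the others with the same "Invalid language." response as Listing 25.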

While local file inclusion is a serious threat, the consequences of the attack described in the upcoming sections can be even more severe.

