Bypassing PHP PathInfo

Posted: February 23, 2011 by Hacking & Relax in Skill

The pathinfo() built-in PHP function is often used by programmers to identify the types of files being specified in URLs. Pathinfo will do simple parsing of path and filenames and present an array of useful attributes such as the base name of the file specified or the file extension of the file specified. The following example is provided from the website:

$path_parts = pathinfo('/www/htdocs/index.html');

echo $path_parts['dirname'], "\n";
echo $path_parts['basename'], "\n";
echo $path_parts['extension'], "\n";
echo $path_parts['filename'], "\n"; // since PHP 5.2.0

Which produces the output:


As you can see this is very useful for identifying the types of files that are being requested. However, in many cases developers will use this information as authoritative, relying in pathinfo() to report accurately. Pathinfo’s parsing can be easily bypassed by using the age old trick of appending extra dots and extensions to the filename.

Consider the following example. In the web directory we have two files – test.php and index.php. Test.php contains the following code:

$file = pathinfo($_GET['file']);
if (file_exists($file['basename'])) echo 'Found this file';
else echo 'Could not find this file';

If we call the URL ‘test.php?file=index.jpg’ we get the handy output ‘Could not find this file’ and if we call ‘test.php?file=index.php’ we get ‘Found this file.’ Now, if we were to modify this code to check for valid image file extensions we might end up with something like:

$file = pathinfo($_GET['file']);
if ($file['extension'] == '.jpg') echo 'Valid image file!  ';
if (file_exists($file['basename'])) echo 'Found this file';
else echo 'Could not find this file';

And then we call ‘test.php?file=index.php.jpg’ we understandably see ‘Valid image file! Could not find this file.’ So this could be used to screen out extension overloading.

However, if we append a null byte in our URL by requesting the URL ‘test.php?file=index.php%00.jpg’ we can easily evade the filter checking, resulting in the output ‘Valid image file! Found this file.’ This can be an extremely dangerous vulnerability because a developer using code of this style might think they have successfully limited files they are including to only files with image extensions when in fact attackers can bypass the filter and cause arbitrary file inclusion.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s