Attack Vector: Log Files

9 Oct 2010

I've had this on my mind for a long time, however I've finally felt like writing it up. How many times have you seen the bad code below?

<?php
include('pages/'.$_GET['page'].'.php');  //insecure code
?>

Any sane sysadmin will turn off allow_url_fopen to help mitigate remote file injection attacks. So your stuck with local file injection instead. However most servers are configured to allow the web server user to read log files as well.
Log files look like (on Apache):

1.1.1.1- - [24/Aug/2010:05:19:38 -0700] "GET /j.php HTTP/1.1" 200 503 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)"
1.1.1.1- - [24/Aug/2010:05:19:39 -0700] "GET /j.php HTTP/1.1" 200 513 "<?php phpinfo(); ?>"

So if you can inject code in the log file by a custom user-agent, a simple http://www.example.com/?page=../../logs/example.com/http/access.log request will let you include the log file with contains the code.