RIPS Scanner v-0.54 – Local File Include (LFI)

Hi there, 

For those using the RIPS scanner [1] to help with the analysis of vulnerabilities in PHP code: be careful not to leave it running on your network or exposed to the internet, where anyone can reach it.

In a very brief static code analysis of RIPS we found two "Local File Include" (LFI) vulnerabilities, listed below. In both cases the "file" request parameter is passed straight to file(), so whoever can reach the RIPS web interface can read any file the web server user is allowed to open.

1. LFI at "rips/windows/code.php" (lines 102-121) – it lacks sanitization of the "file" parameter.

    $file = $_GET['file'];
    $marklines = explode(',', $_GET['lines']);

    if(!empty($file))
    {
        // $file comes straight from the request: any path readable by the web server is served
        $lines = file($file);

        // place line numbers in extra table for more elegant copy/paste without line numbers
        echo '<tr><td><table>';
        for($i=1, $max=count($lines); $i<=$max; $i++)
            echo '<tr><td class="linenrcolumn"><span class="linenr">'.$i.'</span><A id="'.($i+2).'"></A></td></tr>';
        echo '</table></td><td id="codeonly"><table id="codetable" width="100%">';

        $in_comment = false;
        for($i=0; $i<$max; $i++)
        {
            $in_comment = highlightline($lines[$i], $i+1, $marklines, $in_comment);
        }
    }



2. LFI at "rips/windows/function.php" (lines 58-72) – it lacks sanitization of the "file" parameter.

    $file = $_GET['file'];
    $start = (int)$_GET['start'];
    $end = (int)$_GET['end'];

    if(!empty($file))
    {
        // same pattern as code.php: the unchecked request value is opened directly
        $lines = file($file);

        if( isset($lines[$start]) && isset($lines[$end]) )
        {
            for($i=$start; $i<=$end; $i++)
            {
                echo highlightline($lines[$i], $i);
            }
        }
    }
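Both snippets have the same root cause, so one fix serves both: resolve the requested name inside a fixed directory and refuse anything that does not land there. The code below is an added example written for this post, not RIPS project code; the directory layout it builds in the system temp directory, the base-directory name and the function names resolve_source_path() and read_source_lines() are assumptions. It rejects "../" traversal, absolute paths and stream wrappers such as php://filter because realpath() only succeeds for real filesystem entries and the prefix check pins the result under the allowed directory.

```php
<?php
// Added example (not RIPS project code): a confined replacement for the
// unchecked `$lines = file($_GET['file']);` pattern in code.php and function.php.
declare(strict_types=1);

/**
 * Resolve a user-supplied file name to a path inside $baseDir, or return null.
 * Anything that is not an existing regular file under $baseDir is refused.
 */
function resolve_source_path(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Null bytes never belong in a file name.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() canonicalises "..", symlinks and duplicate separators, and
    // fails for non-existent paths and for wrappers like php://filter.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the separator appended so "/srv/scans2" is not mistaken
    // for a child of "/srv/scans".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Read the lines of a confined source file. Returns [] when the request points
 * outside the allowed directory instead of echoing arbitrary files back.
 */
function read_source_lines(string $requested, string $baseDir): array
{
    $path = resolve_source_path($requested, $baseDir);
    return $path === null ? [] : file($path, FILE_IGNORE_NEW_LINES);
}

// Self-check against a constructed directory layout (assumption: temp dir is writable).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
mkdir($root . '/scans/project', 0700, true);
file_put_contents($root . '/scans/project/index.php', "<?php\necho 'ok';\n");
file_put_contents($root . '/secret.txt', "must not be served\n");

$allowed = $root . '/scans';
$cases = [
    'project/index.php'                                            => true,  // in scope
    '../secret.txt'                                                => false, // traversal out of $allowed
    '/etc/passwd'                                                  => false, // absolute path
    'php://filter/convert.base64-encode/resource=project/index.php' => false, // stream wrapper
    'project/../project/index.php'                                 => true,  // traversal that stays inside
];

$failures = 0;
foreach ($cases as $requested => $expectAllowed) {
    $allowedResult = resolve_source_path($requested, $allowed) !== null;
    $status = ($allowedResult === $expectAllowed) ? 'PASS' : 'FAIL';
    if ($status === 'FAIL') {
        $failures++;
    }
    printf("%s  %-64s allowed=%s\n", $status, $requested, $allowedResult ? 'yes' : 'no');
}
printf("lines served for in-scope file: %d\n", count(read_source_lines('project/index.php', $allowed)));

// Clean up the constructed layout.
unlink($root . '/scans/project/index.php');
unlink($root . '/secret.txt');
rmdir($root . '/scans/project');
rmdir($root . '/scans');
rmdir($root);
exit($failures === 0 ? 0 : 1);
```

Run it with the PHP CLI; every case should print PASS and the in-scope file should yield 2 lines. In the RIPS snippets the call would become read_source_lines($_GET['file'], $scanRoot) with $scanRoot set server-side, and an empty result treated as "not found" rather than as an error that leaks the attempted path.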

RIPS also reports these vulnerabilities when run against its own source code.
Someone else may have found this flaw before, since RIPS hasn't been updated in a while, and could be using it to access sensitive data from unsuspecting users.


A note left on the project website reads as follows:

NOTE: RIPS 0.5 development is abandoned. A complete rewrite is in development and used as an academic prototype but it is not publicly available yet. More information about the new version can be found in this paper.


[1] http://rips-scanner.sourceforge.net/

UPDATE:
As mentioned above, someone could already have found this flaw, and indeed they had, as can be seen in the link below:

http://sourceforge.net/p/rips-scanner/bugs/12/

 
Thanks Reiners.
Originally posted on the Conviso Application Security blog – follow us on Twitter @conviso and on Google+