I got this from webhost:

Hello,

The following problem has been reported to us:

> http://www.mydomain.com/system/files?file=images/../../../../../../../et...
>
> returns this:
> ASCII File: images-..-..-..-..-..-..-..-etc-hosts
>
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost
> 209.59.190.2 adonis.site5.com adonis

Please fix this as soon as possible as your script can be exposing sensitive information to malicious parties. Thank you for your prompt attention to this matter.

I have no idea where the problem lies, and how to fix it. I haven't seen this URL anywhere on my site.

Comments

mattm’s picture

I edited my domain name above btw.

Brian@brianpuccio.net’s picture

I have a site that makes use of the image module and tried to view the /etc/hosts file in the same manner in which your webhost did and got a 404 error on the site. I tried a few other files such as /etc/passwd and was unable to view the file contents. I am running Drupal 4.6.1 if that matters.

Emiliano’s picture

Same here: page not found. I'm using Drupal 4.5.x.

Actually, this folder "system" *doesn't even exist*!

I think this is not related to Drupal.

Emiliano.

vwX’s picture

function file_create_url($path) {
  if (strpos($path, variable_get('file_directory_path', 'files')) !== false) {
    $path = trim(substr($path, strlen(variable_get('file_directory_path', 'files'))), '\\/');
  }
  switch (variable_get('file_downloads', FILE_DOWNLOADS_PUBLIC)) {
    case FILE_DOWNLOADS_PUBLIC:
      return $GLOBALS['base_url'] .'/'. variable_get('file_directory_path', 'files') .'/'. str_replace('\\', '/', $path);
    case FILE_DOWNLOADS_PRIVATE:
      return url('system/files', 'file='. $path);
  }
}

Notice the last return line.

Tested on 4.5 with and without register globals set and cannot reproduce. Perhaps this person's host is misconfigured.

Have fun and check my Drupal Profile: http://drupal.org/user/519

Emiliano’s picture

Hummm... ok, I got it.

I don't have this "system" folder because I always set file download as public.

Thanks,

Emiliano
http://www.novayork.com

Brian@brianpuccio.net’s picture

I agree, I do believe this is a misconfiguration. If the OP could let us know the config, it might help.

mattm’s picture

What exactly do you need to know?

I have my downloads set to private.
My drupal version is 4.6 with the latest security fix applied to the user module

vwX’s picture

Is your .htaccess default? What are the settings in your configuration? Web server, OS, PHP version are good starts.

Have fun and check my Drupal Profile: http://drupal.org/user/519

mattm’s picture

Webhost info: http://209.59.190.2/
Server Hardware Specifications
Processors: Dual Pentium 4 Xeon 2.8 GHz w/ 1 MB cache & HyperThreading Technology
Memory: Minimum of 2 GB DDR ECC
Disk Drives: 2 x 200 GB SATA - 7,200 RPM 8 MB Cache
Connectivity: 2 x 10/100/1000 Intel Network Interface Cards
Operating system CentOS 4 Linux using the 2.6 kernel (enhanced by Site5 through custom security and performance modifications)
Webserver software: Apache 1.3.x
PHP version: 4.3.x (latest stable release)
MySQL version: 4.0.x
More details: Click http://metis.site5.com/info.php to see the output of phpinfo().

My htaccess file is the default one with some settings to prevent sessids in the urls.
Contents of htaccess file:

#
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.
<Files ~ "(\.(inc|module|pl|sh|sql|theme|engine|xtmpl)|Entries|Repositories|Root|scripts|updates)$">
  Order deny,allow
  Deny from all
</Files>

# Set some options.
Options -Indexes
Options +FollowSymLinks

# Customized error messages.
ErrorDocument 404 /index.php

# Set the default handler.
DirectoryIndex index.php

# Override PHP settings. More exist in sites/default/settings.php, but
# the following cannot be changed at runtime. The first IfModule is
# for Apache 1.3, the second for Apache 2.
<IfModule mod_php4.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value session.use_trans_sid           0
  php_value session.use_only_cookies        1
</IfModule>

<IfModule sapi_apache2.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value session.use_trans_sid           0
  php_value session.use_only_cookies        1
</IfModule>

# Reduce the time dynamically generated pages are cache-able.
<IfModule mod_expires.c>
  ExpiresByType text/html A1
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

  # Modify the RewriteBase if you are using Drupal in a subdirectory and
  # the rewrite rules are not working properly.
  #RewriteBase /drupal

  # Rewrite old-style URLs of the form 'node.php?id=x'.
  #RewriteCond %{REQUEST_FILENAME} !-f
  #RewriteCond %{REQUEST_FILENAME} !-d
  #RewriteCond %{QUERY_STRING} ^id=([^&]+)$
  #RewriteRule node.php index.php?q=node/view/%1 [L]

  # Rewrite old-style URLs of the form 'module.php?mod=x'.
  #RewriteCond %{REQUEST_FILENAME} !-f
  #RewriteCond %{REQUEST_FILENAME} !-d
  #RewriteCond %{QUERY_STRING} ^mod=([^&]+)$
  #RewriteRule module.php index.php?q=%1 [L]

  # Rewrite current-style URLs of the form 'index.php?q=x'.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>

# $Id: .htaccess,v 1.66 2005/03/20 19:15:00 dries Exp $

<Files 403.shtml>
order allow,deny
allow from all
</Files>

vwX’s picture

Did you create the files directory in your document root? Which modules do you have installed and enabled? Which drupal version btw.

What I have found is that if you do not have a files directory and you have set drupal to handle file downloads, the file_exists function returns true for ?file=image/../../.. type entries. Without a files directory file_create_path returns the value of $_GET['file'] unmodified. With a files directory it prepends files to the path.

Even when I move my files directory my drupal install doesn't give me the /etc/hosts file so I'm wondering which extra module that has a file_download hook is. Until then try creating a files directory if you don't have one.

Have fun and check my Drupal Profile: http://drupal.org/user/519
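
The behaviour described in the comment above (the request value reaching the filesystem unmodified when the files directory is missing) is the case a canonicalize-then-contain check is meant to catch. The following is an added example, not Drupal's code and not posted by anyone in this thread; `resolve_private_file()` and the temporary demo tree are hypothetical:

```php
<?php
// Added example, not Drupal code; resolve_private_file() and the demo paths are hypothetical.
// Returns the canonical path of a file inside $base_dir, or false to refuse the request.
function resolve_private_file($base_dir, $requested) {
  // A missing base directory means refuse, never fall back to the raw request value.
  $base = realpath($base_dir);
  if ($base === false || !is_dir($base)) {
    return false;
  }
  // Reject non-strings, empty values, NUL bytes and absolute paths up front.
  if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false
      || $requested[0] === '/' || $requested[0] === '\\') {
    return false;
  }
  // realpath() collapses "../" and symlinks; it returns false if the target does not exist.
  $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
  if ($target === false || !is_file($target)) {
    return false;
  }
  // Containment: the canonical target must sit below the canonical base. The trailing
  // separator keeps a sibling such as "files-old" from matching the prefix "files".
  $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
  if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
    return false;
  }
  return $target;
}

// Constructed demo tree: one file inside "files", one outside it.
$root = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
mkdir("$root/files/images", 0700, true);
file_put_contents("$root/files/images/logo.txt", "public asset\n");
file_put_contents("$root/secret.txt", "outside the files directory\n");

$cases = array(
  'images/logo.txt',
  'images/../../secret.txt',  // constructed; same shape as the reported request
  '/etc/hosts',
);
foreach ($cases as $c) {
  $r = resolve_private_file("$root/files", $c);
  printf("%-26s => %s\n", $c, $r === false ? 'refused' : 'served');
}
// With the base directory missing, the same request is still refused.
$r = resolve_private_file("$root/no-such-dir", 'images/../../secret.txt');
printf("%-26s => %s\n", 'missing base dir', $r === false ? 'refused' : 'served');
```

The comparison is done on canonical paths on both sides, so a symlinked temp or files directory does not cause false refusals or false matches.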

killes@www.drop.org’s picture

There was a bug in the flexinode module that was fixed several weeks ago.

walkah’s picture

first off, this would be a file.inc issue not an image.module.

probably more important than your server config - what version of drupal are you running? please upgrade to 4.6.1 if you have not done so already.

--
James Walker :: http://walkah.net/