HTTP Source Streaming.

Okay, this isn't new, but I never got around to writing about it here. HTTP source streaming is a very basic technique, yet not every programmer has understood its principle, and the underlying security mistake is still common. Some pages need to stream a file from the server to the client. The problem arises when the script takes a file name (or path) straight from the request and opens it, instead of looking up a stored file reference by an opaque identifier. The query string is the wrong place for a server-side path: it should carry an ID that the application maps to a file, never the file itself. In most other write-ups you will find the same issue under the names arbitrary file read, local file inclusion or directory traversal. This is one of the first techniques I learned, back when I started learning about web application vulnerabilities; on one occasion it gave me full root access to a very famous switch manufacturer from which I wanted to obtain information. After all these years I am still stunned that it works on so many websites, which is my reason for rehashing it.

A simple explanation:

www.example.com/download.php?file=newsletter.PDF

That is a bad sign: the request names the file directly, so the script is likely vulnerable to HTTP source streaming in the following way:

www.example.com/download.php?file=download.php
www.example.com/download.php?file=config.php
www.example.com/download.php?file=../etc/passwd%00

Each of those usually streams the requested file to the screen: download.php returns its own source, config.php gives up the database or FTP credentials it contains, and the last one walks out of the download directory into the system. The source comes back verbatim because the script opens the file as data (readfile(), fopen(), file_get_contents()); had it used include() instead, the same parameter would give code execution rather than source disclosure. Two practical notes: a single ../ rarely reaches /etc from a web root, so stack as many as needed (../../../../etc/passwd), since extra ones past / are ignored; and the trailing %00 is there to defeat scripts that append an extension, because PHP before 5.3.4 handed the path to C functions that stop at the first NUL byte (later versions reject such paths outright). Easy stuff, but dangerous, so if you are bored, go try it out. Finding vulnerable sites is as easy as a Google dork; one of them can look like this:

http://www.google.com/search?q=allinurl:download.php?file=
http://www.google.com/search?q=allinurl:download.php?file= .pdf

Which, at the time of writing, gave at least about 250,000 potential victims. Pretty sad, eh?

http://monitory.eactive.pl/download.php?p=download.php

A sample link from the first 20 search results (the parameter is named p= here rather than file=; the name varies from site to site, the pattern does not), and we still wonder why so many servers get hacked. We could easily aggregate around 10K zombies this way in a weekend. But we don't; that is the difference.
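Since the post only shows the attack, here is what the fixed script looks like. This is an added example written for this page, not code from secgeeks or from any of the sites above; it assumes the downloads live in a directory outside the web root (/var/www/files here, a hypothetical path) and that the page links to them by an ID (download.php?id=newsletter-2009-03) rather than by name. The vulnerable original is kept as a comment at the top for contrast.

```php
<?php
// Added example for this page, not code from the original post or any site it names.
//
// The pattern the post attacks, in its simplest form:
//
//     $file = $_GET['file'];
//     readfile('files/' . $file);    // ?file=../../../etc/passwd reads /etc/passwd
//
// Below is a replacement that never lets the request choose a path.
// Assumptions (hypothetical): downloads live in /var/www/files, outside the
// web root, and links look like download.php?id=newsletter-2009-03.

declare(strict_types=1);

const DOWNLOAD_DIR = '/var/www/files';

// The only files this script will ever serve, keyed by an opaque ID.
// A real application would load this map from its database.
const DOWNLOADS = [
    'newsletter-2009-03' => ['name' => 'newsletter.pdf', 'mime' => 'application/pdf'],
    'price-list'         => ['name' => 'prices.pdf',     'mime' => 'application/pdf'],
];

/**
 * Map a download ID to an absolute path inside DOWNLOAD_DIR, or null.
 *
 * The allowlist already fixes the file name, but the realpath() containment
 * check is kept as defence in depth: if someone later stores user-supplied
 * names in the map, '..' and symlink tricks are still caught here.
 */
function resolve_download(string $id): ?array
{
    if (!isset(DOWNLOADS[$id])) {
        return null;                                   // unknown ID
    }
    $entry = DOWNLOADS[$id];
    $base  = realpath(DOWNLOAD_DIR);
    $path  = realpath(DOWNLOAD_DIR . DIRECTORY_SEPARATOR . $entry['name']);
    if ($base === false || $path === false) {
        return null;                                   // directory or file missing
    }
    // realpath() has resolved every '..' and symlink; the result must still
    // sit below the download directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return ['path' => $path, 'name' => $entry['name'], 'mime' => $entry['mime']];
}

$id = $_GET['id'] ?? '';

// Reject anything that is not a plain ID (including ?id[]=...) before it
// touches the filesystem.
if (!is_string($id)
    || preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id) !== 1
    || ($dl = resolve_download($id)) === null) {
    http_response_code(404);
    exit('No such download');
}

header('Content-Type: ' . $dl['mime']);
header('Content-Disposition: attachment; filename="' . $dl['name'] . '"');
header('Content-Length: ' . (string) filesize($dl['path']));
readfile($dl['path']);
```

The point is the indirection: the request carries an ID and the server decides the path. Stripping ../ or blocking %00 from a user-supplied file name is the weaker fix, because every encoding the filter misses becomes a new bypass; with an allowlist there is no file name to filter, and the realpath() check is only there to catch a future mistake in how the map is filled.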


Trackback URL for this post:

http://www.secgeeks.com/trackback/1751