3

We have a simple php file that captures emails. It drops these emails into a csv file (which is not executable by php). We recently had someone who managed to hack our site and this seemed like one of the entry points, but I don't see how it's possible. Here's the script:

<?php
// Appends the raw, unvalidated value of the "email" query parameter to cap.csv.
$fh = fopen('cap.csv', 'a+');
fwrite($fh, "\r".$_GET['email']);
fclose($fh);

Pretty basic, right? Is there any way you can think of to exploit this?

AstroCB
Jeremy
  • May depend on what you are doing with your csv files. – KingCrunch Jun 14 '11 at 13:03
  • Do you use the contents of `cap.csv` anywhere else? – Alin Purcaru Jun 14 '11 at 13:03
  • 3
    How are the e-mails used later on? You never sanitize the input which means anything is possible on read. – Andrew White Jun 14 '11 at 13:03
  • Where is the file located, in a directory accessible from the Web? What is done with the data after it is written to this file? – AJ. Jun 14 '11 at 13:04
  • The CSV files are downloaded manually later on and added to an Excel file. They are never parsed by any other scripts. Also the file does not have read access from the web, but does sit in the web directory. The only access on the file is group write. – Jeremy Jun 14 '11 at 13:05
  • 1
    I can't see a way to use this specific part to gain access to any other part of the site. Interested to see whether anyone comes up with something - otherwise, the problem will be in what is *done* with the data later on. – Pekka Jun 14 '11 at 13:05

4 Answers

3

Yes, but probably not what you are looking for.

The only things I could do are:

  1. Add anything to your file, append only.
  2. (optional/bonus) Open the file directly if you haven't secured it and steal all e-mail addresses.

It won't allow me to execute anything, or gain access to anything though. (Unless you process it and cause a leak somewhere else.) But still - make this secure!

Wesley van Opdorp
  • Okay that's what I was thinking. We just had a guy that was absolutely positive that was the hole and besides annoyance of dumping whatever data they wanted into that file I didn't see any other issues with it. – Jeremy Jun 14 '11 at 13:12
2

The code you have shown us can only be used to put anything in the csv file (I assume you don't verify/validate the $_GET['email'] variable), but you can't inject and execute PHP code that way.

Maybe you have a script that works on the csv file which got exploited.

cweiske
1

The only thing I can think of right now for the given code is a NullByte attack vector (though I'm not sure they work in current versions of PHP anymore or even apply to your code). Since you are using $_GET, any attack via the eMail param should be visible in your server's log files.

Check your Log files for any suspicious email strings, e.g. something like

http://example.com?email=foo\0somethingmalicious

and similar things.

Gordon
0

The code you posted suggests that you do not do much sanitization on the input data. So it's likely that you have similar issues in other parts of the software.

Next to that even if you don't execute the csv file within your application, it is possible to inject PHP code therein.

So if there is another hole in the application that does not properly check input data and that could be exploited to include files on the server and then include that csv file in question, remote code execution is possible.

hakre
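A hardened version of the capture script, added here as an example and not code from the question or any of the answers: it validates the parameter as an e-mail address (which also rejects null bytes and newlines, closing the null-byte and "inject PHP into the CSV" concerns raised above), writes a proper CSV record, and stores the file outside the web root so an include-style hole elsewhere cannot reach it. The storage path is a placeholder, and the formula-prefix guard assumes the later import into Excel mentioned in the comments.

```php
<?php
// Hardened rewrite of the e-mail capture script (added example, not the original code).
// Assumption: $storageDir is a placeholder for a directory that is NOT web-accessible.
$storageDir = '/var/app-data/leads';
$csvPath    = $storageDir . '/cap.csv';

// 1. Validate: accept only a syntactically valid e-mail address.
//    filter_input returns null if the parameter is absent and false if it is invalid;
//    FILTER_VALIDATE_EMAIL rejects control characters such as \0 and \n.
$email = filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
if ($email === null || $email === false || strlen($email) > 254) {
    http_response_code(400);
    exit('invalid email');
}

// 2. Open for append and take an exclusive lock so concurrent requests
//    cannot interleave partial records.
$fh = fopen($csvPath, 'a');
if ($fh === false || !flock($fh, LOCK_EX)) {
    http_response_code(500);
    exit('storage error');
}

// 3. The file is later opened in Excel: a cell starting with = + - or @ would be
//    evaluated as a formula. Those characters are legal in an e-mail local part,
//    so prefix such values with a quote to keep them inert in the spreadsheet.
$cell = preg_match('/^[=+\-@]/', $email) ? "'" . $email : $email;

// 4. fputcsv quotes and escapes the fields, so the value can never break the
//    row structure; a timestamp column helps when reviewing the log later.
fputcsv($fh, [gmdate('c'), $cell]);

flock($fh, LOCK_UN);
fclose($fh);
```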