Last week I shared a weird behavior of FreeBSD on sla.ckers.org about a directory listing with PHP file functions and Apache.
The following 3 PHP codes will output a garbled directory listing of the current directory:
view sourceprint?
1 echo file_get_contents("./");
2 $a=file("./");print_r($a);
3 readfile("./");
While those file functions should only return content of a valid file, its possible to get a directory listing under FreeBSD. So exploiting a vulnerable script like the following becomes far more easy for an attacker, because he does not have to know the names of the files he can retrieve.
I guess it has something to do with the weird BSD file system, but I dont know yet. At least this does not work on any other platforms like ubuntu or windows (I havent checked OpenBSD yet). If someone knows more about this strange dirlist please leave a comment.
Read the whole story complete with source code at http://websec.wordpress.com/2009/11/28/freebsd-directory-listing-with-php-file-functions/
