Facebook HHVM Insecure File Caching via cached.php

Bug Type: Insecure Caching caused Local File Inclusion from down directories
Script Url: http://hhvm.com/
Buggy File: Cached.php
Status : Fixed

Detailed WriteUp: Hey all 🙂 , Back in April i reported a code bug in facebook HHVM package. It was fixed lately by HHVM Team. If you have no idea what is HHVM then you can follow this link : http://hhvm.com
So following are details : Below is the extracted package of hhvm.

Cached.php file is used to cache javascript and css files . Example:

[pastacode lang=”markup” manual=”http%3A%2F%2Flocalhost%3A1337%2Fhhvm%2Fcached.php%3Ff%3Dstyles%252Ftheme-base.css%0A” message=”” highlight=”” provider=”manual”/]

But it doesnt restrict to load only js and css files. Here is code that load file passed in GET parameter “f” .

Now lets try loading some local php file.

[pastacode lang=”markup” manual=”http%3A%2F%2Flocalhost%3A1337%2Fhhvm%2Fcached.php%3Ff%3Dsearch.php%0A” message=”” highlight=”” provider=”manual”/]

In this way we can access the source of any php files that are down the directory, Up directory wont work due to the protection in the code , so we cant access any etc/passwd etc.
Facebook replies

This bug is fixed now .
Thanks for reading 🙂

(Visited 6 times, 1 visits today)

Leave A Comment

Your email address will not be published. Required fields are marked *