Bug Type: Insecure Caching caused Local File Inclusion from down directories
Script Url: http://hhvm.com/
Buggy File: Cached.php
Status : Fixed
Detailed WriteUp: Hey all 🙂 , Back in April i reported a code bug in facebook HHVM package. It was fixed lately by HHVM Team. If you have no idea what is HHVM then you can follow this link : http://hhvm.com
So following are details : Below is the extracted package of hhvm.
[pastacode lang=”markup” manual=”http%3A%2F%2Flocalhost%3A1337%2Fhhvm%2Fcached.php%3Ff%3Dstyles%252Ftheme-base.css%0A” message=”” highlight=”” provider=”manual”/]
But it doesnt restrict to load only js and css files. Here is code that load file passed in GET parameter “f” .
Now lets try loading some local php file.
[pastacode lang=”markup” manual=”http%3A%2F%2Flocalhost%3A1337%2Fhhvm%2Fcached.php%3Ff%3Dsearch.php%0A” message=”” highlight=”” provider=”manual”/]
In this way we can access the source of any php files that are down the directory, Up directory wont work due to the protection in the code , so we cant access any etc/passwd etc.
This bug is fixed now .
Thanks for reading 🙂