ALBERT

All Library Books, journals and Electronic Records Telegrafenberg

  • 1
    Publication Date: 2016-03-29
    Description: The file download vulnerability, which exposes a web server's local filesystem to the public, is among the most serious security threats on the web. Exploiting this vulnerability can have disastrous consequences, including but not limited to system intrusion, database intrusion and even the leakage of massive amounts of confidential documents. Although the file download vulnerability has been known in the literature for a long time, a comprehensive study of its exploitability in the wild is still lacking. In this paper, we survey the landscape of file download vulnerabilities across different countries and domains and, more importantly, examine their exploitability from a hacker's perspective. We reveal the weak protection against this vulnerability on today's web and confirm its wide exploitability. To demonstrate the serious consequences, we present two real-world intrusion case studies: one is a system intrusion against a Chinese government website, and the other is a database intrusion targeting a Chinese industrial service. Our intrusion cases have been confirmed as severe security events by CNCERT (an official security agency in China). Finally, we explore the root cause of this weak protection by analyzing the perils and pitfalls of existing defense solutions, and thereby propose a new enhancement. The basic idea is to deploy a mandatory access control mechanism in the server-side script engine kernel, so as to isolate the files managed by the web server from the local filesystem. We have implemented security-enhanced PHP (SEPHP), a prototype of our new solution built by modifying the source code of the PHP5 script engine, and have evaluated the performance overhead induced by SEPHP in a real-world web setting.
    Print ISSN: 0010-4620
    Electronic ISSN: 1460-2067
    Topics: Computer Science