-view-php-3A-2F-2Ffilter-2Fread-3Dconvert.base64 encode-2Fresource-3D-2Froot-2F.aws-2Fcredentials

Security Incident Report

Understanding the Mysterious URL: view.php with php://filter/read=convert.base64-encode/resource=/root/.aws/credentials

  • php:// is a PHP stream wrapper that gives access to various I/O streams. php://filter is the variant that applies one or more stream filters to a resource while it is read or written; it works on local files and needs no php.ini setting to be enabled.
  • The 3A, 2F and 3D sequences are URL-encoded characters (%3A = :, %2F = /, %3D = =). Decoded, the value is: php://filter/read=convert.base64-encode/resource=/root/.aws/credentials.
  • read=convert.base64-encode names the filter applied on read and resource= names the file it is applied to, so the response carries /root/.aws/credentials as a base64 string that the attacker decodes offline.
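The decoding described above, as an added example that is not part of the original report: it undoes the percent-encoding, splits the php://filter value into its filter chain and target resource, and flags such requests in constructed access-log lines. The parameter name "file", the client addresses, the timestamps and the response body are assumptions made for the illustration.

```php
<?php
// Added example for this report, not code from the original page. It decodes the observed
// payload, splits the php://filter chain into its parts and flags such requests in constructed
// access-log lines. The parameter name "file", client addresses and timestamps are assumptions.

/**
 * Parse a php://filter URL into its filter chain and target resource.
 * Returns null when the value is not a php://filter URL.
 */
function parsePhpFilterUrl(string $value): ?array
{
    // Undo percent-encoding; repeat so that double-encoded input (%253A) also decodes.
    for ($i = 0; $i < 3 && preg_match('/%[0-9a-fA-F]{2}/', $value); $i++) {
        $value = rawurldecode($value);
    }
    if (!preg_match('#^php://filter/(.*?)/?resource=(.+)$#i', $value, $m)) {
        return null;
    }
    $chain = [];
    foreach (array_filter(explode('/', $m[1])) as $segment) {
        // A segment is read=f1|f2, write=f1|f2, or a bare filter name that applies to both.
        $mode = 'both';
        if (preg_match('/^(read|write)=(.*)$/i', $segment, $f)) {
            $mode = strtolower($f[1]);
            $segment = $f[2];
        }
        foreach (explode('|', $segment) as $filter) {
            $chain[] = ['mode' => $mode, 'filter' => $filter];
        }
    }
    return ['chain' => $chain, 'resource' => $m[2]];
}

// Combined-log-format lines constructed for this example; 203.0.113.0/24 is a documentation range.
const SAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /view.php?file=welcome HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:00:07 +0000] "GET /view.php?file=php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D%2Froot%2F.aws%2Fcredentials HTTP/1.1" 200 188
203.0.113.9 - - [10/Jan/2024:10:02:30 +0000] "GET /view.php?file=terms HTTP/1.1" 200 2048
LOG;

/** One finding per request whose query string carries a php://filter payload. */
function findFilterRequests(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        // parse_str() percent-decodes once; parsePhpFilterUrl() handles any further layers.
        parse_str((string) parse_url($m[2], PHP_URL_QUERY), $params);
        foreach ($params as $name => $value) {
            if (is_string($value) && ($parsed = parsePhpFilterUrl($value)) !== null) {
                $findings[] = ['client' => $m[1], 'param' => $name] + $parsed;
            }
        }
    }
    return $findings;
}

/**
 * Recover the exfiltrated file from a response body: the filter returns base64, usually
 * embedded in the page's HTML, so take the longest base64-looking run and decode it strictly.
 */
function decodeExfiltratedBody(string $body): ?string
{
    if (!preg_match_all('#[A-Za-z0-9+/]{16,}={0,2}#', $body, $runs)) {
        return null;
    }
    usort($runs[0], fn($a, $b) => strlen($b) <=> strlen($a));
    $decoded = base64_decode($runs[0][0], true);
    return $decoded === false ? null : $decoded;
}

// Walk the constructed log, then decode a constructed response body that wraps the base64
// in HTML the way view.php would (the key value is AWS's documented example key ID).
foreach (findFilterRequests(SAMPLE_ACCESS_LOG) as $hit) {
    printf("%s param=%s resource=%s filters=%s\n", $hit['client'], $hit['param'],
        $hit['resource'], implode(',', array_column($hit['chain'], 'filter')));
}
$body = '<html><body><pre>'
    . base64_encode("[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    . '</pre></body></html>';
echo decodeExfiltratedBody($body);
```

The decoder loops over rawurldecode() because attackers double-encode to get past filters that inspect the raw query string; the log walker relies on parse_str() for the first layer only, so a single-encoded and a double-encoded payload both produce a finding with the same resource.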

The target file: /root/.aws/credentials

This is the shared credentials file read by the AWS CLI and SDKs (boto3 included) on Unix/Linux systems. When those tools are configured for the root user, or any other highly privileged account, the file holds that account's AWS Access Key ID and Secret Access Key in plaintext, in INI-style profile sections. Under /root the file is normally readable only by root, so a successful read through the web application also tells the responder that the PHP process runs as root or otherwise has access to root's home directory.

What the request does

The request is a Local File Inclusion (LFI) attack that uses the php://filter stream wrapper with the convert.base64-encode filter to read /root/.aws/credentials and return it base64-encoded in the response [1]. The encoding is what makes the technique reliable: if the parameter reaches include or require, the raw file would be interpreted as PHP instead of being returned, and the base64 form survives the HTML around it intact. With the Access Key ID and Secret Access Key in hand the attacker holds the same AWS permissions as the compromised host, which can mean full compromise of the cloud environment. Disabling allow_url_include does not stop this payload: that directive governs remote wrappers (http://, ftp://) and php://input or data:// in include statements, while php://filter is a local wrapper that stays available. The mitigation is strict validation of the file parameter, and the incident response is immediate rotation of the exposed keys and a review of CloudTrail for their use.

Tools used to find and exploit LFI through PHP filters

  • Burp Suite – Intruder with payload lists of PHP wrappers and filter chains.
  • ffuf – fuzzing parameter names and paths for LFI.
  • LFISuite – automates LFI exploitation, including extraction through php://filter.

Mitigation

  1. Restrict stream wrappers: in php.ini, disable allow_url_fopen and allow_url_include to block remote wrappers. This does not disable php://filter, so it is a hardening step rather than the fix for this attack. Set open_basedir to the application's directories so that even a wrapper-based read cannot reach /root.
  2. Sanitize user input: never trust user input. If a file path is expected, validate it strictly, for example against a whitelist of permitted file names; basename() strips directory components but is a weak substitute for a whitelist.
  3. Use a whitelist mapping: instead of letting users specify a path at all, map an opaque ID to a specific file on the server and reject anything not in the map.
  4. Run PHP with least privilege: a web application should never run as root, and AWS credentials on a web host belong in an instance role or a non-root service account, not in /root/.aws/credentials.
  5. Treat the keys as compromised: rotate the Access Key ID and Secret Access Key, then review CloudTrail for activity performed with them.
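A hypothetical view.php showing the vulnerable pattern next to the ID-to-file mapping from the mitigation list, as an added example rather than code from the original report. The parameter names, the pages directory and the constructed credentials file (using AWS's documented example key values) are assumptions.

```php
<?php
// Added example, not the original report's code. A hypothetical view.php that shows the
// vulnerable pattern beside the ID-to-file mapping recommended in the mitigation list.
// Parameter names, the pages directory and the sample secret are assumptions.

// VULNERABLE: the request value reaches a filesystem function unchanged. file_get_contents(),
// include and require all understand stream wrappers, so
//   file=php://filter/read=convert.base64-encode/resource=/root/.aws/credentials
// returns the base64-encoded file whenever the PHP process can read it. allow_url_fopen and
// allow_url_include do not change this: php://filter is a local wrapper, not a remote one.
function viewVulnerable(string $file): ?string
{
    $data = @file_get_contents($file);
    return $data === false ? null : $data;
}

// HARDENED: the client sends an ID, the server owns the mapping. The wrapper, the filter
// chain and the path never come from the request, so there is nothing to smuggle.
const PAGES = [
    'welcome' => 'welcome.txt',
    'terms'   => 'terms.txt',
];

function viewHardened(string $id, string $pagesDir): ?string
{
    if (!isset(PAGES[$id])) {
        return null;                                  // unknown ID: answer 404 in the handler
    }
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . DIRECTORY_SEPARATOR . PAGES[$id]);
    // Defence in depth: the resolved path must still sit inside the pages directory, even if
    // a file on disk is later replaced by a symlink pointing elsewhere.
    if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $data = file_get_contents($real);
    return $data === false ? null : $data;
}

// Self-contained demonstration against a constructed secret file standing in for
// /root/.aws/credentials; the key values are AWS's documented example credentials.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($dir . '/pages', 0700, true);
    file_put_contents($dir . '/pages/welcome.txt', "Welcome page\n");
    file_put_contents($dir . '/credentials',
        "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        . "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n");

    $payload = 'php://filter/read=convert.base64-encode/resource=' . $dir . '/credentials';

    return [
        'vulnerable'       => base64_decode(viewVulnerable($payload) ?? ''), // the secret file comes back
        'hardened_payload' => viewHardened($payload, $dir . '/pages'),       // rejected: not a mapped ID
        'hardened_welcome' => viewHardened('welcome', $dir . '/pages'),      // the mapped page is served
    ];
}

print_r(demo());
```

The hardened handler never concatenates request data into a path: the only thing the client can influence is which key of PAGES is looked up, and a value that is not a key is refused before any filesystem call. The realpath() check is there for the case where the mapped file itself is later tampered with on disk.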

Step 1: Ensure Access and Validation

