exploit the possibilities

phpMeta.txt

phpMeta.txt
Posted Dec 30, 2004
Authored by Daniel Fabian

PHP version 4.3.9 is vulnerable to meta character attacks. The bug could enable an attacker to read arbitrary files from the filesystem of a webserver that hosts PHP scripts. In addition PHP versions 4.3.6 until 4.3.9 as well as PHP versions 5.0.0 until 5.0.2 contain a bug that enables an attacker to manipulate the file name of uploaded files to perform directory traversal.

tags | advisory, arbitrary, php
MD5 | 74b268a99f4a6aaefbb8d9e621614730

phpMeta.txt

Change Mirror Download
-------------------------------------------------------------------------
| PHP Input Validation Vulnerabilities |
-------------------------------------------------------------------------

Date: 12-16-2004
Author: Daniel Fabian
Product: PHP
Vendor: PHP (http://www.php.net)
Vendor-Status: vendor contacted
Vendor-Patches: patched versions have been released

~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~

PHP version 4.3.9 is vulnerable to meta character attacks. The bug could
enable an attacker to read arbitrary files from the filesystem of a
webserver that hosts PHP scripts.

In addition PHP versions 4.3.6 until 4.3.9 as well as PHP versions 5.0.0
until 5.0.2 contain a bug that enables an attacker to manipulate the file
name of uploaded files to perform directory traversal.

While both vulnerabilities exist in windows and unix platform versions of
PHP, they can only be successfully exploited on windows systems.


~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been timely informed and has released patched versions of
the software (PHP 4.3.10/PHP 5.0.3). Those can be downloaded from
http://www.php.net


~~~~~~~~
Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~


addslashes() Vulnerability:
---------------------------

Scope:
PHP version 4.3.9 contains a bug in the function addslashes().
addslashes() can be used to sanitize userinput and render it thus
impossible for an attacker to influence scripts by injection meta
characters. In the default configuration, magic_quotes_gpc is set to "On"
which automagically performs addslashes() on every input value. However
because of a bug, the NULL byte is not correctly encoded by addslashes,
enabling an attacker to read arbitrary files from the file system, if user
input is used within include() or require() directives.

Details:
Addslashes should turn a NULL byte (will be written as %00 in this
advisory) into the string "\0" (backslash zero). In version 4.3.9 the
NULL byte is encoded as "\%00" (backslash null byte). Everything after
the NULL byte is ignored in include and require directives so that an
attacker can truncate the name of the file that is included in the PHP
script. The last character however will always be the backslash. As in
Windows the backslash is the path delimitor, this does not matter - the
file named before the backslash is still loaded.


Example:

Consider the following PHP script:

<?
$whatever = addslashes($_REQUEST['whatever']);
include("/path/to/program/" . $whatever . "/header.htm");
?>

A malicious attacker might open the following URL, disclosing the
boot.ini file:

http://localhost/phpscript.php?whatever=../../../../boot.ini%00

The trailing backslash from the escaped \%00 does for some reason not seem
to be of concern to include().



Upload Path Traversion Vulnerability:
-------------------------------------

Scope:
PHP automatically sanitizes the file name of uploaded files removing
everything before the last slash or backslash. This is done in order to
prevent path traversal attacks with uploaded files. However if an attacker
uploads a file containing a single quote and the attacked web server has
magic_quotes turned on (which is default configuration) or performs an
addslashes() directive on the name of the uploaded file, the quote is
prefixed with a backslash. This occurs after PHP checks for backslashes in
the filename. As the backslash is the path delimitor in windows, this
behavior enables an attacker to traverse the path by one directory level.

Example:
If a file with the name "..'file.ext" is uploaded, PHP turns the name to
"..\'file.ext" and the file is uploaded to the directory below of where
the PHP script copies it.


~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to PHP version 4.3.10, respectively 5.0.3.


~~~~~~~~
Timeline
~~~~~~~~~~~~~~~~~~~~~~~~

Oct. 08: Notified vendor of addslashes vulnerability
Oct. 14: Vendor reply
Nov. 02: Notified vendor of upload vulnerability
Nov. 04: Vendor reply
Nov. 20: Problems fixed in CVS
Dec. 14: Release of patched versions 4.3.10/5.0.3


EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

~~~~~~~~
Contact
~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close