what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

14070612.txt

14070612.txt
Posted Jun 13, 2007
Authored by DarkFig | Site acid-root.new.fr

The PHP parse_str() function suffers from an arbitrary variable overwrite issue.

tags | advisory, arbitrary, php
SHA-256 | 0d9ad5e9250b7849f116c5dd0fc42cd6cb2b7fd428f5102e4b0e44f2ec808162

14070612.txt

Change Mirror Download
       Title:    PHP parse_str() arbitrary variable overwrite
Vendor: http://www.php.net/
Advisory: http://www.acid-root.new.fr/advisories/14070612.txt
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Written on: 2007/06/12
Released on: 2007/06/12
Risk level: Medium / High



[I].BACKGROUND

[Quote from php.net] PHP is a popular open-source programming
language used primarily for developing server-side applications
and dynamic web content, and more recently, other software. The
name is a recursive acronym for "PHP: Hypertext Preprocessor".
This is actually a retronym; see history of PHP.[/quote]

While I was coding the new version of phpsploitclass, I was
reading the manual of parse_url(), then I saw the parse_str()
function. I decided to see how it works. During some test that
I did, I discovered a vulnerability which can be exploited to
overwrite some variables.



[II].MANUAL

void parse_str ( string $str [, array &$arr] )

Parses str as if it were the query string passed via a URL and
sets variables in the current scope. If the second parameter arr
is present, variables are stored in this variable as array
elements instead.

Note: Support for the optional second parameter was added in
PHP 4.0.3.

Note: To get the current QUERY_STRING, you may use the variable
$_SERVER['QUERY_STRING']. Also, you may want to read the section
on variables from outside of PHP.

Note: The magic_quotes_gpc setting affects the output of this
function, as parse_str() uses the same mechanism that PHP uses
to populate the $_GET, $_POST, etc. variables.



[III].SOURCE CODE

--- ./ext/standard/string.c ---
4025. /*
4025. {{{ proto void parse_str(string encoded_string [, array result])
4026. Parses GET/POST/COOKIE data and sets global variables
4026. */
4027. PHP_FUNCTION(parse_str)
4028. {
4029. zval **arg;
4030. zval **arrayArg;
4031. zval *sarg;
4032. char *res = NULL;
4033. int argCount;
4034.
4035. argCount = ZEND_NUM_ARGS();
4036. if (argCount < 1 ||
4036. argCount > 2 ||
4036. zend_get_parameters_ex(argCount,&arg,&arrayArg) == FAILURE)
4036. {
####. /* Not enough or too many args */
4037. WRONG_PARAM_COUNT;
4038. }
4039.
4040. convert_to_string_ex(arg);
4041. sarg = *arg;
4042. if (Z_STRVAL_P(sarg) && *Z_STRVAL_P(sarg)) {
4043. res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
4043.
####. /* Allocate Z_STRLEN_P(sarg)+1 bytes of memory and copy
####. Z_STRLEN_P(sarg) bytes from Z_STRVAL_P(sarg) to the
####. newly allocated block */
4044. }
4045.
####. /* parse_str(argv1) */
4046. if (argCount == 1)
4046. {
4047. zval tmp;
4048. Z_ARRVAL(tmp) = EG(active_symbol_table);
4049.
####. /* The problem is here, there is no conditions before setting
####. the variable. If a variable already exists, it will overwrite it */
4049.
4050. sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
4051. }
####. /* parse_str(argv1,argv2) */
4051. else
4051. {
4052. /* Clear out the array that was passed in. */
4053. zval_dtor(*arrayArg);
4054. array_init(*arrayArg);
4055.
4056. sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
4057. }
4058. }



[IV].EXPLANATIONS

As you can see in the manual, the user who want to use this
function is not prevented against overwriting. That's why I
think that overwriting is not wanted, they forgot to check it.
Simple proof of concept:

<?php

# ?var=new
###########
$var = 'init'; #
parse_str($_SERVER['QUERY_STRING']); #
print $var; # new

# ?array[]=new # Array
############## # (
$array = array('init'); # [0] => init
parse_str($_SERVER['QUERY_STRING']); # [1] => new
print_r($array); # )

# ?array=new
############ # Array
$array = array('init'); # (
parse_str($_SERVER['QUERY_STRING'],$array); # [array] => new
print_r($array); # )

?>

This type of vulnerability can open a door to many vulnerabilities,
that's why it's difficult to define the risk level. Unlike extract()
there is no option such as EXTR_SKIP which will define what to do
if there is a collision. So if you want to secure your code, don't
use this function. I didn't contacted the php team but maybe they
will release a fix for this vulnerability.



[V].GREETZ

benjilenoob, ddx39, lorenzo, romano, shaka, sparah.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close