exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHP 5.3 preg_match() Path Disclosure

PHP 5.3 preg_match() Path Disclosure
Posted Sep 29, 2009
Authored by David "Aesthetico" Vieira-Kurz | Site majorsecurity.de

PHP versions 5.3 and below suffer from a preg_match() related full path disclosure vulnerability.

tags | advisory, php
SHA-256 | 110571519c8b75cd916edb69f611cef30e2fd5a456fc1a9922580caa97fe25a7

PHP 5.3 preg_match() Path Disclosure

Change Mirror Download
[MajorSecurity Advisory #57]PHP <=5.3 - preg_match() full path disclosure

Details
=======
Product: PHP <=5.3
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.php.net/
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.info

Affected Products:
----------------------------
PHP 5.3 and prior
PHP 5.2.11 and prior

Original Advisory:
============
http://www.majorsecurity.info/index_2.php?major_rls=major_rls57

Introduction
============
"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."
- from php.net

More Details
============
1. Full Path Disclosure
-----------------------------------
There is a full path disclosure vulnerability concerning the
preg_match() php function which allow attackers to
gather the real path of the server side script.

The preg_match() PHP function takes strings as parameters and will raise
warnings when values that are passed are arrays rather then strings.
To get the path of the current script, you simply need to pass the
arguments as arrays rather then expected strings
and then simply read the warning message generated by PHP to see the
error including the full path of the current running script.

Proof of concept:
http://localhost/cms/modules/system/admin.php?fct=users&op[]=

Warning: preg_match() expects parameter 2 to be string, array given in
/htdocs/cms/include/common.php on line 105

Solution
================
I would NOT recommend to just react by "security through obscurity" and
turn off the error messages, error reporting etc.
This is not a solution because there are a lot of users that are having
a shared hosting server where they aren't able to manipulate
the "php.ini" configuration file - even ini_set() is forbidden on some
shared hoster servers.
So they still would have the full path disclosure there.

Workaround
================
I would recommend to meticulously go through the code forcing PHP to
cast the data to the desired type, in this case the (string) casts
to eliminate the Notice or Warning messages.

Example:
<?PHP
if(isset($_GET['page'])) {
if (is_array($page = $_GET['page'])) {

$casted = (string)$page;
} else {
$page = htmlspecialchars($_GET['page'],ENT_QUOTES,'UTF-8');
validate_alpha($page);
}
}
function validate_alpha($page) {
return preg_match("/^[A-Za-z0-9_-]+$/ ", $page);
} ?>

Vendor communication
================
The PHP Developer team has been informed that there is this vulnerability.

MajorSecurity
================
MajorSecurity is a German penetrationtesting and security research
company which focuses on web application security. We offer professional
penetrationtestings, security audits,
source code reviews and reliable proof of concepts.
You will find more Information about MajorSecurity at
http://www.majorsecurity.info/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close