exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHP 5.3 preg_match() Path Disclosure

PHP 5.3 preg_match() Path Disclosure
Posted Sep 29, 2009
Authored by David "Aesthetico" Vieira-Kurz | Site majorsecurity.de

PHP versions 5.3 and below suffer from a preg_match() related full path disclosure vulnerability.

tags | advisory, php
SHA-256 | 110571519c8b75cd916edb69f611cef30e2fd5a456fc1a9922580caa97fe25a7

PHP 5.3 preg_match() Path Disclosure

Change Mirror Download
[MajorSecurity Advisory #57]PHP <=5.3 - preg_match() full path disclosure

Details
=======
Product: PHP <=5.3
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.php.net/
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.info

Affected Products:
----------------------------
PHP 5.3 and prior
PHP 5.2.11 and prior

Original Advisory:
============
http://www.majorsecurity.info/index_2.php?major_rls=major_rls57

Introduction
============
"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."
- from php.net

More Details
============
1. Full Path Disclosure
-----------------------------------
There is a full path disclosure vulnerability concerning the
preg_match() php function which allow attackers to
gather the real path of the server side script.

The preg_match() PHP function takes strings as parameters and will raise
warnings when values that are passed are arrays rather then strings.
To get the path of the current script, you simply need to pass the
arguments as arrays rather then expected strings
and then simply read the warning message generated by PHP to see the
error including the full path of the current running script.

Proof of concept:
http://localhost/cms/modules/system/admin.php?fct=users&op[]=

Warning: preg_match() expects parameter 2 to be string, array given in
/htdocs/cms/include/common.php on line 105

Solution
================
I would NOT recommend to just react by "security through obscurity" and
turn off the error messages, error reporting etc.
This is not a solution because there are a lot of users that are having
a shared hosting server where they aren't able to manipulate
the "php.ini" configuration file - even ini_set() is forbidden on some
shared hoster servers.
So they still would have the full path disclosure there.

Workaround
================
I would recommend to meticulously go through the code forcing PHP to
cast the data to the desired type, in this case the (string) casts
to eliminate the Notice or Warning messages.

Example:
<?PHP
if(isset($_GET['page'])) {
if (is_array($page = $_GET['page'])) {

$casted = (string)$page;
} else {
$page = htmlspecialchars($_GET['page'],ENT_QUOTES,'UTF-8');
validate_alpha($page);
}
}
function validate_alpha($page) {
return preg_match("/^[A-Za-z0-9_-]+$/ ", $page);
} ?>

Vendor communication
================
The PHP Developer team has been informed that there is this vulnerability.

MajorSecurity
================
MajorSecurity is a German penetrationtesting and security research
company which focuses on web application security. We offer professional
penetrationtestings, security audits,
source code reviews and reliable proof of concepts.
You will find more Information about MajorSecurity at
http://www.majorsecurity.info/
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close