-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: Yawp/YaWiki Remote URL Include Vulnerability Release Date: 2005/07/12 Last Modified: 2005/07/12 Author: Stefan Esser [sesser@hardened-php.net] Application: Yawp <= 1.0.6 Severity: A global variable can be overwritten which leads to a remote URL include vulnerability under some conditions Risk: Critical Vendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory-102005.php Overview: Quote from http://phpyawp.com/yawiki/ "Yawp is Yet Another Web Programming foundation for PHP applications. It is one of the easiest "frameworks" you will ever see for PHP (even though it's not really a framework). Yawp attempts to enhance your own style of programming, not impose a programming method on you." A very quick glimpse on the source of Yawp showed that the default way to use this library is vulnerable to a remote URL inclusion vulnerability when running under PHP5, with register_globals and allow_url_fopen turned on. One of the applications that use Yawp in this unsafe way is YaWiki from the same author. Details: When the Yawp library is started it can be called with a path to a config file. When this config file is omitted it defaults to a config file in document root. This behaviour can be overwritten by setting the global variable _Yawp['conf_path']. When register_globals is turned on, it is possible to set this variable f.e. through the URL to an arbitrary config file. There is a check with file_exists() and therefore it is not possible to put a remote URL into this for PHP4. However, with PHP5 stat() support was added to the FTP URL wrapper and therefore it is possible to exploit this on PHP5 servers by setting the variable to a config file lying on any FTP server. Within this config file it is possible to specify f.e. what PHP files should be included when the framework is started. Because this include is not protected by anything it is possible to include any remote URL (unless your server runs our Hardening-Patch) or any file reachable by the webserver. Proof of Concept: The Hardened-PHP Project is not going to release an exploit for this vulnerability to the public. Disclosure Timeline: 12. July 2005 - Vendor contacted 12. July 2005 - Vendor releases bugfixed version 12. July 2005 - Public disclosure Recommendation: We strongly recommend to upgrade to the vendor supplied new version Yawp 1.1.0 http://phpyawp.com/Yawp-1.1.0.tgz GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2005 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFC1BCiRDkUzAqGSqERApOzAJ9vtPhLO/oQWspZrVIg3+jps5Y3ZgCgkMZ9 NsWhok/j+txFCBFwvrXMx34= =enNp -----END PGP SIGNATURE-----