SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Bug Lets Remote Users Overwrite the $GLOBALS Array
SecurityTracker Alert ID:  1015129
SecurityTracker URL:  http://securitytracker.com/id/1015129
CVE Reference:   CVE-2005-3390   (Links to External Site)
Updated:  Nov 10 2005
Original Entry Date:  Nov 1 2005
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4 - 4.4.0, 5 - 5.0.5
Description:   A vulnerability was reported in Php. A remote user may be able to overwrite variables to potentially execute arbitrary code on the target system.

A remote user can send a multipart/form-data POST request containing a fileupload field with the name 'GLOBALS' to cause the $GLOBALS array to be overwritten. In some situations, this may allow a remote user to execute arbitrary PHP code on the target system. The specific impact depends on the PHP applications.

Additional information is available in a paper at:

http://www.hardened-php.net/globals-problem

Stefan Esser of the Hardened-PHP Project reported this vulnerabilities.

The original advisory is available at:

http://www.hardened-php.net/advisory_202005.79.html

Impact:   A remote user may be able to overwrite variables to potentially execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (4.4.1), available at:

http://www.php.net/downloads.php#v4

No solution was available at the time of this entry for PHP 5.

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 10 2005 (Red Hat Issues Fix) PHP Bug Lets Remote Users Overwrite the $GLOBALS Array
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Nov 11 2005 (Red Hat Issues Fix) PHP Bug Lets Remote Users Overwrite the $GLOBALS Array
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.



 Source Message Contents

Subject:  Advisory 20/2005: PHP File-Upload $GLOBALS Overwrite Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: PHP File-Upload $GLOBALS Overwrite Vulnerability
 Release Date: 2005/10/31
Last Modified: 2005/10/31
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PHP4 <= 4.4.0
               PHP5 <= 5.0.5
     Severity: $GLOBALS overwrite can lead to unexpected behaviour
               of PHP applications, which can lead to execution of
               remote PHP code in many situations
         Risk: Critical
Vendor Status: Vendor has released a bugfixed PHP 4 version
   References: http://www.hardened-php.net/advisory_202005.79.html
               http://www.hardened-php.net/globals-problem


Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of the Hardening-Patch which adds security 
   hardening features to the PHP codebase, several vulnerabilities 
   within PHP were discovered. This advisory describes one of these 
   flaws concerning a weakness in the file upload code, that allows
   overwriting the GLOBALS array when register_globals is turned on.
   Overwriting this array can lead to unexpected security holes in
   code assumed secure.

   This vulnerability has consequences for a lot of PHP applications
   f.e. everything based on PEAR.php and vBulletin. And can lead to
   remote PHP code execution.
   
   For a detailed explanation of the $GLOBALS overwrite problem, have
   a look at the following article which describes it in more detail:
   
   http://www.hardened-php.net/globals-problem


Details:

   In PHP 4.3.11 some code was added to disallow overwriting the
   $GLOBALS array when register_globals is turned on. Unfortunately
   there was a hole in this protection. The introduced code did only
   affect the globalisation of the GET, POST and COOKIE variables.
   However it was overseen, that the rfc1867 file upload code within
   PHP also registers global variables, which can be used by an
   attacker to overwrite the $GLOBALS array by simply sending a
   multipart/form-data POST request containing a fileupload field
   with the name 'GLOBALS'.
   
   Until now it was not realised, how dangerous the problem is. This 
   is also one of the reasons why all PHP <= 4.3.10 packages shipped 
   with various distributions are still vulnerable to the normal 
   $GLOBALS overwrite, which was fixed in PHP 4.3.11.
   
   Describing the impact of $GLOBALS overwrite vulnerabilities and
   why it does not only affect installations, where register_globals
   is turned on, why it allows remote code execution in a lot of
   PHP applications and why this is also a threat for applications
   that allow local file includes and are running in a SAFE_MODE or
   open_basedir environment is out of the scope of this advisory.
   
   The interested reader is advised to read the following article, 
   that describes this "new" bugclass a bit more detailed, with 
   examples.
   
   http://www.hardened-php.net/globals-problem
   
   Finally it should be noted that users of our Hardening-Patch for
   PHP are not affected if they run the at least version from 
   September.


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any
   of these vulnerabilities to the public.


Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because the GLOBALS problem is very dangerous
   to a lot of PHP applications in the wild. Especially because
   writing a worm that f.e. uses this problem to exploit everything
   based on PEAR.php is very simple. Additionally we always recommend 
   to run PHP with the Hardening-Patch applied, especially because
   it offers even more protection against $GLOBALS overwrites than
   the default PHP.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDZh0fRDkUzAqGSqERAo5yAJ0fNc8IZKgAdhGf7VkuzcubwN0+2ACfWK8K
IZXWzIMzQMf2DEc2ktRgOHQ=
=X87Q
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC