SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
PHP Input Validation Hole in phpinfo() in Processing Stacked Array Contents Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1015130
SecurityTracker URL:  http://securitytracker.com/id/1015130
CVE Reference:   CVE-2005-3388   (Links to External Site)
Updated:  Nov 10 2005
Original Entry Date:  Nov 1 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4 - 4.4.0, 5 - 5.0.5
Description:   A vulnerability was reported in PHP in phpinfo(). A remote user can conduct cross-site scripting attacks.

The phpinfo() function does not properly validate user-supplied input. A remote user can create a specially crafted URL containing a stacked array assignment that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The original advisory is available at:

http://www.hardened-php.net/advisory_182005.77.html

Stefan Esser of the Hardened-PHP Project reported this vulnerabilities.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fixed version (4.4.1), available at:

http://www.php.net/downloads.php#v4

No solution was available at the time of this entry for PHP 5.

Vendor URL:  www.php.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 10 2005 (Red Hat Issues Fix) PHP Input Validation Hole in phpinfo() in Processing Stacked Array Contents Lets Remote Users Conduct Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Nov 11 2005 (Red Hat Issues Fix) PHP Input Validation Hole in phpinfo() in Processing Stacked Array Contents Lets Remote Users Conduct Cross-Site Scripting Attacks
Red Hat has released a fix for Red Hat Enterprise Linux 3 and 4.



 Source Message Contents

Subject:  [Full-disclosure] Advisory 18/2005: PHP Cross Site Scripting (XSS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: PHP Cross Site Scripting (XSS) Vulnerability in phpinfo()
 Release Date: 2005/10/31
Last Modified: 2005/10/31
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: PHP4 <= 4.4.0
               PHP5 <= 5.0.5
     Severity: A Cross Site Scripting (XSS) Vulnerability in phpinfo()
               could f.e. lead to cookie data exposure if an info
               script is left on a production server.
         Risk: Low
Vendor Status: Vendor has released a bugfixed PHP 4 version
   References: http://www.hardened-php.net/advisory_182005.77.html


Overview:

   PHP is a widely-used general-purpose scripting language that is
   especially suited for Web development and can be embedded into HTML.

   During the development of the Hardening-Patch which adds security 
   hardening features to the PHP codebase, several vulnerabilities 
   within PHP were discovered. This advisory describes one of these 
   flaws concerning a weakness in the phpinfo() function, which allows
   Cross Site Scripting (XSS).


Details:
   
   The phpinfo() function outputs a large amount of information about 
   the current state of PHP. This includes information about PHP 
   compilation options and extensions, the PHP version, server 
   information and environment (if compiled as a module), the PHP 
   environment, OS version information, paths, master and local 
   values of configuration options and request variables, HTTP 
   headers, and the PHP License.
   
   Because phpinfo() leaks a lot of information to the viewer it is
   not recommended to leave a script executing phpinfo() on a 
   production server. However in reality phpinfo() scripts are left
   open on a lot of servers. While this is already bad enough, there
   is also a problem when request variables of a certain form are
   displayed. With a properly crafted URL, that contains a stacked
   array assignment it is f.e. possible to inject HTML code into the 
   output of phpinfo(), which could result in the leakage of domain 
   cookies (f.e. session identifiers).


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any
   of these vulnerabilities to the public.


Recommendation:

   It is strongly recommended to never leave phpinfo() scripts on
   production servers, additionally it is recommended to upgrade to 
   the new PHP-Releases as soon as possible, because it also fixes 
   a few vulnerabilities, that are rated critical. Finally we always 
   recommend to run PHP with the Hardening-Patch applied.


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDZhz7RDkUzAqGSqERAt9xAJ9n80d64fyNFyeWWwEVnsHfuyjE8wCeNgx3
OhyWy37m+0oH/xv6yIcNaCs=
=X39u
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC