[2018-03-21 16:53 UTC] scorneli at redhat dot com
Description:
------------
I've tested the fix for CVE-2018-5712 (http://git.php.net/?p=php-src.git;a=commit;h=4e3f55c36272a5f29b50e1924b78e9db1b23f214) and it does not appear to be sufficient for me. The "phar_do_404()" function in ext/phar/phar_object.c also returns parts of the request unfiltered, leading to another XSS vector. I've tested this with Fedora 27's php-7.1.15 version. I've not tested a new vanilla upstream version to verify that it's affected, but I've checked the upstream git sources and they appear to be affected. The "phar_do_403()" function shares similar code, so I've proactively changed that, too. Not tested, though. I've attached a patch that I've used to test my theory.

I'm not sure if you guys are already aware of this issue, but I've not communicated this to any 3rd parties yet. I've also not requested a CVE ID yet. Given that this can be easily figured out by anyone testing CVE-2018-5712, I don't think that this needs any special embargo. However, if you want to embargo this, do you have a rough timeline when this would be OK for you to make public?

Thanks,
Stefan Cornelius / Red Hat Product Security

Test script:
---------------
I'm not doing anything out of the ordinary, really. Fedora 27 with default httpd/php config. The phar is a bare minimum phar package only printing phpinfo(). Although the phar file was built with a php version containing the original fix (4e3f55c36272a5f29b50e1924b78e9db1b23f214), I still can reproduce the XSS.

Expected result:
----------------
No XSS

Actual result:
--------------
XSS
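An added illustration, not php-src code and not the reporter's patch: instead of dropping the entry name from the error body, the name can be HTML-escaped before it is written. The growable-buffer helpers stand in for PHPWRITE (which in php-src writes to the SAPI output layer), and the body is shortened to the parts that matter; the `LIT` macro is an assumption that mirrors the page's `sizeof(str) - 1` idiom.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the page's PHPWRITE(str, sizeof(str) - 1) idiom for literals. */
#define LIT(s) (s), (sizeof(s) - 1)

/* Append n bytes to a growable buffer; stand-in for PHPWRITE. */
static void out_write(char **buf, size_t *len, const char *src, size_t n) {
    char *p = realloc(*buf, *len + n + 1);
    if (!p) abort();
    memcpy(p + *len, src, n);
    *len += n;
    p[*len] = '\0';
    *buf = p;
}

/* Same, but HTML-escapes so a request-controlled name cannot inject markup. */
static void out_write_escaped(char **buf, size_t *len, const char *src, size_t n) {
    for (size_t i = 0; i < n; i++) {
        const char *rep = NULL;
        switch (src[i]) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#039;"; break;
        }
        if (rep) out_write(buf, len, rep, strlen(rep));
        else     out_write(buf, len, &src[i], 1);
    }
}

/* Assemble the 404 body as phar_do_404 does (prefix, entry, suffix), escaped. Caller frees. */
char *build_404_body(const char *entry, size_t entry_len) {
    char *buf = NULL; size_t len = 0;
    out_write(&buf, &len, LIT("<html>\n <body>\n <h1>404 - File "));
    out_write_escaped(&buf, &len, entry, entry_len);
    out_write(&buf, &len, LIT(" Not Found</h1>\n </body>\n</html>"));
    return buf;
}

int main(void) {
    const char *entry = "<b>x</b>";   /* constructed name containing markup */
    char *body = build_404_body(entry, strlen(entry));
    fputs(body, stdout);
    free(body);
    return 0;
}
```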
I'm having problems attaching the patch (restricts my access, although I'm the reporter). Maybe this will do as a workaround: diff -pur php-7.1.15/ext/phar/phar_object.c php-7.1.15_patch/ext/phar/phar_object.c --- php-7.1.15/ext/phar/phar_object.c 2018-02-28 12:19:23.000000000 +0100 +++ php-7.1.15_patch/ext/phar/phar_object.c 2018-03-21 16:59:02.846809270 +0100 @@ -307,9 +307,7 @@ static void phar_do_403(char *entry, int ctr.line = "HTTP/1.0 403 Access Denied"; sapi_header_op(SAPI_HEADER_REPLACE, &ctr); sapi_send_headers(); - PHPWRITE("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ", sizeof("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ") - 1); - PHPWRITE(entry, entry_len); - PHPWRITE(" Access Denied</h1>\n </body>\n</html>", sizeof(" Access Denied</h1>\n </body>\n</html>") - 1); + PHPWRITE("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File Access Denied</h1>\n </body>\n</html>", sizeof("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File Access Denied</h1>\n </body>\n</html>") - 1); } /* }}} */ @@ -332,9 +330,7 @@ static void phar_do_404(phar_archive_dat ctr.line = "HTTP/1.0 404 Not Found"; sapi_header_op(SAPI_HEADER_REPLACE, &ctr); sapi_send_headers(); - PHPWRITE("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ", sizeof("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ") - 1); - PHPWRITE(entry, entry_len); - PHPWRITE(" Not Found</h1>\n </body>\n</html>", sizeof(" Not Found</h1>\n </body>\n</html>") - 1); + PHPWRITE("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>", sizeof("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File Not Found</h1>\n </body>\n</html>") - 1); } /* }}} */
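Review bot: in the phar_do_403 hunk, `entry` and `entry_len` are no longer written once the three PHPWRITE calls collapse into one, so the parameters in the visible signature `static void phar_do_403(char *entry, int` become dead unless the function references them elsewhere; either drop them and adjust the callers, or expect unused-parameter warnings. The description also says this path was not exercised, so a request that hits the 403 branch should be run to confirm the static body goes out with the `HTTP/1.0 403 Access Denied` line.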
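Review bot: the phar_do_404 hunk closes the reflection by removing the entry name from the body altogether rather than escaping it, which also removes the only hint to the user of which file was requested; if that name is wanted, HTML-escape it before the PHPWRITE instead of writing `entry` raw. Style point on the same hunk: the whole body literal is now repeated verbatim inside `sizeof(...)`, which is easy to let drift on a later edit; a `#define` of the literal (or a helper that takes it once) keeps the length argument in sync.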