Bug #65414 Injection (A1) in .phar files magic .phar directory
Submitted: 2013-08-07 11:01 UTC Modified: 2018-02-02 02:46 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: hanskrentel at yahoo dot de Assigned: bishop (profile)
Status: Closed Package: PHAR related
PHP Version: 5.4.17 OS:
Private report: No CVE-ID: None
 [2013-08-07 11:01 UTC] hanskrentel at yahoo dot de
Description:
------------
The checks performed when adding files or strings as files to a .phar file into the magic .phar directory do not prevent creating files within that directory.

This is because those checks (in different places) do not check whether the path actually points into that .phar directory or not.

The filename (pathname) is not normalized prior to the access check.

This makes it easy to circumvent the access control and create files therein.

I ran into this while reviewing Bug #64931, and the workaround there is the exploit here (prefixing the filename (pathname)).

Test script:
---------------
<?php

// create (or open) the archive; the third argument is the alias
$phar = new \Phar("foo.phar", 0, "foo.phar");

// the leading "/" is not normalized away before the ".phar/" check, so the write is accepted
$phar->addFromString('/.phar/how-unicorns-shit_-_the-complete-guide.txt', "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into.");

// read the entry back through the phar:// stream wrapper to confirm it was created
var_dump(file_get_contents('phar://' . __DIR__ . '/foo.phar/.phar/how-unicorns-shit_-_the-complete-guide.txt'));

Expected result:
----------------
Fatal error: Uncaught exception 'BadMethodCallException' with message 'Cannot create any files in magic ".phar" directory' 

Actual result:
--------------
string(383) "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into."
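The defect the report describes is a prefix comparison done on a raw entry name: `/.phar/...` does not begin with `.phar/`, so the "magic directory" check never fires, even though the archive resolves both names to the same entry. The following C program is an added illustration, not code from the bug report or from php-src: `naive_write_allowed` models the unnormalized check as the report describes it, `normalize_entry_name` canonicalizes an archive entry name (leading and repeated slashes, `.` and `..` components) and `hardened_write_allowed` runs the same check on the canonical form. All three function names and the 256-byte buffer are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PHAR_MAGIC_DIR ".phar/"   /* reserved directory inside the archive */

/* Model of the behaviour the report describes (hypothetical, not php-src):
 * a plain prefix test on the raw name. "/.phar/x" does not start with
 * ".phar/", so the write is allowed. */
bool naive_write_allowed(const char *name)
{
    return strncmp(name, PHAR_MAGIC_DIR, strlen(PHAR_MAGIC_DIR)) != 0;
}

/* Canonicalize an archive entry name into out (capacity outlen):
 * strip leading slashes, collapse runs of slashes, drop "." components,
 * resolve ".." against the components already emitted (clamped at the
 * archive root). Returns false if the result does not fit. */
bool normalize_entry_name(const char *name, char *out, size_t outlen)
{
    size_t olen = 0;
    const char *p = name;
    bool trailing = false;

    if (outlen == 0) return false;
    while (*p == '/') p++;                      /* absolute prefix means nothing in an archive */
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        trailing = (*p == '/');
        while (*p == '/') p++;                  /* collapse separator runs */
        if (seglen == 1 && seg[0] == '.') continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (olen > 0) {                     /* pop the previous component */
                olen--;                         /* its trailing '/' */
                while (olen > 0 && out[olen - 1] != '/') olen--;
            }
            continue;                           /* ".." at the root is clamped */
        }
        if (olen + seglen + 1 >= outlen) return false;  /* segment + '/' + NUL must fit */
        memcpy(out + olen, seg, seglen);
        olen += seglen;
        out[olen++] = '/';
    }
    if (olen > 0 && !trailing) olen--;          /* drop the separator after the last segment */
    out[olen] = '\0';
    return true;
}

/* Is the canonical name the magic directory itself or anything below it? */
static bool in_magic_dir(const char *norm)
{
    return strcmp(norm, ".phar") == 0 ||
           strncmp(norm, PHAR_MAGIC_DIR, strlen(PHAR_MAGIC_DIR)) == 0;
}

/* Hardened variant: normalize first, then apply the same check.
 * A name that cannot be normalized is rejected (fail closed). */
bool hardened_write_allowed(const char *name)
{
    char norm[256];                             /* assumed limit for this example */
    if (!normalize_entry_name(name, norm, sizeof norm)) return false;
    return !in_magic_dir(norm);
}

int main(void)
{
    /* constructed sample entry names */
    const char *samples[] = {
        ".phar/stub.php", "/.phar/x.txt", "foo/../.phar/x.txt",
        "../.phar/x.txt", "foo//./bar.txt", ".phar"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char norm[256];
        normalize_entry_name(samples[i], norm, sizeof norm);
        printf("%-22s -> %-14s naive:%s hardened:%s\n", samples[i], norm,
               naive_write_allowed(samples[i]) ? "allow" : "deny ",
               hardened_write_allowed(samples[i]) ? "allow" : "deny ");
    }
    return 0;
}
```

The point of the normalization step is that the check and the archive must agree on what name an entry will be stored under; any check applied to a name that still contains a leading slash, `//`, `.` or `..` is a check on a different string than the one the archive resolves.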

History
 [2016-10-30 22:07 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-30 22:07 UTC] stas@php.net
Doesn't look to me like a security issue.
 [2018-02-02 02:46 UTC] bishop@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: bishop
 [2018-02-08 09:34 UTC] krakjoe@php.net
Automatic comment on behalf of bishop.bettini@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d806d0315f96806ff79fcb87e22adfe7a5ca3cf9
Log: Fixed bug #65414
 [2018-02-08 09:34 UTC] krakjoe@php.net
-Status: Verified +Status: Closed
 [2018-02-08 09:34 UTC] krakjoe@php.net
Automatic comment on behalf of bishop.bettini@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4765ba7dc3fbae657288ae1095f111a136746cde
Log: Fixed bug #65414