Bug #46804 file related functions/constructs are vulnerable if path is based on user input
Submitted: 2008-12-09 00:57 UTC Modified: 2008-12-09 15:40 UTC
From: deminy at deminy dot net Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 5.2.8 OS: Ubuntu
Private report: No CVE-ID: None
 [2008-12-09 00:57 UTC] deminy at deminy dot net
Description:
------------
One of my web hosts was hacked some time ago. After checking access_log and doing some research online, I think it was caused by a security bug in PHP, which may make some PHP open source programs vulnerable.

If a PHP program includes a file whose file name is based on user request data (e.g., "include($_REQUEST['lang'] . 'inc.php');"), and '/proc/self/environ' is (accidentally) readable by the Apache user on a Unix/Linux server, the server is probably vulnerable.

Posting the related HTTP access log and sample code here may be a threat to sites built on some PHP open source programs. Please send me an email to request details. Thanks.


 [2008-12-09 04:43 UTC] crrodriguez at opensuse dot org
There is extensive literature out there about this, please do your homework before opening bug reports.

ps: use allow_url_include=off to prevent this problem, which is fundamentally a problem in **your code**.
 [2008-12-09 08:25 UTC] deminy at deminy dot net
'allow_url_include' has nothing to do with the bug I mentioned. The bug was not introduced because of including a URL using include/require constructs.
 [2008-12-09 09:26 UTC] jani@php.net
Unfortunately, obvious coding errors are not PHP bugs. Never ever trust any input without filtering it.
 [2008-12-09 15:40 UTC] deminy at deminy dot net
The bug affects at least some existing open source programs, including one famous CMS/blog system I'm using (although the bug may exist only in some outdated plugins of the system). It could be a bug in PHP.

The basic hack technique was described here: http://www.astalavista.com/index.php?section=docsys&cmd=details&id=53 . By using '....../proc/self/environ%00' instead of '......./proc/self/environ' as a value in $_REQUEST, the way mentioned in the article can be used for hacking more open source programs, especially those that include language files in this way: <?php include 'lang/' . $_lang . '.inc.php'; ?>, where $_lang is somehow based on user input or the client browser environment.

Here is a piece of code describing how include() is not working as expected:
<?php
// Assumed for this demo (the original snippet leaves OS_PATH undefined):
// the application's base directory, with a trailing slash.
define('OS_PATH', __DIR__ . '/');

// After urldecode(), '%00' becomes a NUL byte; anything after it is discarded
// when the string is used as a file path.
$_REQUEST['lang'] = '../../../../../../../../../../../../../..' . __FILE__ . '%00' . 'adafdasdfasdf';
$path = OS_PATH . 'templates/' . $_REQUEST['lang'] . '.inc.php';
$path = urldecode($path);

/**
 * $path actually points to this file (__FILE__).
 *
 * If we set $_REQUEST['lang'] to something like
 * '../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00',
 * and put some injection code in $_SERVER['HTTP_USER_AGENT'] when making a request to that
 * PHP open source program on a vulnerable server, we can gain extra permissions on that web server.
 */
echo '<pre>' . htmlentities(file_get_contents($path)) . '</pre>';
?>
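The thread's fix, "never trust any input without filtering it", applied to the language-file include pattern quoted above. This is an added example, not code from the bug report or from PHP itself; it assumes language files live in a lang/ directory beside the script and are named like en.inc.php or zh_CN.inc.php. The names resolveLangFile and isValidLangCode are hypothetical.

```php
<?php
// Added example: hardened replacement for  include 'lang/' . $_lang . '.inc.php';
// Assumption: language files live in ./lang/ next to this script.
declare(strict_types=1);

const LANG_DIR = __DIR__ . '/lang';

/**
 * Syntactic allowlist: only values shaped like "en" or "zh_CN" are accepted.
 * A NUL byte, "../", "/" or "%00" can never match this character class, so
 * traversal and truncation payloads are rejected before any path is built.
 */
function isValidLangCode(string $lang): bool
{
    return preg_match('/\A[a-z]{2}(?:_[A-Z]{2})?\z/', $lang) === 1;
}

/**
 * Resolve a validated language code to an absolute path inside LANG_DIR,
 * or return null if the code is invalid or the file does not exist there.
 */
function resolveLangFile(string $lang): ?string
{
    if (!isValidLangCode($lang)) {
        return null;
    }

    // Defence in depth: realpath() collapses symlinks and "..", and returns
    // false for missing files; then confirm the result is still under LANG_DIR.
    $base      = realpath(LANG_DIR);
    $candidate = realpath(LANG_DIR . '/' . $lang . '.inc.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed inputs, run through the allowlist only (no files needed).
// The third value is the payload shape discussed in this thread.
$samples = [
    'en',
    'zh_CN',
    '../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00',
    "en\0junk",
    'EN',
];
foreach ($samples as $s) {
    printf("%-12s -> %s\n", substr(addcslashes($s, "\0"), 0, 12), isValidLangCode($s) ? 'accepted' : 'rejected');
}

// Usage: fall back to a fixed default rather than reflecting the bad value.
$requested = (isset($_REQUEST['lang']) && is_string($_REQUEST['lang'])) ? $_REQUEST['lang'] : 'en';
$file = resolveLangFile($requested) ?? resolveLangFile('en');
if ($file === null) {
    http_response_code(500);
    exit('language files are missing');
}
include $file;
```

The allowlist is the control that matters: it decides what the value may look like before the value is ever concatenated into a path, so neither null-byte truncation nor ../ traversal has anything to work with. The realpath() containment check is a second layer for the case where the allowlist is later loosened. Since PHP 5.3.4 the filesystem functions reject paths containing a NUL byte outright, but code that has to run on the 5.2.x releases named in this report cannot rely on that, and input validation is needed on every version anyway.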