Bug #46804 file related functions/constructs are vulnerable if path is based on user input
Submitted: 2008-12-09 00:57 UTC Modified: 2008-12-09 15:40 UTC
From: deminy at deminy dot net Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 5.2.8 OS: Ubuntu
Private report: No CVE-ID: None
 [2008-12-09 00:57 UTC] deminy at deminy dot net
Description:
------------
One of my web hosts was hacked some time ago. After checking the access_log and doing some research online, I think it was caused by a security bug in PHP, which may make some PHP open source programs vulnerable.

If a PHP program includes a file whose file name is based on user request data (e.g., "include($_REQUEST['lang'] . 'inc.php');"), and '/proc/self/environ' is (accidentally) readable by the Apache user on a Unix/Linux server, the server is probably vulnerable.

Posting the related HTTP access log and sample code here may be a threat to sites built on some PHP open source programs. Please send me an email to request details. Thanks.


 [2008-12-09 04:43 UTC] crrodriguez at opensuse dot org
There is extensive literature out there about this, please do your homework before opening bug reports.

ps: use allow_url_include=off to prevent this problem, which is fundamentally a problem in **your code**.
 [2008-12-09 08:25 UTC] deminy at deminy dot net
'allow_url_include' has nothing to do with the bug I mentioned. The bug was not introduced because of including a URL using include/require constructs.
 [2008-12-09 09:26 UTC] jani@php.net
Unfortunately obvious coding errors are not PHP bugs. Never ever trust any input without filtering it. 
 [2008-12-09 15:40 UTC] deminy at deminy dot net
The bug affects at least some existing open source programs, including one famous CMS/blog system I'm using (although the bug may exist only in some outdated plugins of the system). It could be a bug in PHP.

The basic hack technique was described here http://www.astalavista.com/index.php?section=docsys&cmd=details&id=53 . By using '....../proc/self/environ%00' instead of '......./proc/self/environ' as a value in $_REQUEST, the way mentioned in the article can be used to hack more open source programs, especially those that include language files in this way: <?php include 'lang/' . $_lang . '.inc.php'; ?>, where $_lang is somehow based on user input or the client browser environment.

Here is a piece of code showing how include() does not work as expected:
<?php
// '%00' causes anything after it to be discarded when the variable is used for generating a file path.
define('OS_PATH', dirname(__FILE__) . '/');   // base directory of the application, assumed by the snippet below
$_REQUEST['lang'] = '../../../../../../../../../../../../../..' . __FILE__ . '%00' . 'adafdasdfasdf';
$path = OS_PATH . 'templates/' . $_REQUEST['lang'] . '.inc.php';
$path = urldecode($path);   // turns the literal '%00' into a NUL byte, as a real request's decoding would

/**
 * $path actually points to this file (__FILE__).
 *
 * If we set $_REQUEST['lang'] to something like
 * '../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00',
 * and put some injection code in $_SERVER['HTTP_USER_AGENT'] when making the request to that
 * PHP open source program on a vulnerable server, we can gain extra permissions on that web server.
 */
echo '<pre>' . htmlentities(file_get_contents($path)) . '</pre>';
?>
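An added example, written for this page rather than taken from the report or from the CMS/plugins it mentions: the include pattern the thread argues about, next to a hardened version of it. The language directory, the language list and the probe strings are constructed for the demo. Note that PHP 5.3.4 and later reject paths containing a NUL byte, so the '%00' truncation shown in the report no longer works on current PHP, but the directory traversal it was truncating still does, which is why the hardened version validates against an allow-list and checks the canonical path rather than just stripping NUL bytes.

```php
<?php
// Added example, not code from the bug report or from any CMS/plugin it mentions.
// It contrasts the include pattern discussed in the thread with a hardened version.
// The language directory, the language list and the probe inputs are constructed here.

declare(strict_types=1);

// Vulnerable pattern, the shape criticised in the thread: the path is built straight
// from request data. Only the path is returned so the demo never includes
// attacker-chosen files.
function langPathUnsafe(string $langDir, string $lang): string
{
    return $langDir . '/' . $lang . '.inc.php';
}

// Hardened version: allow-list first, then verify the canonical path stays in $langDir.
function langPathSafe(string $langDir, string $lang, array $allowed): ?string
{
    // 1. Only known language codes get through (an allow-list, not a "../" deny-list).
    if (!in_array($lang, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: a code is two letters plus optional _REGION, so no NUL, "/" or "..".
    if (!preg_match('/\A[a-z]{2}(?:_[A-Z]{2})?\z/', $lang)) {
        return null;
    }
    // 3. realpath() resolves ".." and symlinks; the result must sit under the base directory.
    $base = realpath($langDir);
    $real = realpath($langDir . '/' . $lang . '.inc.php');
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// --- constructed fixture: a throw-away lang/ directory with two real language files ---
$langDir = sys_get_temp_dir() . '/lang_' . getmypid();
mkdir($langDir);
file_put_contents($langDir . '/en.inc.php', "<?php return ['hello' => 'Hello'];\n");
file_put_contents($langDir . '/de.inc.php', "<?php return ['hello' => 'Hallo'];\n");
$allowed = ['en', 'de'];

// Constructed probe values, as they would look after the web server URL-decodes them.
$probes = [
    'en',                                       // legitimate
    'de',                                       // legitimate
    '../../../../../../proc/self/environ',      // plain traversal; suffix '.inc.php' still appended
    "../../../../../../proc/self/environ\0",    // the %00 trick from the report (PHP < 5.3.4 only)
    'en/../../../../../../etc/passwd',          // starts with a valid code, then traverses
];

foreach ($probes as $p) {
    $safe = langPathSafe($langDir, $p, $allowed);
    printf("%-45s unsafe -> %s\n%-45s safe   -> %s\n",
        addcslashes($p, "\0..\37"), langPathUnsafe($langDir, $p),
        '', $safe === null ? 'REJECTED' : $safe);
    if ($safe !== null) {
        $strings = include $safe;   // safe to include: validated and canonicalised
        echo str_repeat(' ', 45) . "hello = {$strings['hello']}\n";
    }
}

// tidy up the fixture
unlink($langDir . '/en.inc.php');
unlink($langDir . '/de.inc.php');
rmdir($langDir);
```

Run it with `php lfi_demo.php`: the two real codes resolve to files inside the temporary directory and are included, while the three traversal probes are rejected before realpath() is ever called on them. The allow-list check alone is sufficient; the regular expression and the realpath() prefix check are there so the function stays safe if someone later grows the allow-list from a config file or a database.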
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 15 10:01:31 2024 UTC