php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #65414 Injection (A1) in .phar files magic .phar directory
Submitted: 2013-08-07 11:01 UTC Modified: 2018-02-02 02:46 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: hanskrentel at yahoo dot de Assigned: bishop (profile)
Status: Closed Package: PHAR related
PHP Version: 5.4.17 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hanskrentel at yahoo dot de
New email:
PHP Version: OS:

 

 [2013-08-07 11:01 UTC] hanskrentel at yahoo dot de 
Description:
------------
The checks to add files or strings as files to a .phar file into the magic .phar directory do not prevent creating files within that directory.

This is because those checks (at different places) do not check if the path is actually into that .phar directory or not.

The filename (pathname) is not normalized prior the access check.

This allows to easily circumvent the access control and create files therein.

I run over this while reviewing Bug #64931 and the workaround there is the exploit here (pre-fixing the filename (pathname)).

Test script:
---------------
<?php

$phar = new \Phar("foo.phar", 0, "foo.phar");

$phar->addFromString('/.phar/how-unicorns-shit_-_the-complete-guide.txt', "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into.");

var_dump(file_get_contents('phar://' . __DIR__ . '/foo.phar/.phar/how-unicorns-shit_-_the-complete-guide.txt'));

Expected result:
----------------
Fatal error: Uncaught exception 'BadMethodCallException' with message 'Cannot create any files in magic ".phar" directory' 

Actual result:
--------------
string(383) "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into."

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-08-07 11:02 UTC] hanskrentel at yahoo dot de 
Related To: Bug #64931
 [2016-10-30 22:07 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-30 22:07 UTC] stas@php.net 
Doesn't look to me like a security issue.
 [2018-02-02 02:46 UTC] bishop@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: bishop
 [2018-02-08 09:34 UTC] krakjoe@php.net 
Automatic comment on behalf of bishop.bettini@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d806d0315f96806ff79fcb87e22adfe7a5ca3cf9
Log: Fixed bug #65414
 [2018-02-08 09:34 UTC] krakjoe@php.net
-Status: Verified +Status: Closed
 [2018-02-08 09:34 UTC] krakjoe@php.net 
Automatic comment on behalf of bishop.bettini@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4765ba7dc3fbae657288ae1095f111a136746cde
Log: Fixed bug #65414
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved. 		Last updated: Thu Oct 18 17:01:26 2018 UTC