PHP :: Bug #65414 :: Injection (A1) in .phar files magic .phar directory
php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65414 Injection (A1) in .phar files magic .phar directory
Submitted: 2013-08-07 11:01 UTC Modified: 2018-02-02 02:46 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: hanskrentel at yahoo dot de Assigned: bishop (profile)
Status: Closed Package: PHAR related
PHP Version: 5.4.17 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
4 + 2 = ?
Subscribe to this entry?

 
 [2013-08-07 11:01 UTC] hanskrentel at yahoo dot de
Description:
------------
The checks to add files or strings as files to a .phar file into the magic .phar directory do not prevent creating files within that directory.

This is because those checks (at different places) do not check if the path is actually into that .phar directory or not.

The filename (pathname) is not normalized prior the access check.

This allows to easily circumvent the access control and create files therein.

I run over this while reviewing Bug #64931 and the workaround there is the exploit here (pre-fixing the filename (pathname)).

Test script:
---------------
<?php

$phar = new \Phar("foo.phar", 0, "foo.phar");

$phar->addFromString('/.phar/how-unicorns-shit_-_the-complete-guide.txt', "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into.");

var_dump(file_get_contents('phar://' . __DIR__ . '/foo.phar/.phar/how-unicorns-shit_-_the-complete-guide.txt'));

Expected result:
----------------
Fatal error: Uncaught exception 'BadMethodCallException' with message 'Cannot create any files in magic ".phar" directory' 

Actual result:
--------------
string(383) "

     How Unicorns Shit
           ---
     The Complete Guide

It's all based on the color magic
of the rainbow. You know, even
unicorns just cook with water.

Just heat some water until it
boils and the steam gets up
into the sunlight. With some
luck you will see a rainbow.

Just try with the right amount of
steam and the right amount of
light and the right angle to
watch into."

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-10-30 22:07 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-10-30 22:07 UTC] stas@php.net
Doesn't look to me like a security issue.
 [2018-02-02 02:46 UTC] bishop@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: bishop
 [2018-02-08 09:34 UTC] krakjoe@php.net
Automatic comment on behalf of bishop.bettini@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d806d0315f96806ff79fcb87e22adfe7a5ca3cf9
Log: Fixed bug #65414
 [2018-02-08 09:34 UTC] krakjoe@php.net
-Status: Verified +Status: Closed
 [2018-02-08 09:34 UTC] krakjoe@php.net
Automatic comment on behalf of bishop.bettini@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4765ba7dc3fbae657288ae1095f111a136746cde
Log: Fixed bug #65414
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Aug 19 23:01:25 2018 UTC