Sec Bug #72771 ftps:// wrapper is vulnerable to protocol downgrade attack
Submitted: 2016-08-06 19:19 UTC Modified: 2016-08-17 05:53 UTC
From: vhu at iki dot fi Assigned: stas
Status: Closed Package: Streams related
PHP Version: 5.6.24 OS: All
Private report: No CVE-ID:
 [2016-08-06 19:19 UTC] vhu at iki dot fi
Description:
------------
The ftps:// opendir wrapper seems to be vulnerable to a protocol downgrade attack.

When a user requests an ftps:// connection, php_ftp_fopen_connect() in ext/standard/ftp_fopen_wrapper.c first attempts to use AUTH TLS, followed by an attempt to use AUTH SSL if that follows. If the FTP server, or an attacker, responds with status codes other than 234 for AUTH TLS and 334 for AUTH SSL, the wrapper will silently downgrade the connection to regular FTP. Relevant code:

    if (use_ssl)    {

        /* send the AUTH TLS request name */
        php_stream_write_string(stream, "AUTH TLS\r\n");

        /* get the response */
        result = GET_FTP_RESULT(stream);
        if (result != 234) {
            /* AUTH TLS not supported try AUTH SSL */
            php_stream_write_string(stream, "AUTH SSL\r\n");

            /* get the response */
            result = GET_FTP_RESULT(stream);
            if (result != 334) {
                use_ssl = 0;
            } else {


Test script:
---------------
Execute against server that doesn't support ftps.

$dir=opendir('ftps://ftp.funet.fi/');
var_dump($dir);

Expected result:
----------------
bool(false)

TCP session between the client and server:

S: 220---------- Welcome to Pure-FTPd ----------
C: AUTH TLS
S: 500 This security scheme is not implemented
C: AUTH SSL
S: 500 This security scheme is not implemented

(connection terminated)

Actual result:
--------------
resource(%d) of type (stream)

TCP session between the client and server:

S: 220---------- Welcome to Pure-FTPd ----------
C: AUTH TLS
S: 500 This security scheme is not implemented
C: AUTH SSL
S: 500 This security scheme is not implemented
C: USER test
S: 331-Welcome to the FUNET anonymous ftp archive
C: PASS test
S: 230 Any password will work
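
The two sessions in the report differ only in what the client does after both AUTH commands are refused, and that difference can be checked mechanically in a captured control channel. The C code below is an added example, not code from php-src or from the reporter; `classify`, the `verdict` names and the use of the report's `C:`/`S:` notation as an input format are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { NO_AUTH_SEEN, TLS_ACCEPTED, REFUSED_AND_CLOSED, DOWNGRADED };

/* Constructed input: the report's "actual result" session in its own notation. */
static const char ACTUAL[] =
    "S: 220---------- Welcome to Pure-FTPd ----------\n"
    "C: AUTH TLS\n"
    "S: 500 This security scheme is not implemented\n"
    "C: AUTH SSL\n"
    "S: 500 This security scheme is not implemented\n"
    "C: USER test\n"
    "S: 331-Welcome to the FUNET anonymous ftp archive\n"
    "C: PASS test\n"
    "S: 230 Any password will work\n";

/* Classify one control-channel transcript written as "C: ..." / "S: ..." lines. */
enum verdict classify(const char *log)
{
    int auth_sent = 0;   /* client asked for TLS at least once */
    int expect = 0;      /* reply code that would accept the pending AUTH */

    for (const char *p = log; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 3 && p[1] == ':' && p[2] == ' ') {
            const char *text = p + 3;
            if (p[0] == 'C' && strncmp(text, "AUTH TLS", 8) == 0) {
                auth_sent = 1; expect = 234;
            } else if (p[0] == 'C' && strncmp(text, "AUTH SSL", 8) == 0) {
                auth_sent = 1; expect = 334;
            } else if (p[0] == 'C' && auth_sent &&
                       (!strncmp(text, "USER ", 5) || !strncmp(text, "PASS ", 5))) {
                return DOWNGRADED;       /* credentials in clear after a refused AUTH */
            } else if (p[0] == 'S' && expect) {
                if (atoi(text) == expect)
                    return TLS_ACCEPTED; /* the rest of the session is encrypted */
                expect = 0;              /* refused: the client should stop here */
            }
        }
        p = eol ? eol + 1 : p + len;
    }
    return auth_sent ? REFUSED_AND_CLOSED : NO_AUTH_SEEN;
}

int main(void) { printf("verdict=%d\n", classify(ACTUAL)); return 0; }
```

The report's "expected result" session, which ends after the second 500 reply, classifies as `REFUSED_AND_CLOSED`.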


History

 [2016-08-07 11:12 UTC] vhu at iki dot fi
Unfortunately can't add patch to private bug, so here it is as a comment: 


diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c
index bfb1631..5bffa47 100644
--- a/ext/standard/ftp_fopen_wrapper.c
+++ b/ext/standard/ftp_fopen_wrapper.c
@@ -188,7 +188,8 @@ static php_stream *php_ftp_fopen_connect(php_stream_wrapper *wrapper, const char
                        /* get the response */
                        result = GET_FTP_RESULT(stream);
                        if (result != 334) {
-                               use_ssl = 0;
+                               php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Server doesn't support FTPS.");
+                               goto connect_errexit;
                        } else {
                                /* we must reuse the old SSL session id */
                                /* if we talk to an old ftpd-ssl */
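Review bot: The new failure branch under `if (result != 334)` logs a fixed string, so the caller cannot tell a 5xx refusal from a missing or malformed reply; passing `result` into the php_stream_wrapper_log_error message would make a refused or tampered negotiation diagnosable. The `goto connect_errexit` target lies outside this hunk, so it is worth confirming that path closes the control stream before returning. A regression test against a server that answers 500 to both AUTH commands, expecting opendir() to return false, would pin the new behaviour.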
 [2016-08-07 23:19 UTC] stas@php.net
-PHP Version: master-Git-2016-08-06 (Git)
+PHP Version: 5.6.24
-Assigned To:
+Assigned To: stas
 [2016-08-07 23:19 UTC] stas@php.net
Fix added to security repo as f9c2edb4dbc01a817989b70ca7726f177bb1a103
 [2016-08-08 09:19 UTC] vhu at iki dot fi
-Summary: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
+Summary: ftps:// wrapper is vulnerable to protocol downgrade attack
 [2016-08-08 09:19 UTC] vhu at iki dot fi
This vulnerability and patch aren't only affecting opendir but the ftps:// wrapper as a whole.
 [2016-08-09 08:58 UTC] vhu at iki dot fi
To my great disappointment, ftp:// wrapper documentation (http://php.net/manual/en/wrappers.ftp.php) does state this:

"If the server does not support SSL, then the connection falls back to regular unencrypted ftp."

In other words, working as intended even though this is like SSH falling back to telnet without notifying the user.
 [2016-08-13 20:41 UTC] stas@php.net
-Assigned To: stas
+Assigned To: sesser
 [2016-08-13 20:41 UTC] stas@php.net
It's documented but I'm not sure it's a good idea. Assigning to original code author for more feedback.
 [2016-08-13 21:04 UTC] stas@php.net
-Assigned To: sesser
+Assigned To: stas
 [2016-08-13 21:04 UTC] stas@php.net
sesser's comments indicate he agrees with making it fail when no SSL is available too. The documented way looks like a remnant of the epoch where SSL was rare (ah, older, innocent times when doors had no locks and telnet accounts had no passwords...)
 [2016-08-17 05:57 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e018ff094f8505ea77f881ba11176e3ad0b4863e
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-08-17 05:57 UTC] stas@php.net
-Status: Assigned
+Status: Closed
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e018ff094f8505ea77f881ba11176e3ad0b4863e
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-08-17 08:23 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e5b0952be2d7c93bdf491d99f50a14df46c30cd2
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e018ff094f8505ea77f881ba11176e3ad0b4863e
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-08-17 09:15 UTC] laruence@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e5b0952be2d7c93bdf491d99f50a14df46c30cd2
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-08-17 12:04 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4dd455c6d28064f3d56ec2c928c37ff3ac6f38b8
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-08-18 11:15 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7d5ca3b28d3c8f8cae6cd874740f18fd3eb5100e
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e018ff094f8505ea77f881ba11176e3ad0b4863e
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e5b0952be2d7c93bdf491d99f50a14df46c30cd2
Log: Fix bug #72771: ftps:// opendir wrapper is vulnerable to protocol downgrade attack
 
Last updated: Tue Aug 29 15:01:52 2017 UTC