Sec Bug #74782 Reflected XSS in .phar 404 page
Submitted: 2017-06-19 18:15 UTC Modified: 2018-01-16 09:06 UTC
From: passownz at gmail dot com Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 5.6.30 OS:
Private report: No CVE-ID: 2018-5712
 [2017-06-19 18:15 UTC] passownz at gmail dot com
Description:
------------
Hi,

When creating a .phar file and configuring Apache to handle phar files using PHP, when accessing an invalid page the page name is reflected back to the user in the 404 response. This user input is not being sanitized and therefore it is vulnerable to a reflected XSS.

Meaning, every site which is configured to run .phar files using PHP is vulnerable.


Patches

74782patch (last revision 2018-10-22 05:52 UTC by 1246196870 at qq dot com)

History
 [2017-06-19 21:24 UTC] stas@php.net
Could you provide some details about how Apache was configured, maybe Apache config directives, so we could be sure we're checking the same configuration?
 [2017-06-20 06:40 UTC] passownz at gmail dot com
I just added the (ar) file to the php5.6.conf file in the apache mods-enabled dir as follows:

<FilesMatch ".+\.ph(ar|p[3457]?|t|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>


Thanks.
 [2017-06-20 07:35 UTC] stas@php.net
Thank you, could you also provide a message that you are seeing in the response?
 [2017-06-20 07:35 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2017-06-20 07:58 UTC] passownz at gmail dot com
-Status: Feedback +Status: Open
 [2017-06-20 07:58 UTC] passownz at gmail dot com
REQUEST:
-----------------------

GET /myapp.phar/%3cscript%3ealert()%3c/script%3e HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1


RESPONSE:
--------------
HTTP/1.0 404 Not Found
Date: Tue, 20 Jun 2017 07:52:21 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Length: 138
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
 <head>
  <title>File Not Found</title>
 </head>
 <body>
  <h1>404 - File /<script>alert()</script> Not Found</h1>
 </body>
</html>


The root cause of the vulnerability is that when PHP generates .phar files it also adds a piece of code that handles the case where the requested file in the archive couldn't be found, as can be seen in the following code snippet:

$a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt);
if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) {
    header('HTTP/1.0 404 Not Found');
    echo "<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File ", $pt, " Not Found</h1>\n </body>\n</html>";
    exit;
}

The $pt variable contains the user's requested page, and as can be seen it is being echoed back as is in the 404 response.
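The following is an added example, not the stub PHP generates and not the reporter's code. It places the 404 handler quoted above next to two hardened forms: the one the upstream fix adopted (the requested name is dropped from the body) and an escaping variant for custom stubs that still want to show the name. Extract_Phar::$temp is a stand-in for the class the real stub defines, and the function names are constructed for this example.

```php
<?php
// Added example; not the PHP-generated stub and not the reporter's code.
// Extract_Phar is a stand-in for the class the real stub defines.
class Extract_Phar { public static $temp; }

// Skeleton of the 404 page from the report; %s is the <h1> text.
const PAGE = "<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>%s</h1>\n </body>\n</html>";

// Pre-fix behaviour: the request path $pt lands in the HTML unescaped, so any
// markup in the URL is rendered by the browser (the reflected XSS in the report).
function notFoundVulnerable(string $pt): string {
    return sprintf(PAGE, "404 - File " . $pt . " Not Found");
}

// What the upstream fix did: leave the requested name out of the response
// entirely, so no attacker-controlled bytes reach the page at all.
function notFoundFixed(): string {
    return sprintf(PAGE, "404 - File Not Found");
}

// If a custom stub must echo the name, escape it for the HTML text context.
function notFoundEscaped(string $pt): string {
    $safe = htmlspecialchars($pt, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(PAGE, "404 - File " . $safe . " Not Found");
}

// The containment check from the report, unchanged: the resolved path must be
// a real file under the extraction directory, otherwise it is "not found".
function resolveInsideTemp(string $pt): ?string {
    $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt);
    if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) {
        return null;
    }
    return $a;
}

// Demo with the request path from the report (already URL-decoded by the server).
Extract_Phar::$temp = sys_get_temp_dir();
$pt = rawurldecode('/%3cscript%3ealert()%3c/script%3e');
if (resolveInsideTemp($pt) === null) {
    header('HTTP/1.0 404 Not Found');
    echo notFoundFixed();
    // notFoundEscaped($pt) would instead render the name as
    // /&lt;script&gt;alert()&lt;/script&gt;, which the browser shows as text.
}
```

Removing the name, as the fix did, is the more robust choice because it does not depend on picking the right escaping for the context the string ends up in; escaping is the fallback when the name genuinely has to be shown.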
 [2017-06-20 08:05 UTC] passownz at gmail dot com
Some more info, this is how I created the phar file:

<?php
$srcRoot = "~/myapp/src";
$buildRoot = "~/myapp/build";

$phar = new Phar($buildRoot . "/myapp.phar",
    FilesystemIterator::CURRENT_AS_FILEINFO | FilesystemIterator::KEY_AS_FILENAME,
    "myapp.phar");
$phar["index.php"] = file_get_contents($srcRoot . "/index.php");
$phar["common.php"] = file_get_contents($srcRoot . "/common.php");
$phar->setStub($phar->createDefaultStub("index.php"));

copy($srcRoot . "/config.ini", $buildRoot . "/config.ini");
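Archives built with createDefaultStub() on an unpatched PHP carry the vulnerable handler inside the .phar itself, so upgrading PHP does not repair files that were already built. The script below is an added example (not part of the report or of PHP) that audits the stub of an existing archive, and the default stub of the running PHP, for the "404 - File ", $pt, " Not Found" pattern quoted in the report. The regex and the function names are constructed here; build/myapp.phar is the archive name from the reporter's build script.

```php
<?php
// Added example, not part of the report or of PHP itself: check whether a phar
// stub still concatenates the requested path ($pt) into its 404 heading.

// True when the stub's 404 handler interpolates $pt into the heading, i.e. the
// pre-fix form quoted in the report. Matches both echo-argument form
// (", $pt, ") and string-concatenation form (" . $pt . ").
function stubReflectsRequestPath(string $stub): bool {
    return (bool) preg_match('/404 - File "\s*[,.]\s*\$pt\s*[,.]\s*" Not Found/', $stub);
}

// Audit one archive on disk. Opening a Phar for reading works even when
// phar.readonly=1, so this can run on a production host.
function auditPhar(string $path): array {
    $phar = new Phar($path);
    return [
        'file'     => $path,
        'reflects' => stubReflectsRequestPath($phar->getStub()),
    ];
}

// Audit the stub this PHP build would generate today.
function auditDefaultStub(): array {
    return [
        'php'      => PHP_VERSION,
        'reflects' => stubReflectsRequestPath(Phar::createDefaultStub('index.php')),
    ];
}

if (PHP_SAPI === 'cli') {
    print_r(auditDefaultStub());
    // Archive path from the report's build script; pass another path as argv[1].
    $target = $argv[1] ?? 'build/myapp.phar';
    if (is_file($target)) {
        print_r(auditPhar($target));
    }
}
```

A 'reflects' => true result for an archive means it should be rebuilt on a fixed PHP, or have its stub replaced with setStub(), regardless of which PHP version is serving it.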
 [2017-07-01 19:51 UTC] passownz at gmail dot com
Hi, any news regarding this? Thanks.
 [2017-07-02 20:32 UTC] stas@php.net
The fix is in security repo as 68ba96895d73a3e6fb0cbf004f2a62add9926737 and in https://gist.github.com/70d2f6bac8db576d6386bd79c1e6e081

Please verify.
 [2017-07-02 20:33 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2017-07-03 08:42 UTC] passownz at gmail dot com
Yes, I can confirm that the provided fix would solve the problem.
 [2017-07-03 08:44 UTC] passownz at gmail dot com
Are you going to issue a CVE identifier for this vulnerability? Thanks.
 [2017-07-31 06:53 UTC] passownz at gmail dot com
Hi, any update?
 [2018-01-02 03:54 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-01-02 04:27 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73ca9b37731dd9690ffd9706333b17eaf90ea091
Log: Fix bug #74782: remove file name from output to avoid XSS
 [2018-01-02 04:27 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2018-01-02 05:25 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=73ca9b37731dd9690ffd9706333b17eaf90ea091
Log: Fix bug #74782: remove file name from output to avoid XSS
 [2018-01-02 06:32 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e1532dd868a5bc80c85dcbdfb537035978234499
Log: Fix bug #74782: remove file name from output to avoid XSS
 [2018-01-02 22:06 UTC] pollita@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c269b1042343881576d26d2f81875bd6940bc620
Log: Fix bug #74782: remove file name from output to avoid XSS
 [2018-01-03 02:03 UTC] pollita@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4e3f55c36272a5f29b50e1924b78e9db1b23f214
Log: Fix bug #74782: remove file name from output to avoid XSS
 [2018-01-16 09:06 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2018-5712
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Dec 12 17:01:26 2018 UTC