php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #76129 fix for CVE-2018-5712 may not be complete
Submitted: 2018-03-21 16:53 UTC Modified: 2018-04-29 20:47 UTC
From: scorneli at redhat dot com Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.15 OS: Fedora 27 (but probably global)
Private report: No CVE-ID: 2018-10547
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
10 + 47 = ?
Subscribe to this entry?

 
 [2018-03-21 16:53 UTC] scorneli at redhat dot com
Description:
------------
I've tested the fix for CVE-2018-5712 (http://git.php.net/?p=php-src.git;a=commit;h=4e3f55c36272a5f29b50e1924b78e9db1b23f214) and it does not appear to be sufficient for me.

The "phar_do_404()" function in ext/phar/phar_object.c also returns parts of the request unfiltered, leading to another XSS vector. I've tested this with Fedora 27's php-7.1.15 version. I've not tested a new vanilla upstream version to verify that it's affected, but I've checked the upstream git sources and they appear to be affected.

The "phar_do_403()" function shares similar code, so I've proactively changed that, too. Not tested, though.

I've attached a patch that I've used to test my theory.

I'm not sure if you guys are already aware of this issue, but I've not communicated this to any 3rd parties yet. I've also not requested a CVE ID yet.

Given that this can be easily figured by anyone testing CVE-2018-5712, I don't think that this needs any special embargo. However, if you want to embargo this, do you have a rough timeline when this would be OK for you to make public?

Thanks,

Stefan Cornelius / Red Hat Product Security

Test script:
---------------
I'm not doing anything out of the ordinary, really. Fedora 27 with default httpd/php config. The phar is a bare minimum phar package only printing phpinfo(). Although the phar file was build with a php version containing the original fix (4e3f55c36272a5f29b50e1924b78e9db1b23f214), I still can reproduce the XSS.

Expected result:
----------------
No XSS

Actual result:
--------------
XSS

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-21 16:57 UTC] scorneli at redhat dot com
I'm having problems attaching the patch (restricts my access, although I'm the reporter).

Maybe this will do as a workaround:
diff -pur php-7.1.15/ext/phar/phar_object.c php-7.1.15_patch/ext/phar/phar_object.c
--- php-7.1.15/ext/phar/phar_object.c	2018-02-28 12:19:23.000000000 +0100
+++ php-7.1.15_patch/ext/phar/phar_object.c	2018-03-21 16:59:02.846809270 +0100
@@ -307,9 +307,7 @@ static void phar_do_403(char *entry, int
 	ctr.line = "HTTP/1.0 403 Access Denied";
 	sapi_header_op(SAPI_HEADER_REPLACE, &ctr);
 	sapi_send_headers();
-	PHPWRITE("<html>\n <head>\n  <title>Access Denied</title>\n </head>\n <body>\n  <h1>403 - File ", sizeof("<html>\n <head>\n  <title>Access Denied</title>\n </head>\n <body>\n  <h1>403 - File ") - 1);
-	PHPWRITE(entry, entry_len);
-	PHPWRITE(" Access Denied</h1>\n </body>\n</html>", sizeof(" Access Denied</h1>\n </body>\n</html>") - 1);
+	PHPWRITE("<html>\n <head>\n  <title>Access Denied</title>\n </head>\n <body>\n  <h1>403 - File Access Denied</h1>\n </body>\n</html>", sizeof("<html>\n <head>\n  <title>Access Denied</title>\n </head>\n <body>\n  <h1>403 - File Access Denied</h1>\n </body>\n</html>") - 1);
 }
 /* }}} */
 
@@ -332,9 +330,7 @@ static void phar_do_404(phar_archive_dat
 	ctr.line = "HTTP/1.0 404 Not Found";
 	sapi_header_op(SAPI_HEADER_REPLACE, &ctr);
 	sapi_send_headers();
-	PHPWRITE("<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File ", sizeof("<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File ") - 1);
-	PHPWRITE(entry, entry_len);
-	PHPWRITE(" Not Found</h1>\n </body>\n</html>",  sizeof(" Not Found</h1>\n </body>\n</html>") - 1);
+	PHPWRITE("<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File Not Found</h1>\n </body>\n</html>", sizeof("<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File Not Found</h1>\n </body>\n</html>") - 1);
 }
 /* }}} */
 [2018-03-28 04:39 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-03-28 04:39 UTC] stas@php.net
Fix published in security repo as 4b7328615e1e51ba3ea79293bfd611ef7fa041fd and in https://gist.github.com/smalyshev/1e8e838c45653bb556f68af829d913ee. Please verify.
 [2018-04-03 23:34 UTC] scorneli at redhat dot com
Hi,

Are you going to get a CVE for this?
 [2018-04-04 00:01 UTC] stas@php.net
I don't think it needs separate CVE - it's the same issue, just in different place.
 [2018-04-04 14:10 UTC] scorneli at redhat dot com
There have been new PHP versions and some downstream projects released updates fixing CVE-2018-5712 already. This additional fix can't have the same CVE without possibly leading to confusion.

I can also get a CVE ID for this, just let me know. I just want to avoid dupes/race condition when requesting the ID from MITRE.

Additionally, I've tested the patch and it seems to work for me.
 [2018-04-23 20:40 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-04-23 20:41 UTC] stas@php.net
OK I guess we can request a CVE and ask to link it to the previous one (not sure how they do it)
 [2018-04-24 05:12 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2018-04-24 05:12 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2018-04-29 20:47 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2018-10547
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sat Nov 17 00:01:26 2018 UTC