-------------------------------------------------------------------------
| PHP Multiple Vulnerabilities |
-------------------------------------------------------------------------

Date: 12-16-2004
Author: Daniel Fabian
Product: PHP
Vendor: PHP (http://www.php.net)
Vendor-Status: vendor contacted
Vendor-Patches: patched versions have been released

~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~

PHP version 4.3.9 is vulnerable to meta character attacks. The bug could
enable an attacker to read arbitrary files from the filesystem of a
webserver that hosts PHP scripts.

In addition, PHP versions 4.3.6 through 4.3.9 as well as PHP versions 5.0.0
through 5.0.2 contain a bug that enables an attacker to manipulate the file
name of uploaded files to perform directory traversal.

While both vulnerabilities exist in the Windows and Unix versions of PHP,
they can only be successfully exploited on Windows systems.

 

~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~

The vendor was informed in a timely manner and has released patched versions
of the software (PHP 4.3.10 / PHP 5.0.3). They can be downloaded from
http://www.php.net

 

~~~~~~~~
Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~

addslashes() Vulnerability:
---------------------------

Scope:

PHP version 4.3.9 contains a bug in the function addslashes().
addslashes() can be used to sanitize user input so that an attacker cannot
influence scripts by injecting meta characters. In the default
configuration, magic_quotes_gpc is set to "On", which automatically
performs addslashes() on every input value. However, because of a bug, the
NULL byte is not correctly encoded by addslashes(), enabling an attacker to
read arbitrary files from the file system if user input is used within
include() or require() directives.

Details:

addslashes() should turn a NULL byte (written as %00 in this advisory)
into the string "\0" (backslash zero). In version 4.3.9 the NULL byte is
encoded as "\%00" (backslash null byte). Everything after the NULL byte is
ignored in include and require directives, so an attacker can truncate the
name of the file that is included in the PHP script. The last character,
however, will always be the backslash. As the backslash is the path
delimiter in Windows, this does not matter: the file named before the
backslash is still loaded.

 

Example:

Consider the following PHP script:

<?php
// Vulnerable pattern from the advisory: addslashes() is relied on to make
// a request value safe for use as a path component inside include().
$whatever = addslashes($_REQUEST['whatever']);
include("/path/to/program/" . $whatever . "/header.htm");
?>

A malicious attacker might open the following URL, disclosing the
boot.ini file:

http://localhost/phpscript.php?whatever=../../../../boot.ini%00

For reasons the author did not determine, the trailing backslash from the
escaped \%00 does not prevent include() from loading the file.

 

Upload Path Traversal Vulnerability:
------------------------------------

Scope:

PHP automatically sanitizes the file name of uploaded files by removing
everything before the last slash or backslash. This is done in order to
prevent path traversal attacks with uploaded files. However, if an attacker
uploads a file whose name contains a single quote and the attacked web
server has magic_quotes turned on (the default configuration) or performs
addslashes() on the name of the uploaded file, the quote is prefixed with a
backslash. This occurs after PHP checks for backslashes in the filename. As
the backslash is the path delimiter in Windows, this behavior enables an
attacker to traverse the path by one directory level.

Example:

If a file with the name "..'file.ext" is uploaded, PHP turns the name into
"..\'file.ext", and the file ends up one directory level above the
directory where the PHP script copies it.
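A defensive counterpart to both patterns in this advisory (user input spliced into include(), and the client-supplied name of an uploaded file), as an added example that is neither the advisory's code nor PHP project code: instead of escaping with addslashes(), a single path component is validated by rejection, and an uploaded file is stored under a server-chosen name. The function names, "/path/to/program" and the upload directory are illustrative assumptions; the code assumes PHP 5.2 or later for PATHINFO_EXTENSION, and only undoes magic_quotes escaping where get_magic_quotes_gpc() still exists (PHP 4 and 5).

```php
<?php
// Added example, not code from the advisory or from the PHP project.
// Function names, "/path/to/program" and "/var/www/uploads" are assumptions.

// Return $name only if it is a single, plain path component: no NUL byte,
// no slash or backslash, not "." or "..", and only a conservative character
// set. Rejecting is the point: addslashes() quotes strings, it does not make
// paths safe, and both bugs in the advisory hinge on bytes it mishandles
// (the NUL byte) or introduces (a backslash before a quote).
function safe_component($name)
{
    if (!is_string($name) || $name === '') {
        return null;
    }
    if (strpos($name, "\0") !== false) {          // NUL truncation
        return null;
    }
    if (preg_match('/[\\/\\\\]/', $name)) {        // any '/' or '\'
        return null;
    }
    if ($name === '.' || $name === '..') {
        return null;
    }
    // Allowlist: no quotes, so "..'file.ext" can never become "..\'file.ext".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $name)) {
        return null;
    }
    return $name;
}

// Hardened version of the advisory's include() pattern. After validating
// the component, realpath() independently confirms that the resolved file
// is still inside $base before anything is included.
function safe_include_header($base, $userValue)
{
    $component = safe_component($userValue);
    $root      = realpath($base);
    if ($component === null || $root === false) {
        return false;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $component
                          . DIRECTORY_SEPARATOR . 'header.htm');
    if ($candidate === false
        || strncmp($candidate, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    include $candidate;
    return true;
}

// Hardened upload handling: the client-supplied name is never used as a
// path. Magic-quotes escaping is undone first (PHP 4/5 only; the function is
// gone in PHP 8), only the extension is taken from the client and only if it
// is on an allowlist, and the file is stored under a server-chosen name.
function store_upload(array $file, $uploadDir)
{
    if (!isset($file['tmp_name'], $file['name'])
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    $clientName = $file['name'];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $clientName = stripslashes($clientName);
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (safe_component($ext) === null
        || !in_array($ext, array('txt', 'png', 'jpg', 'pdf'), true)) {
        return false;
    }
    $serverName = 'upload_' . md5(uniqid('', true)) . '.' . $ext;
    $target = rtrim($uploadDir, '/\\') . DIRECTORY_SEPARATOR . $serverName;
    return move_uploaded_file($file['tmp_name'], $target) ? $serverName : false;
}

// Stand-alone check against the two inputs from the advisory (constructed
// here; no web server or upload is needed to run it).
function demo()
{
    return array(
        "include: ../../../../boot.ini%00 rejected" =>
            safe_component("../../../../boot.ini\0") === null,
        "include: plain name accepted" =>
            safe_component('section1') === 'section1',
        "upload: ..\\'file.ext rejected" =>
            safe_component("..\\'file.ext") === null,
        "upload: ..'file.ext (before escaping) rejected" =>
            safe_component("..'file.ext") === null,
    );
}

foreach (demo() as $case => $ok) {
    echo ($ok ? 'OK   ' : 'FAIL ') . $case . "\n";
}
```

Run it from the command line with php; each line of output should start with OK. The design choice is that neither function ever trusts an escaped string: the include path is allowlisted and then re-checked with realpath(), and the upload name contributes nothing but an allowlisted extension, so the backslash that magic_quotes inserts before a quote has nowhere to land.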

 

~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to PHP version 4.3.10 or 5.0.3, respectively.

 

~~~~~~~~
Timeline
~~~~~~~~~~~~~~~~~~~~~~~~

Oct. 08: Notified vendor of addslashes vulnerability
Oct. 14: Vendor reply
Nov. 02: Notified vendor of upload vulnerability
Nov. 04: Vendor reply
Nov. 20: Problems fixed in CVS
Dec. 14: Release of patched versions 4.3.10/5.0.3

 

EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

~~~~~~~~
Contact
~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH
Büro Wien
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com