PHP is a feature heavy web scripting language that has become widely popular. One of its many features is easy handling of file uploads from remote browsers. This functionality is very commonly used, particularly in photo gallery, auction and webmail style applications.
The way that PHP handles file uploads makes it simple to trick PHP applications into working on arbitrary files local to the server rather than files uploaded by the user. This will generally lead to a remote attacker being able to read any file on the server that can be read by the user the web server is running as, typically 'nobody'.
Credit:
The information has been provided by Secure Reality Advisories.
Impact:
This file disclosure will often lead to disclosure of PHP code, leading to disclosure of database authentication data, which may lead to machine compromise.
Explanation:
When files are uploaded to a PHP script, PHP receives the file, gives it a random name and places it into a configured temporary directory. The PHP script is given information about the file that was uploaded in the form of 4 global variables. Presuming the file field in the form was called 'hello', the 4 variables would be:
$hello = Name of temporary file (e.g '/tmp/ASHDjkjbs')
$hello_name = Name of file when it was on the remote computer (e.g 'c:\hello.tmp')
$hello_type = Mime type of file (e.g 'text/plain')
$hello_size = Size of uploaded file (e.g 2000 bytes)
The temporary file is automatically deleted at the end of the execution of the script so the PHP script usually needs to move it somewhere else. For example, it might copy the file into a blob in a MySQL database.
The problem is actually in the way PHP behaves by default. Unless deliberately configured otherwise (via register_globals = Off in php.ini) the values specified in form fields upon submission are automatically declared by their form name as global variables inside the PHP script.
If you had a form with an input field like
<INPUT TYPE="hidden" NAME="test" VALUE="12">
When the PHP script is called to handle the form input, the global variable $test is set. The problem is simple: cluttering the global namespace with user-defined input destabilizes the environment so much that it is almost impossible to write code in it securely.
Using the fact mentioned above, we can create the four variables $hello, $hello_name, $hello_type, $hello_size ourselves using form input like the following
<INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
<INPUT TYPE="hidden" NAME="hello_name" VALUE="c:\scary.txt">
<INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
<INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">
This should lead to the PHP script working on the passwd file, usually resulting in it being disclosed to the attacker.
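To show the defect from the application side, here is an added PHP example (not code from the advisory): a handler that trusts the register_globals variables for the 'hello' field, next to one that only acts on a file PHP itself received for the request. is_uploaded_file(), move_uploaded_file() and the $_FILES array are standard PHP facilities that the advisory does not mention.

```php
<?php
// Added illustration, not from the advisory. Form field is named 'hello' as above.

// Vulnerable: trusts the register_globals-populated $hello as the temp file path.
function vulnerable_handler()
{
    global $hello, $hello_name;
    // With register_globals = On, a hidden field can set $hello to any path,
    // so this reads whatever the web server user can read (e.g. /etc/passwd)
    // and echoes it back, which is the disclosure described above.
    $data = file_get_contents($hello);
    echo "Received " . htmlspecialchars($hello_name) . " (" . strlen($data) . " bytes)\n";
    echo htmlspecialchars($data);
}

// Hardened: act only on a path that PHP created for this request's upload.
function safe_handler($field, $dest_dir)
{
    // Use $_FILES rather than register_globals variables; it is populated by
    // PHP itself, not by arbitrary form fields.
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // Reject any path that is not the temp file PHP wrote for this request,
    // regardless of what the request claims.
    if (!is_uploaded_file($tmp)) {
        return false;
    }
    // Never reuse the client-supplied name when building the destination.
    $dest = $dest_dir . '/' . uniqid('upload_', true) . '.bin';
    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    return move_uploaded_file($tmp, $dest) ? $dest : false;
}
```

Turning register_globals off, as the advisory notes, removes the attacker's control of $hello; the is_uploaded_file() check protects scripts that cannot rely on that setting.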