From:             deminy at deminy dot net
Operating system: Ubuntu
PHP version:      5.2.8
PHP Bug Type:     Filesystem function related
Bug description:  file related functions/constructs are vulnerable if path is 
based on user input

Description:
------------
One of my web hosts was hacked some time ago. After checking access_log
and made some research online, I think it was caused by a security bug in
PHP, which may cause some PHP open source programs vulnerable.

If a PHP program include a file whose file name is based on user request
data (e.g., "include($_REQUEST['lang'] . 'inc.php';"), and
'/proc/self/environ' is (accidentally) readable by Apache user on
Unix/Linux server, the server is probably vulnerable.

Posting related HTTP access log and sample code here may be a threaten to
sites built on some PHP open source programs. Please send me an email to
request details. Thanks.


-- 
Edit bug report at http://bugs.php.net/?id=46804&edit=1
-- 
Try a CVS snapshot (PHP 5.2):        
http://bugs.php.net/fix.php?id=46804&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):        
http://bugs.php.net/fix.php?id=46804&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):        
http://bugs.php.net/fix.php?id=46804&r=trysnapshot60
Fixed in CVS:                        
http://bugs.php.net/fix.php?id=46804&r=fixedcvs
Fixed in CVS and need be documented: 
http://bugs.php.net/fix.php?id=46804&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=46804&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=46804&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=46804&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=46804&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=46804&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=46804&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=46804&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=46804&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=46804&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=46804&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=46804&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=46804&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=46804&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=46804&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=46804&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=46804&r=mysqlcfg

Reply via email to