From: deminy at deminy dot net
Operating system: Ubuntu
PHP version: 5.2.8
PHP Bug Type: Filesystem function related
Bug description: file related functions/constructs are vulnerable if path is based on user input
Description:
------------
One of my web hosts was hacked some time ago. After checking access_log and doing some research online, I think it was caused by a security bug in PHP, which may make some PHP open source programs vulnerable.

If a PHP program includes a file whose file name is based on user request data (e.g., "include($_REQUEST['lang'] . 'inc.php');"), and '/proc/self/environ' is (accidentally) readable by the Apache user on a Unix/Linux server, the server is probably vulnerable.

Posting the related HTTP access log and sample code here may be a threat to sites built on some PHP open source programs. Please send me an email to request details. Thanks.

--
Edit bug report at http://bugs.php.net/?id=46804&edit=1
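
A hardened form of the include pattern quoted in the report, as an added example that is not part of the original bug report or of PHP itself. The directory `lang/`, the `.inc.php` suffix, the language codes and the function name `resolve_lang_file` are assumptions made for illustration; the syntax requires PHP 7.1 or later.

```php
<?php
// Added example. LANG_DIR, ALLOWED_LANGS and DEFAULT_LANG are hypothetical values.
const LANG_DIR      = __DIR__ . '/lang';   // directory that holds the language files
const ALLOWED_LANGS = ['en', 'de', 'fr'];  // the only values a request may select
const DEFAULT_LANG  = 'en';

/**
 * Map a user-supplied language code to an include path.
 * Returns null when the value is not allowed or the file does not resolve
 * to a location inside $baseDir.
 */
function resolve_lang_file($requested, string $baseDir = LANG_DIR): ?string
{
    // Request parameters can arrive as arrays (?lang[]=x); accept strings only.
    if (!is_string($requested)) {
        return null;
    }
    // Exact-match allowlist: the request value selects a known file and is
    // never trusted as a path fragment ("../", "/proc/...", NUL bytes all fail here).
    if (!in_array($requested, ALLOWED_LANGS, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested . '.inc.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: after symlinks are resolved, the file must still
    // live under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Pattern from the report, for comparison (request data becomes the path):
//   include($_REQUEST['lang'] . 'inc.php');

// Read from one explicit source instead of $_REQUEST, fall back to the default.
$file = resolve_lang_file($_GET['lang'] ?? DEFAULT_LANG)
     ?? resolve_lang_file(DEFAULT_LANG);
if ($file === null) {
    http_response_code(500);
    exit('Language file missing');
}
include $file;
```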