ID: 46804
User updated by: deminy at deminy dot net
Reported By: deminy at deminy dot net
Status: Bogus
Bug Type: Filesystem function related
Operating System: Ubuntu
PHP Version: 5.2.8

New Comment:
The bug affects at least some existing open source programs, including one famous CMS/blog system I'm using (although the bug may exist only in some outdated plugins of the system). It could be a bug in PHP. The basic hack technique was described here: http://www.astalavista.com/index.php?section=docsys&cmd=details&id=53 . By using '....../proc/self/environ%00' instead of '......./proc/self/environ' as a value in $_REQUEST, the method mentioned in the article can be used to hack more open source programs, especially those that include language files in this way:

<?php include 'lang/' . $_lang . '.inc.php'; ?>

where $_lang is somehow based on user input or the client browser environment. Here is a piece of code describing how include() does not work as expected:

<?php
// The original program defines OS_PATH as its install root; it is defined here
// only so that this snippet runs on its own (assumption, not part of the report).
if (!defined('OS_PATH')) {
    define('OS_PATH', dirname(__FILE__) . '/');
}

// '%00' causes anything after it to be discarded when the variable is used for generating the file path
$_REQUEST['lang'] = '../../../../../../../../../../../../../..' . __FILE__ . '%00' . 'adafdasdfasdf';
$path = OS_PATH . 'templates/' . $_REQUEST['lang'] . '.inc.php';
$path = urldecode($path); // turns '%00' into a real NUL byte, as PHP does when it fills $_REQUEST from a query string

/**
 * $path actually points to this file (__FILE__).
 *
 * If we set $_REQUEST['lang'] to something like
 * '../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00',
 * and put some injection code in $_SERVER['HTTP_USER_AGENT'] when making the request to that
 * PHP open source program on a vulnerable server, we can gain extra permissions on that web server.
 */
echo '<pre>' . htmlentities(file_get_contents($path)) . '</pre>';
?>

Previous Comments:
------------------------------------------------------------------------
[2008-12-09 09:26:51] [EMAIL PROTECTED]

Unfortunately obvious coding errors are not PHP bugs. Never ever trust any input without filtering it.
------------------------------------------------------------------------
[2008-12-09 08:25:13] deminy at deminy dot net

'allow_url_include' has nothing to do with the bug I mentioned. The bug was not introduced by including a URL using the include/require constructs.
------------------------------------------------------------------------
[2008-12-09 04:43:12] crrodriguez at opensuse dot org

There is extensive literature out there about this, please do your homework before opening bug reports.

PS: use allow_url_include=off to prevent this problem, which is fundamentally a problem in **your code**.
------------------------------------------------------------------------
[2008-12-09 00:57:54] deminy at deminy dot net

Description:
------------
One of my web hosts was hacked some time ago. After checking access_log and doing some research online, I think it was caused by a security bug in PHP, which may make some PHP open source programs vulnerable. If a PHP program includes a file whose file name is based on user request data (e.g., include($_REQUEST['lang'] . 'inc.php');), and '/proc/self/environ' is (accidentally) readable by the Apache user on a Unix/Linux server, the server is probably vulnerable. Posting the related HTTP access log and sample code here may be a threat to sites built on some PHP open source programs. Please send me an email to request details. Thanks.
------------------------------------------------------------------------
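Added here as an illustration, not code from the bug report, from PHP itself or from the CMS the reporter mentions: the include-by-language-code pattern the whole thread is about, with the exploitable concatenation placed next to a whitelisted, realpath-checked lookup of the kind the "never trust any input" reply asks for. The temp directory, the en.inc.php fixture, the accepted language-code syntax and the sample inputs are all assumptions made for this demo.

```php
<?php
// Added example, not code from the bug report or from PHP. Temp directory, fixture
// file, whitelist syntax and sample inputs are assumptions for the demo.

// Stand-in for the application's lang/ directory, created under the system temp dir.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/lang', 0700, true);
file_put_contents($root . '/lang/en.inc.php', "<?php \$strings = array('hello' => 'Hello');\n");
define('LANG_DIR', $root . '/lang/');

// 1. The pattern from the thread. PHP URL-decodes the query string, so a "%00" in the
//    request arrives in $_REQUEST as a literal NUL byte. On PHP before 5.3.4 the path
//    was handed to the C library unchanged, which stops at the NUL: the ".inc.php"
//    suffix never reaches the kernel and "../../proc/self/environ" is what gets opened.
//    PHP 5.3.4 and later refuse paths that contain NUL (file_get_contents() returns
//    false with a warning; PHP 8 throws instead), but plain "../" traversal to any
//    file whose name happens to end in ".inc.php" still works against this code.
function vulnerable_lang_path($lang)
{
    return LANG_DIR . $lang . '.inc.php';
}

// 2. Hardened lookup: accept only the syntax a language code can have, then confirm
//    the resolved file really lives inside LANG_DIR. Both checks are needed: the
//    regex stops traversal and NUL bytes before any filesystem call; realpath()
//    catches symlinks and anything the regex author did not think of.
function safe_lang_path($lang)
{
    // $_REQUEST['lang'] may be an array (lang[]=x), so check the type first.
    if (!is_string($lang) || !preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $lang)) {
        return null;
    }
    $real = realpath(LANG_DIR . $lang . '.inc.php');
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false) {
        return null; // file does not exist, or the directory is missing
    }
    // Prefix test with the separator included, so "/app/lang_evil/x" is not accepted for "/app/lang".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs: a normal language code, one with no file, the payload from the
// thread and two plain traversal attempts. urldecode() reproduces what PHP does to
// a query-string value before it lands in $_REQUEST.
$inputs = array(
    'en',
    'de',
    urldecode('../../../../../../../../proc/self/environ%00'),
    urldecode('../../../../../../../../etc/passwd%00'),
    '../../config',
);

foreach ($inputs as $lang) {
    $safe = safe_lang_path($lang);
    // addcslashes() makes the NUL byte visible as \000 in the output.
    printf("input:      %s\n", addcslashes($lang, "\0..\37"));
    printf("vulnerable: %s\n", addcslashes(vulnerable_lang_path($lang), "\0..\37"));
    printf("hardened:   %s\n\n", $safe === null ? 'rejected' : $safe);
}

// Tidy up the demo directory.
unlink($root . '/lang/en.inc.php');
rmdir($root . '/lang');
rmdir($root);
```

Run it with `php demo.php`: only `en` comes back from safe_lang_path(), while vulnerable_lang_path() happily builds a path into /proc/self/environ or /etc/passwd for the other inputs. The point to take from the thread is that the NUL check added in PHP 5.3.4 removes one trick, not the class of bug: without the whitelist, a request for `lang=../../config` would still include config.inc.php from two directories up.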