Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Report a vulnerability that you have found to SecurityTracker
|
|
|
|
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
|
|
|
|
|
|
|
|
|
|
|
PHP.EXE Windows CGI for Apache Web Server May Let Remote Users View Files on the Server Due to Configuration Error
|
Date: Jan 4 2002
|
Impact: Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Description: SecuriTeam reported a configuration vulnerability in the PHP.EXE CGI binary for Windows platforms running Apache. A remote user can view files located anywhere on the server.
It is reported that the installation text recommends the following configuration in the httpd.conf Apache configuration file:
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"
The
ScriptAlias configuration line shown above reportedly creates a vulnerability. A remote user can specify the following type of
URL to directly execute the PHP.EXE binary.
http://[targethost]/php/php.exe
To retrieve a file from the server, the following
type of URL can be used:
http://[targethost]/php/php.exe?c:\[filepath]
It is also reported that if an executable within the
php directory is specified, that binary will be executed with the above type of URL.
SecuriTeam credits Paul Brereton with reporting
this configuration flaw.
|
Impact: A remote user can view files located on the server and may be able to execute certain binaries on the system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.php.net/ (Links to External Site)
|
Cause: Access control error, Configuration error
|
Underlying OS: Windows (Any)
|
Reported By: support@securiteam.com
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 3 Jan 2002 18:28:31 -0500
From: support@securiteam.com
Subject: [NT] Security Risk When Using the CGI Binary (PHP.EXE) Under Apache
|
The following security advisory is sent to the securiteam mailing list, and can be found at the Secur
iTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Security Risk When Using the CGI Binary (PHP.EXE) Under Apache
------------------------------------------------------------------------
SUMMARY
As advised in the installation text that comes with all versions of PHP,
when installing PHP.EXE for use on a windows machine installed with
Apache, the user should insert a few lines of code into the Apache
"httpd.conf". These exact lines are shown here:
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"
A security vulnerability arises when placing the ScriptAlias line above.
This line effectively maps the alias /php/ to your web document root such
that typing "http://www.example.com/php/" will actually try to access in
this case "c:\php\". Please note that the last "/" on the end of the URL
has to exist for this to work ("http://www.example.com/php" will not
work). At this point your server will respond with "Access Denied",
however if you now specify the URL "http://www.example.com/php/php.exe" ,
you will see the error "No input file specified". This error is actually
returned by php.exe, which you have just executed on the server.
There are many exploits that can happen with this setup (some very
serious, which could be used to gain root access).
DETAILS
Exploit 1:
It is possible to read any file remotely on the server, even across drives
with the following URL construct:
"http://www.example.com/php/php.exe?c:\winnt\repair\sam"
PHP.EXE will parse the sam file "c:\winnt\repair\sam" and return it to the
browser for download (this is the Windows NT password file).
"http://www.example.com/php/php.exe?d:\winnt\repair\sam"
PHP.EXE will return the same file on the D: drive.
The above SAM file can then be used to decrypt all the Account Passwords
for the Server.
Exploit 2:
If you specify a file that exists in the php directory (different files
exist depending on the version of PHP), the web server will try to execute
this file and will throw back an error reporting the install directory of
php. So in PHP4, for example, you would specify the following line:
"http://www.example.com/php/php4ts.dll"
The error returned by the web server would be: " couldn't create child
process: 22693: C:/php/php4ts.dll " showing the install path of PHP.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:brereton_paul@btopenworld.com> Paul Brereton.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@secu
riteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.co
m
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, con
sequential, loss of business
profits or special damages.
|
|
Go to the Top of This SecurityTracker Archive Page
|
