PHP posix_access() safe_mode Restrictions Can Be Bypassed With 'http://' Prefix

SecurityTracker Alert ID: 1020327
SecurityTracker URL: http://securitytracker.com/id/1020327
CVE Reference: CVE-2008-2665
Date: Jun 19 2008
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included: Yes
Version(s): 5.2.6

Description:
A vulnerability was reported in PHP. A user can bypass safe_mode restrictions.
A user can supply a specially crafted value to the posix_access() function to bypass safe_mode restrictions. A value beginning with the 'http://' prefix can trigger the flaw.
Other functions are affected.
Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.

Impact:
A user can bypass safe_mode restrictions.

Solution:
No solution was available at the time of this entry.

Vendor URL: www.php.net/

Cause:
Access control error

Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)

Message History:
None.

Source Message Contents
Date: Wed, 18 Jun 2008 20:05:48 +0200
Subject: [Full-disclosure] PHP 5.2.6 posix_access() (posix ext) safe_mode
[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass]
Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason.com
Date:
- Written: 10.05.2008
- Public: 17.06.2008
SecurityReason Research
SecurityAlert Id: 54
CVE: CVE-2008-2665
CWE: CWE-264
SecurityRisk: Low
Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/54
Vendor: http://www.php.net

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

posix_access - Determine accessibility of a file
SYNOPSIS:
bool posix_access ( string $file [, int $mode ] )
http://pl2.php.net/manual/pl/function.posix-access.php

!!! WARNING !!!
IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. SECURITYREASON WILL NOT LIST ALL VULNERABLE FUNCTIONS

--- 1. PHP 5.2.6 posix_access() safe_mode bypass ---
Let's look at the posix_access() function:
---
PHP_FUNCTION(posix_access)
{
    long mode = 0;
    int filename_len, ret;
    char *filename, *path;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &mode) == FAILURE) {
        RETURN_FALSE;
    }

    path = expand_filepath(filename, NULL TSRMLS_CC);   /* normalised path */
    if (!path) {
        POSIX_G(last_error) = EIO;
        RETURN_FALSE;
    }

    /* open_basedir is checked against path, the safe_mode uid check against the raw filename */
    if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
        (PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) {
        efree(path);
        POSIX_G(last_error) = EPERM;
        RETURN_FALSE;
    }

    ret = access(path, mode);   /* the real operation uses the normalised path */
    efree(path);

    if (ret) {
        POSIX_G(last_error) = errno;
        RETURN_FALSE;
    }

    RETURN_TRUE;
}
---
var_dump(posix_access("http://../../../etc/passwd"));  // bool(true)
var_dump(posix_access("/etc/passwd"));                 // bool(false)

Why?
Because path = expand_filepath(filename, NULL TSRMLS_CC); turns "http://../../../etc/passwd" into path = "/etc/passwd", while
(PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) checks the raw filename "http://../../../etc/passwd".
It is the "http://" string that php_checkuid_ex() sees, so safe_mode is bypassed.
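The check-versus-use mismatch described above, modelled in C as an added example (not PHP's code): normalize_path() stands in for expand_filepath(), and policy_allows() is a hypothetical stand-in for the safe_mode uid check, applied once to the raw argument (as in the flawed function) and once to the resolved path (the fix).

```c
#include <stdio.h>
#include <string.h>

/* Model of expand_filepath(): resolve input against cwd and collapse "." and "..",
 * surplus ".." at the root staying at the root. Writes the absolute path into out. */
char *normalize_path(const char *cwd, const char *input, char *out, size_t outlen)
{
    char buf[1024], *parts[64];
    int n = 0;
    size_t used = 0;
    snprintf(buf, sizeof buf, "%s/%s", input[0] == '/' ? "" : cwd, input);
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;                       /* current dir */
        if (strcmp(tok, "..") == 0) { if (n > 0) n--; continue; }  /* parent dir */
        if (n < 64) parts[n++] = tok;
    }
    snprintf(out, outlen, "/");                                    /* result if n == 0 */
    for (int i = 0; i < n; i++) {
        int w = snprintf(out + used, outlen - used, "/%s", parts[i]);
        if (w < 0 || (size_t)w >= outlen - used) break;            /* truncated: stop */
        used += (size_t)w;
    }
    return out;
}

/* Hypothetical stand-in for php_checkuid_ex(): a policy applied to a path string,
 * here "nothing under /etc may be touched". Returns 1 if allowed. */
static int policy_allows(const char *p) { return strncmp(p, "/etc/", 5) != 0; }

/* Mirrors the flawed posix_access(): the policy sees the raw argument while
 * access() would run on the normalised path. Returns 1 if let through. */
int vulnerable_access_allowed(const char *cwd, const char *filename)
{
    char path[1024];
    normalize_path(cwd, filename, path, sizeof path);   /* what access() would get */
    return policy_allows(filename);                     /* what the check looks at */
}

/* Corrected variant: check the same path the operation will actually use. */
int fixed_access_allowed(const char *cwd, const char *filename)
{
    char path[1024];
    normalize_path(cwd, filename, path, sizeof path);
    return policy_allows(path);
}

/* Convenience: does input, resolved from cwd, equal expected? */
int resolves_to(const char *cwd, const char *input, const char *expected)
{ char out[1024]; return strcmp(normalize_path(cwd, input, out, sizeof out), expected) == 0; }
```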
--- 2. How to Fix ---
Do not rely on safe_mode as your main safety mechanism.

--- 3. Greets ---
sp3x Infospec schain p_e_a Chujwamwdupe

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl