Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] PHP File-Upload GLOBALS Overwrite Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] PHP File-Upload GLOBALS Overwrite Vulnerability
Date: 23 Aug 2006 11:26:19 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  PHP File-Upload GLOBALS Overwrite Vulnerability
------------------------------------------------------------------------


SUMMARY

PHP's GLOBALS overwrite can lead to unexpected behavior of PHP 
applications, which can lead to execution of remote PHP code in many 
situations.

DETAILS

Vulnerable Systems:
 * PHP4 version 4.4.0 and prior
 * PHP5 version 5.0.5 and prior

Immune Systems:
 * PHP4 version 4.4.1
 * PHP5 version 5.0.6

PHP is a widely-used general-purpose scripting language that is especially 
suited for Web development and can be embedded into HTML.

During the development of the Hardening-Patch which adds security 
hardening features to the PHP codebase, several vulnerabilities within PHP 
were discovered. This advisory describes one of these flaws concerning a 
weakness in the file upload code, that allows overwriting the GLOBALS 
array when register_globals is turned on. Overwriting this array can lead 
to unexpected security holes in code assumed secure.

This vulnerability has consequences for a lot of PHP applications f.e. 
everything based on PEAR.php and vBulletin. And can lead to remote PHP 
code execution.

For a detailed explanation of the $GLOBALS overwrite problem, have a look 
at the following article which describes it in more detail:  
<http://www.hardened-php.net/globals-problem> 
http://www.hardened-php.net/globals-problem

In PHP 4.3.11 some code was added to disallow overwriting the $GLOBALS 
array when register_globals is turned on. Unfortunately there was a hole 
in this protection. The introduced code did only affect the globalisation 
of the GET, POST and COOKIE variables. However it was overseen, that the 
rfc1867 file upload code within PHP also registers global variables, which 
can be used by an attacker to overwrite the $GLOBALS array by simply 
sending a multipart/form-data POST request containing a fileupload field 
with the name 'GLOBALS'.

Until now it was not realized, how dangerous the problem is. This is also 
one of the reasons why all PHP version 4.3.10 and prior packages shipped 
with various distributions are still vulnerable to the normal $GLOBALS 
overwrite, which was fixed in PHP 4.3.11.

Describing the impact of $GLOBALS overwrite vulnerabilities and why it 
does not only affect installations, where register_globals is turned on, 
why it allows remote code execution in a lot of PHP applications and why 
this is also a threat for applications that allow local file includes and 
are running in a SAFE_MODE or open_basedir environment is out of the scope 
of this advisory.

The interested reader is advised to read the following article, that 
describes this "new" bugclass a bit more detailed, with examples:  
<http://www.hardened-php.net/globals-problem> 
http://www.hardened-php.net/globals-problem

Finally it should be noted that users of our Hardening-Patch for PHP are 
not affected if they run the at least version from September.

Recommendation:
It is strongly recommended to upgrade to the new PHP-Releases as soon as 
possible, because the GLOBALS problem is very dangerous to a lot of PHP 
applications in the wild. Especially because writing a worm that f.e. uses 
this problem to exploit everything based on PEAR.php is very simple. 
Additionally we always recommend to run PHP with the Hardening-Patch 
applied, especially because it offers even more protection against 
$GLOBALS overwrites than the default PHP.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:sesser@hardened-php.net> 
Stefan Esser.
The original article can be found at:  
<http://www.hardened-php.net/advisory_202005.79.html> 
http://www.hardened-php.net/advisory_202005.79.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] PHP File-Upload GLOBALS Overwrite Vulnerability, SecuriTeam <=
Previous by Date:  [UNIX] Asterisk Multiple Vulnerabilities (AUEP and Record), SecuriTeam
Next by Date:  [NT] MDaemon POP3 Server Buffer Overflow (preauth), SecuriTeam
Previous by Thread:  [UNIX] Asterisk Multiple Vulnerabilities (AUEP and Record), SecuriTeam
Next by Thread:  [NT] MDaemon POP3 Server Buffer Overflow (preauth), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]