BugTraq
Back to list
|
Post reply
90% of programs made in PHP5 and prior Full Path Disclosure vuln.
May 14 2006 06:16AM
sirdarckcat gmail com
:Introduction:
Normally one of the last steps when accessing to a web-server is to find the url where the web is installed (more common in RFD).
This may be a hard step, if the RPD is the only bug in that server, but PHP programs have functions that unexpectedly can return lots of errors.
**** ATTENTION ****
This is a design Error made by the programmers of the affected php programms, PHP language by it is safe.
*******************
Normally a Full Path Disclosure is not dangerous, but in this case the 90% of the programs written in PHP are vulnerable.
This is a list of 21 tested programs, in their last release at 13/05/06, 19 are vulnerable:
-paFileDB - Affected
-PhpWiki - Affected (GET Data)
-CuteNews - Affected (GET Data)
-SMF - Affected (GET POST & COOKIE)
-phpBB - Not Affected
-phpNuke - Affected
-myBB - Affected (POST Data)
-phpMyAdmin - Affected
-PHProxy - Affected (Cookie & Post Data)
-phpSurveyor - Affected
-vBulletin - Affected (POST Data)
-PunBB - Affected (POST Data)
-XMB - Affected (just some files)
-IPB - Not Affected (some cases)
-Quick Forum - Affected
-FreeScene - Affected (POST Data)
-EBB - Affected (just some files)
-tinyBB - Affected (no filters xD)
-SciELO - Affected (GET Data)
-XOOPS - Affected (POST Data)
-SquirrelMail- Affected
The design-error AMAZINGLY USED is when you parse an Array into a function that spect a STRING.
The mainly bug in PHP found was:
PHPSESSID *or equivalent* equal to a null-array.
when calling the function session_start(); will return an error like:
Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /%path%/test.php on line 3
** NOTE **
This error also appears when calling with no value (that also bypass filters).
This will also bypass all cleaning functions as:
-htmlentities
-urlencode
-etc..
returning "specting T_STRING" error.
:Solution:
The only way to detect is to add to your filter the condition is_array().
Also, you have to clean with this all parameters incoming from $_REQUEST(cookie,get and post)
:Other Solution:
Disabling all errors and warnings in php.ini
:Dangereous?:
No, but a Path Disclosure can reveal sensitive information.
:Impact:
The path may contain the username of the account, includes file and path, version of software, drive were web is installed, etc..
:Note:
I repeat. THIS IS NOT DANGEROUS, its only an aditional help you are giving to hackers that already have access to your server.
:Research made by:
sirdarckcat
elhacker.net
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Normally one of the last steps when accessing to a web-server is to find the url where the web is installed (more common in RFD).
This may be a hard step, if the RPD is the only bug in that server, but PHP programs have functions that unexpectedly can return lots of errors.
**** ATTENTION ****
This is a design Error made by the programmers of the affected php programms, PHP language by it is safe.
*******************
Normally a Full Path Disclosure is not dangerous, but in this case the 90% of the programs written in PHP are vulnerable.
This is a list of 21 tested programs, in their last release at 13/05/06, 19 are vulnerable:
-paFileDB - Affected
-PhpWiki - Affected (GET Data)
-CuteNews - Affected (GET Data)
-SMF - Affected (GET POST & COOKIE)
-phpBB - Not Affected
-phpNuke - Affected
-myBB - Affected (POST Data)
-phpMyAdmin - Affected
-PHProxy - Affected (Cookie & Post Data)
-phpSurveyor - Affected
-vBulletin - Affected (POST Data)
-PunBB - Affected (POST Data)
-XMB - Affected (just some files)
-IPB - Not Affected (some cases)
-Quick Forum - Affected
-FreeScene - Affected (POST Data)
-EBB - Affected (just some files)
-tinyBB - Affected (no filters xD)
-SciELO - Affected (GET Data)
-XOOPS - Affected (POST Data)
-SquirrelMail- Affected
The design-error AMAZINGLY USED is when you parse an Array into a function that spect a STRING.
The mainly bug in PHP found was:
PHPSESSID *or equivalent* equal to a null-array.
when calling the function session_start(); will return an error like:
Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /%path%/test.php on line 3
** NOTE **
This error also appears when calling with no value (that also bypass filters).
This will also bypass all cleaning functions as:
-htmlentities
-urlencode
-etc..
returning "specting T_STRING" error.
:Solution:
The only way to detect is to add to your filter the condition is_array().
Also, you have to clean with this all parameters incoming from $_REQUEST(cookie,get and post)
:Other Solution:
Disabling all errors and warnings in php.ini
:Dangereous?:
No, but a Path Disclosure can reveal sensitive information.
:Impact:
The path may contain the username of the account, includes file and path, version of software, drive were web is installed, etc..
:Note:
I repeat. THIS IS NOT DANGEROUS, its only an aditional help you are giving to hackers that already have access to your server.
:Research made by:
sirdarckcat
elhacker.net
[ reply ]