출처 : http://securitytracker.com/alerts/2006/Apr/1015879.html
------------------------------------------------------------------------------
PHP phpinfo() Array Validation Bug Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1015879
SecurityTracker URL: http://securitytracker.com/id?1015879
CVE
Reference: CVE-2006-0996 (Links to External Site)
Date: Apr 9 2006
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.4.2, 5.1.2
Description: A vulnerability was reported in PHP in the phpinfo() function. A remote user may be able to conduct cross-site scripting attacks.
The phpinfo() function does not properly filter HTML code from user-supplied input before displaying the input when an array of more than 4096 bytes is supplied. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][ ][][][][][][][][][][][][][][][]=[XSS]
phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]
The vulnerability resides in php_print_gpcse_array().
Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.
The original advisory is available at:
http://securityreason.com/achievement_securityalert/ 34
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: The vendor has issued a fixed version (5.1.3RC3), available at:
Vendor URL: www.php.net/ (Links to External Site)
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: Maksymilian Arciemowicz <max [at] jestsper [dot] pl>
Message History: None.
--------------------------------------------------------------------------------
Source Message Contents
--------------------------------------------------------------------------------
Date: Sat, 8 Apr 2006 21:38:33 +0200
From: Maksymilian Arciemowicz <max [at] jestsper [dot] pl>
Subject:
[Full-disclosure] phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2
Source: http://securityreason.com/achievement_securityalert/34
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written:
26.2.2006
- -Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much
of its syntax is borrowed
from C, Java and Perl with a couple of unique
PHP-specific features thrown
in. The goal of the language is to allow web
developers to write dynamically
generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php
on the Zend website. Also, much of the
PHP Conference Material is freely
available.
- --- 1. Cross Site Scripting ---
In phpinfo() you can see all Varibles
like:
file: standard/info.c
- -630-636---
php_print_gpcse_array("_REQUEST",
sizeof("_REQUEST")-1 TSRMLS_CC);
php_print_gpcse_array("_GET",
sizeof("_GET")-1 TSRMLS_CC);
php_print_gpcse_array("_POST", sizeof("_POST")-1
TSRMLS_CC);
php_print_gpcse_array("_FILES", sizeof("_FILES")-1
TSRMLS_CC);
php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1
TSRMLS_CC);
php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1
TSRMLS_CC);
php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
-
-630-636---
Function php_print_gpcse_array() for any arrays check 4096b of varible.
file: standard/info.c
- -135-154---
if (Z_TYPE_PP(tmp) == IS_ARRAY)
{
zval *tmp3;
MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text)
{
PUTS("<pre>");
}
php_start_ob_buffer(NULL, 4096, 1
TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
php_ob_get_buffer(tmp3
TSRMLS_CC);
php_end_ob_buffer(0, 0 TSRMLS_CC);
elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3)
TSRMLS_CC);
PUTS(elem_esc);
efree(elem_esc);
zval_ptr_dtor(&tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("</pre>");
}
} else
if (Z_TYPE_PP(tmp) != IS_STRING) {
- -135-154---
So if we create array longer like 4096, html tags don't be remove.
Exploit:
If in php script is function phpinfo() try create some varibles
(array) like
phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][]=[XSS]
or
phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]
- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
- --- 3. Greets ---
For: sp3x
and
p_e_a, pi3, eax ;]
- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz
( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason
[dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN
PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)
iD8DBQFEOAIl3Ke13X/fTO4RAo4LAJ0fBxJWN64vWrDYJEuhGkqc/OC42QCbBxip
f35+6LHjuBoqP5D2JV84ufs=
=iz3m
-----END
PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We
believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted
and sponsored by Secunia - http://secunia.com/
관련 링크: http://securitytracker.com/alerts/2006/Apr/1015879.html
'Security' 카테고리의 다른 글
gzip package security issues (0) | 2006.11.14 |
---|---|
Sendmail MIME DoS vulnerability (0) | 2006.06.30 |
util-linux and mount packages fix security issue (0) | 2006.01.12 |
php security update (1) | 2005.07.13 |
sharutils security issues (0) | 2005.05.21 |