PHP phpinfo() Array Validation Bug

출처 : http://securitytracker.com/alerts/2006/Apr/1015879.html

------------------------------------------------------------------------------

PHP phpinfo() Array Validation Bug Lets Remote Users Conduct Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1015879
SecurityTracker URL: http://securitytracker.com/id?1015879
CVE Reference: CVE-2006-0996 (Links to External Site)
Date: Apr 9 2006

Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 4.4.2, 5.1.2

Description: A vulnerability was reported in PHP in the phpinfo() function. A remote user may be able to conduct cross-site scripting attacks.

The phpinfo() function does not properly filter HTML code from user-supplied input before displaying the input when an array of more than 4096 bytes is supplied. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the PHP software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][ ][][][][][][][][][][][][][][][]=[XSS]

phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]

The vulnerability resides in php_print_gpcse_array().

Maksymilian Arciemowicz (cXIb8O3) of SecurityReason.com reported this vulnerability.

The original advisory is available at:

http://securityreason.com/achievement_securityalert/ 34

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PHP software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: The vendor has issued a fixed version (5.1.3RC3), available at:

http://www.php.net/

Vendor URL: www.php.net/ (Links to External Site)

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: Maksymilian Arciemowicz <max [at] jestsper [dot] pl>

Message History: None.

--------------------------------------------------------------------------------

Source Message Contents

--------------------------------------------------------------------------------

Date: Sat, 8 Apr 2006 21:38:33 +0200
From: Maksymilian Arciemowicz <max [at] jestsper [dot] pl>
Subject: [Full-disclosure] phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2

Source: http://securityreason.com/achievement_securityalert/34

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 26.2.2006
- -Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write dynamically
generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the
PHP Conference Material is freely available.

- --- 1. Cross Site Scripting ---
In phpinfo() you can see all Varibles like:

file: standard/info.c
- -630-636---
php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
php_print_gpcse_array("_GET", sizeof("_GET")-1 TSRMLS_CC);
php_print_gpcse_array("_POST", sizeof("_POST")-1 TSRMLS_CC);
php_print_gpcse_array("_FILES", sizeof("_FILES")-1 TSRMLS_CC);
php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1 TSRMLS_CC);
php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
- -630-636---

Function php_print_gpcse_array() for any arrays check 4096b of varible.

file: standard/info.c
- -135-154---
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
zval *tmp3;
MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("<pre>");
}
php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
php_ob_get_buffer(tmp3 TSRMLS_CC);
php_end_ob_buffer(0, 0 TSRMLS_CC);

elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
PUTS(elem_esc);
efree(elem_esc);
zval_ptr_dtor(&tmp3);

if (!sapi_module.phpinfo_as_text) {
PUTS("</pre>");
}
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
- -135-154---

So if we create array longer like 4096, html tags don't be remove.

Exploit:
If in php script is function phpinfo() try create some varibles (array) like

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][]=[XSS]

or

phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, pi3, eax ;]

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAIl3Ke13X/fTO4RAo4LAJ0fBxJWN64vWrDYJEuhGkqc/OC42QCbBxip
f35+6LHjuBoqP5D2JV84ufs=
=iz3m
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

관련 링크: http://securitytracker.com/alerts/2006/Apr/1015879.html