lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200604082138.33555.max@jestsuper.pl>
Date: Sun Apr  9 02:20:49 2006
From: max at jestsuper.pl (Maksymilian Arciemowicz)
Subject: phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2

Source: http://securityreason.com/achievement_securityalert/34

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- -Written: 26.2.2006
- -Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed 
from C, Java and Perl with a couple of unique PHP-specific features thrown 
in. The goal of the language is to allow web developers to write dynamically 
generated pages quickly.

A nice introduction to PHP by Stig S?ther Bakken can be found at 
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the 
PHP Conference Material is freely available. 

- --- 1. Cross Site Scripting ---
In phpinfo() you can see all Varibles like:

file: standard/info.c
- -630-636---
		php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
		php_print_gpcse_array("_GET", sizeof("_GET")-1 TSRMLS_CC);
		php_print_gpcse_array("_POST", sizeof("_POST")-1 TSRMLS_CC);
		php_print_gpcse_array("_FILES", sizeof("_FILES")-1 TSRMLS_CC);
		php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1 TSRMLS_CC);
		php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
		php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
- -630-636---

Function php_print_gpcse_array() for any arrays check 4096b of varible. 

file: standard/info.c
- -135-154---
			if (Z_TYPE_PP(tmp) == IS_ARRAY) {
				zval *tmp3;
				MAKE_STD_ZVAL(tmp3);
				if (!sapi_module.phpinfo_as_text) {
					PUTS("<pre>");
				}
				php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
				zend_print_zval_r(*tmp, 0);
				php_ob_get_buffer(tmp3 TSRMLS_CC);
				php_end_ob_buffer(0, 0 TSRMLS_CC);
				
				elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
				PUTS(elem_esc);
				efree(elem_esc);
				zval_ptr_dtor(&tmp3);

				if (!sapi_module.phpinfo_as_text) {
					PUTS("</pre>");
				}
			} else if (Z_TYPE_PP(tmp) != IS_STRING) {
- -135-154---

So if we create array longer like 4096, html tags don't be remove.

Exploit:
If in php script is function phpinfo() try create some varibles (array) like

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][]=[XSS]

or 

phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]

- --- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
p_e_a, pi3, eax ;]

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFEOAIl3Ke13X/fTO4RAo4LAJ0fBxJWN64vWrDYJEuhGkqc/OC42QCbBxip
f35+6LHjuBoqP5D2JV84ufs=
=iz3m
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ