COMMAND

    php.cgi

SYSTEMS AFFECTED

    Systems running the mentioned CGI

PROBLEM

    Bryan Berg posted about the following vulnerability in the PHP
    Example Logging Scripts. He noticed that there was a gaping
    security hole in a few of the example scripts, specifically
    mlog.html and mylog.html, which allows any remote user to read any
    arbitrary file on the system (that is, any file readable by the
    user that httpd, and thus PHP, is running as). To top it all off,
    this exploit is really easy to accomplish. This problem exists in
    the most current distribution of PHP.

    The problem lies in the line:

        <?include "$screen">

    in both mlog.html and mylog.html.   The idea is to include a  file
    for each type of logging  stats, however, there is no  escaping of
    slashes, so one can specify any file on the system.

    The exploit for dummies:

        http://some.stupid.isp.net/~dumbuser/cool-logs/mlog.html?screen=[fully qualified path to any file on the system]

    Useful files to see are /etc/hosts.allow, /etc/passwd (for
    unshadowed systems) and just about anything else (and if your
    httpd is still running as root you may be considered a lucky guy,
    while you can't say the same for the dummy admin of that machine).

SOLUTION

    A temporary fix is to put the following block of code right before
    the <?include... line:

        <?if(ereg("\/",$screen)) {
                echo "Permission denied: path may not contain slashes.";
                Exit;
                }>
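
    The same slash test can be run over web server access logs to
    find requests that already used the hole. The script below is an
    added example, not part of the original advisory; it assumes
    Common Log Format, and the sample entries, client addresses and
    the "daily" screen name are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The two example scripts named in the advisory.
VULNERABLE_SCRIPTS = ("mlog.html", "mylog.html")
# Request line of a Common Log Format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)[^"]*"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %2F and %252F both come out as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_screen(log_line):
    """Return the decoded screen value when a request to one of the
    vulnerable scripts carries a slash in it, otherwise None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.endswith(VULNERABLE_SCRIPTS):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(value)
        if name == "screen" and "/" in value:
            return value
    return None

def scan(lines):
    """Return (client address, decoded screen value) for every flagged line."""
    hits = ((line.split(" ", 1)[0], suspicious_screen(line)) for line in lines)
    return [(ip, value) for ip, value in hits if value is not None]

# Constructed sample entries; addresses and the "daily" screen name are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/1998:10:00:00 +0000] "GET /~user/cool-logs/mlog.html?screen=daily HTTP/1.0" 200 812',
    '198.51.100.7 - - [01/Jan/1998:10:02:11 +0000] "GET /~user/cool-logs/mlog.html?screen=%2Fetc%2Fhosts.allow HTTP/1.0" 200 301',
    '198.51.100.7 - - [01/Jan/1998:10:02:40 +0000] "GET /~user/cool-logs/mylog.html?screen=%252Fetc%252Fpasswd HTTP/1.0" 200 95',
    '192.0.2.33 - - [01/Jan/1998:10:05:02 +0000] "GET /index.html?screen=/etc/passwd HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(ip, "requested", value)
```

    Double-encoded values are flagged as well, since they indicate
    probing even when the script itself would not decode them.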