PHP 5.2.6 posix_access() (posix ext) safe_mode bypass

2008.06.17
Risk: Low
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

[PHP 5.2.6 posix_access() (posix ext) safe_mode bypass ] Author: Maksymilian Arciemowicz Date: - Written: 10.05.2008 - Public: 17.06.2008 CVE: CVE-2008-2665 CWE: CWE-264 Risk: Low Affected Software: PHP 5.2.6 Vendor: http://www.php.net - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. posix_access ? Determine accessibility of a file SYNOPSIS: bool posix_access ( string $file [, int $mode ] ) http://pl2.php.net/manual/pl/function.posix-access.php !!! WARNING !!! IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. WE WILL NOT LIST ALL VULNERABLE FUNCTIONS - --- 1. PHP 5.2.6 posix_access() safe_mode bypass --- Let's see to posix_access() function - --- PHP_FUNCTION(posix_access) { long mode = 0; int filename_len, ret; char *filename, *path; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &mode) == FAILURE) { RETURN_FALSE; } path = expand_filepath(filename, NULL TSRMLS_CC); if (!path) { POSIX_G(last_error) = EIO; RETURN_FALSE; } if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) || (PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS)))) { efree(path); POSIX_G(last_error) = EPERM; RETURN_FALSE; } ret = access(path, mode); efree(path); if (ret) { POSIX_G(last_error) = errno; RETURN_FALSE; } RETURN_TRUE; } - --- var_dump(posix_access("http://../../../etc/passwd"))==True var_dump(posix_access("/etc/passwd"))==False Why? Because path = expand_filepath(filename, NULL TSRMLS_CC); will change "http://../../../etc/passwd" to path=/etc/passwd (PG(safe_mode) && (!php_checkuid_ex(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR, CHECKUID_NO_ERRORS))) will check realy path "http://../../../etc/passwd". http:// is using in php_checkuid_ex(), so safe_mode is bypassed. !!! WARNING !!! IT IS POSSIBLE TO EXPLOIT MORE FUNCTIONS WITH http: PREFIX. We WILL NOT LIST ALL VULNERABLE FUNCTIONS - --- 2. How to Fix --- Do not use safe_mode as a main safety - --- 3. Author --- Author:Maksymilian Arciemowicz


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top