From: ieb9 at tfd dot co dot uk
Operating system: Linux RH9, Apache 2
PHP version: 4.3.10
PHP Bug Type: *General Issues
Bug description: urldecode security issue, please read before rejecting
Description:
------------
Before you say no, please read. I have recently seen a hacker install a rootkit using URL decode. It was our fault for not having the right version of phpBB..... but we did have a safe Apache install with all the right permissions and all the things in the right place and the latest kernel patch. The only reason we noticed was due to a strange hardware configuration that caused the hacker problems when they started to insert code into /dev/kmem.

However, looking at the code in phpBB and the commands they executed, I found that they could do exactly the same thing on at least 5 other PHP applications, e.g. versions of mambo, phpBugTrak, postNuke (and not just the phpBB plugin).

From what I could see the exploit only used the urldecode function and no other libraries; if this is the case, could you please fix the problem before it becomes a real issue. I think the hacker used this code to initiate the rootkit installation:
http://downloads.securityfocus.com/vulnerabilities/exploits/phpBBCodeExecExploitRUSH.pl

Reproduce code:
---------------
I don't think you really want me to post this.
Expected result:
----------------
An open TCP channel where I can get bash shell access as the apache user on the exploited box, then inject the kernel system call table and install a rootkit.

Actual result:
--------------
A hacked machine (luckily for us caught by a bit of Cisco hardware).

-- 
Edit bug report at http://bugs.php.net/?id=31759&edit=1
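The report above blames urldecode() itself. The following is an added example (editor's illustration, not code from the bug report, from phpBB or from PHP) showing the one way urldecode() is commonly involved in such bugs: PHP already percent-decodes the query string once when it builds $_GET, so an application that calls urldecode() on a $_GET value decodes it a second time, and any check performed on $_GET before that second decode can be bypassed by double encoding. The blocklist function, the parameter name `word`, and the two lookup functions are hypothetical; the inputs are constructed.

```php
<?php
// Added example: the same value passes through two decoding stages.
// Stage 1 is what PHP does for every request; stage 2 is the application's
// own urldecode() call. A check placed between them sees an already-decoded
// value, so "%2527" (double-encoded quote) reaches the check as "%27" and
// only becomes "'" after the check has passed.

// Hypothetical blocklist: reject values containing a quote or a semicolon.
function contains_dangerous_chars(string $s): bool {
    return preg_match('/[\'";]/', $s) === 1;
}

// Stage 1: simulate PHP populating $_GET from QUERY_STRING (one decode).
function build_get(string $query_string): array {
    parse_str($query_string, $params);   // percent-decodes each value once
    return $params;
}

// Vulnerable pattern: check the $_GET value, then urldecode() it again.
function lookup_check_then_decode(array $get): ?string {
    $word = $get['word'] ?? '';
    if (contains_dangerous_chars($word)) {
        return null;                      // "sanitised"
    }
    return urldecode($word);              // second decode runs after the check
}

// Safer pattern: never decode $_GET a second time; check the value you use.
function lookup_no_redecode(array $get): ?string {
    $word = $get['word'] ?? '';
    if (contains_dangerous_chars($word)) {
        return null;
    }
    return $word;
}

// Constructed inputs: a single-encoded and a double-encoded quote.
$single = build_get('word=hello%27');    // $_GET['word'] === "hello'"
$double = build_get('word=hello%2527');  // $_GET['word'] === "hello%27"

var_dump(lookup_check_then_decode($single)); // NULL: blocklist catches the quote
var_dump(lookup_check_then_decode($double)); // string(6) "hello'": quote survives
var_dump(lookup_no_redecode($double));       // string(8) "hello%27": literal, harmless
```

The point for a practitioner: urldecode() is a deterministic transformation, so a fix has to go where the decoded string is consumed, not in the decoder. Decode exactly as many times as the data was encoded (for request parameters, that usually means not calling urldecode() on $_GET or $_POST at all), and run any validation on the value in the form it will actually be used.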