From: ludovit at scholtz dot sk
Operating system: win, unix
PHP version: 5.1.2
PHP Bug Type: Filesystem function related
Bug description: critical bypass of include "my_dir/".$file.".data";
Description:
------------
There is a serious bug in all versions of php.
When webmaster use input variables in directories functions, like is_file,
include, ... , hacker could include his own file in system.
For example.
Someone do logs in files. Hacker is able to put in logs something like <?
phpinfo();?>. He know the path.
let say /data/log.txt
Then there is /index.php file, which contains
<?
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
include "my_lang_dir/".$_REQUEST["x"].".txt";
?>
...
Problem is when attacker use ?x=../data/log.txt%00&
function stripslashes makes from %00 chr(0)
then in is_file() fc goes my_lang_dir/../data/log.txt\0.txt
and most probably functions in os sees only my_lang_dir/../data/log.txt
and zero, as terminating char.
i think this should return false, but it return true, and continue.....
I found this error while i was testing one server, and with this i have
gained access to remote server.
Reproduce code:
---------------
?x=../data/log.txt%00&
<?
// if magic quotes are on
foreach($_REQUEST as $k=>$v) $_REQUEST[$k] = stripslashes($v);
if(is_file("my_lang_dir/".$_REQUEST["x"].".txt")
include "my_lang_dir/".$_REQUEST["x"].".txt";
?>
Expected result:
----------------
it should not include anything
Actual result:
--------------
it includes log file
--
Edit bug report at http://bugs.php.net/?id=36225&edit=1
--
Try a CVS snapshot (PHP 4.4):
http://bugs.php.net/fix.php?id=36225&r=trysnapshot44
Try a CVS snapshot (PHP 5.1):
http://bugs.php.net/fix.php?id=36225&r=trysnapshot51
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=36225&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=36225&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=36225&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=36225&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=36225&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=36225&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=36225&r=support
Expected behavior: http://bugs.php.net/fix.php?id=36225&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=36225&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=36225&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=36225&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=36225&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=36225&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=36225&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=36225&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=36225&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=36225&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=36225&r=mysqlcfg
