#38248 [NEW]: PHP ip2long() function circumvention

rgod at autistici dot org Sat, 29 Jul 2006 02:05:01 -0700

From:             rgod at autistici dot org
Operating system: all
PHP version:      5.1.4
PHP Bug Type:     *Network Functions
Bug description:  PHP ip2long() function circumvention


Description:
------------
--- PHP ip2long() function circumvention
--------------------------------------

tested on php 5.0.2
           "  4.3.3
--------------------------------------------------------------------------------
after some test on miniBB application (http://www.minibb.net/) I obtained
that
the php ip2long() function can be tricked to return a valid IPv4 Internet
network address instead of "-1" even if the ip address argument is not a
valid
one, through the injection of some chars, ex:

<?php
 for ($i=0; $i<=255; $i++)
 {
  echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n";
 }
?>

when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or
chr(32)

it gives the following (valid) result:

16843009

in minibb case this could result in sql injection, forging an header like
this:

X-FORWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]

or even like this:

X-FORWARDED-FOR: 1[CHR(9)]'[SQL CODE]

(however Minibb limit the string to 15 chars so you will have an unuseful
twelve
chars sql injection...)
also remember that HTTP headers is not filtered by PHP magic_quotes_gpc,
so this
could give an attacker the way to fully compromise an application

code taken from MiniBB 2.0
index.php, 248-264
/* Banned IPs/IDs stuff */
$thisIp=getIP();                      <--------------------- here $thisIp
becomes our sql code
$cen=explode('.', $thisIp);

if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){
$thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+';
$thisIpMask[1]=$cen[0].'.'.$cen[1].'.+';
}
else {
$thisIpMask[0]='0.0.0.+';
$thisIpMask[1]='0.0.0.+';
}

if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { //<-----------  $thisIp is
passed to the db_ipCheck() function
$title=$sitename." :: ".$l_accessDenied;
echo ParseTpl(makeUp('main_access_denied')); exit;
}

bb_functions.php, near lines 123-131
//--------------->
function getIP(){
$ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR');
if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1;
//<-- vulnerable code
$finalIP=substr($finalIP,0,15);
return $finalIP;
}

//--------------->

setup_mysql.php, near lines 99-105:

function db_ipCheck($thisIp,$thisIpMask,$user_id){
$res=mysql_query('select id from '.$GLOBALS['Tb'].' where
banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<---
sql injection
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");
echo mysql_error();
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;
}

--------------------------------------------------------------------------------
1.05 29/07/2006
rgod
http://retrogod.altervista.org/php_ip2long.html
--------------------------------------------------------------------------------





-- 
Edit bug report at http://bugs.php.net/?id=38248&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=38248&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): 
http://bugs.php.net/fix.php?id=38248&r=trysnapshot52
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=38248&r=trysnapshot60
Fixed in CVS:                 http://bugs.php.net/fix.php?id=38248&r=fixedcvs
Fixed in release:             
http://bugs.php.net/fix.php?id=38248&r=alreadyfixed
Need backtrace:               http://bugs.php.net/fix.php?id=38248&r=needtrace
Need Reproduce Script:        http://bugs.php.net/fix.php?id=38248&r=needscript
Try newer version:            http://bugs.php.net/fix.php?id=38248&r=oldversion
Not developer issue:          http://bugs.php.net/fix.php?id=38248&r=support
Expected behavior:            http://bugs.php.net/fix.php?id=38248&r=notwrong
Not enough info:              
http://bugs.php.net/fix.php?id=38248&r=notenoughinfo
Submitted twice:              
http://bugs.php.net/fix.php?id=38248&r=submittedtwice
register_globals:             http://bugs.php.net/fix.php?id=38248&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=38248&r=php3
Daylight Savings:             http://bugs.php.net/fix.php?id=38248&r=dst
IIS Stability:                http://bugs.php.net/fix.php?id=38248&r=isapi
Install GNU Sed:              http://bugs.php.net/fix.php?id=38248&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=38248&r=float
No Zend Extensions:           http://bugs.php.net/fix.php?id=38248&r=nozend
MySQL Configuration Error:    http://bugs.php.net/fix.php?id=38248&r=mysqlcfg

#38248 [NEW]: PHP ip2long() function circumvention

Reply via email to