COMMAND

Multiple PHP path revelation due to bad configuration and coding practice

SYSTEMS AFFECTED

PHP used as CGI on Windows platforms

PROBLEM

From Paul Breton's [brereton_paul@btopenworld.com] advisories:

Problem 1
=========

By appending /123 to the end of a PHP file, such as http://somehost/database.php/123, the PHP program will return its install path; the following message is displayed:

Premature end of script headers: C:/php/php.exe

Problem 2
=========

When a web administrator installs Apache with PHP and adds index.php to the Apache configuration file, Apache first looks for index.php when sending back the default web page for this directory. This opens up a security weakness that allows remote attackers to gain sensitive information about the directory structure of the Apache and PHP installation. Sending an OPTIONS request to the web server reveals the installation path of PHP.

Example:

The OPTIONS output is shown here:

> OPTIONS / HTTP/1.1
> Host: 192.168.1.2
> Accept: */*
< HTTP/1.1 500 Internal Server Error
< Date: Sun, 03 Feb 2002 10:56:53 GMT
< Server: Apache/2.0.28 (Win32)
< Vary: accept-language
< Accept-Ranges: bytes
< Content-Length: 680
< Connection: close
< Content-Type: text/html; charset=ISO-8859-1
<
< <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
< <HTML>
< <HEAD>
< <TITLE>Server error!</TITLE>
< <LINK REV="made" HREF="mailto:admin@192.168.1.2">
< </HEAD>
<
< <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC">
< <H1>Server error!</H1>
< <DL>
< <DD>
<
<
<
<     handler "cgi-script" not found for: C:/php/php.exe
<
<
< </DL><DL><DD>
< If you think this is a server error, please contact
< the <A HREF="mailto:admin@192.168.1.2">Webmaster</A>
<
< </DL>
<
< <H2>Error 500</H2>
< <DL>
< <DD>
< <ADDRESS>
< <A HREF="/">192.168.1.2</A>
< <BR>
<
< <small>02/03/02 10:56:53</small>
< <BR>
< <small>Apache/2.0.28 (Win32)</small>
< </ADDRESS>
< </DL>
< </BODY>
< </HTML>
<

As you can see, the line "handler "cgi-script" not found for: C:/php/php.exe" reveals the install path of PHP.

Problem 3
=========

When making pages in PHP or JSP, many programmers keep include files in the same directory as the file calling them. Programmers can then include the file without having to code in the paths to the include file. This would allow an attacker to reveal the true path directory used by the server or reveal the content of the JSP file accessed.

Examples:

A programmer would have 2 files. The first would be ShowData.php:

<? include('database.php'); ?>

And the second file would obviously be called database.php, with the code required to connect to the database.

When a user calls http://someserver/ShowData.php, the base path to database.php is stored in the server variable as http://someserver/, and so the include will load http://someserver/database.php. However, if you add a trailing slash to the request (i.e. http://someserver/ShowData.php/), the base path will be set to http://someserver/ShowData.php, causing the include statement to try to load http://someserver/ShowData.php/database.php. Because the include file is not found, an error is thrown back to the user that will include the full path to the include file that was not found.

-Also-

JSP files work in the same way, with many pages throwing exceptions and showing their true path. But even more serious, it has been found that many JSP pages, when submitted with a trailing slash (such as form logins that redirect to the same page to check the login details), will reveal the source code of the JSP (which usually contains sensitive information).

SOLUTION

Configure display_errors to 0 in the PHP configuration.

Chris Adams also added that all these problems occur only when PHP is used as a CGI instead of a server module, and then only on a poorly configured server.

To bypass the third problem: use hard-coded directory paths in the 'include' statements you use (the same goes for the 'require' statements).
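As an added illustration of the two fixes above (example code written for this page, not from the advisory or its authors), here is a hardened counterpart to the ShowData.php shown in Problem 3. It assumes database.php still sits in the same directory as the calling script and that the server's error log is the intended place for diagnostics.

```php
<?php
// Added example, not from the advisory: a hardened ShowData.php.
// Assumes database.php still lives in the same directory as this script.

// Apply the advisory's first fix from within the script as well as php.ini:
// never print PHP errors to the client (they carry filesystem paths);
// send them to the error log instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Apply the second fix: build the include path from this file's own
// location rather than a bare relative name, so the lookup no longer
// depends on the request URL (e.g. /ShowData.php/ or /ShowData.php/123)
// or on the working directory the CGI binary happens to run in.
// dirname(__FILE__) is used instead of __DIR__ so the code also runs on
// the older PHP installations the advisory concerns.
$includeFile = dirname(__FILE__) . DIRECTORY_SEPARATOR . 'database.php';

// Fail closed: check for the file explicitly and answer with a generic
// message, so a missing include can never turn into a path disclosure.
if (!is_file($includeFile)) {
    error_log('ShowData.php: missing include ' . $includeFile);
    header('HTTP/1.0 500 Internal Server Error');
    exit('Internal server error');
}

require $includeFile;

// ... page logic that uses the connection set up by database.php ...
?>
```

With display_errors forced off and the path anchored to the script's directory, the trailing-slash request described in Problem 3 produces a generic 500 and a log entry rather than an error page containing C:/... paths.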