5430370 2000-09-04 06:22 /109 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12547>
Ärende: (SRADV00001) Arbitrary file disclosure through PHP file upload
------------------------------------------------------------
From: Secure Reality Advisories <create@SECUREREALITY.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <003201c015b0$ebabb4e0$6d32a4cb@rivrw1.nsw.optushome.com.au>
=================================================
Secure Reality Pty Ltd. Security Advisory #1 (SRADV00001)
http://www.securereality.com.au
=================================================
[Title]
Arbitrary file disclosure through PHP file upload
[Released]
04/09/2000
(We found this particular issue a while ago but were planning to
disclose it at a later date once we had a chance to investigate its
imact on most popular PHP software. However, the issue was recently
half found/disclosed by a poster on the php-general mailing list, who
didn't appear to realise its impact)
[Vulnerable]
_Almost_ any PHP program which provides file upload capability
[Overview] PHP is a feature heavy web scripting language that has
become widely popular. One of its many features is easy handling of
file uploads from remote browsers. This functionality is very
commonly used, particularly in photo gallery, auction and webmail
style applications.
The way that PHP handles file uploads makes it simple to trick PHP
applications into working on arbitrary files local to the server
rather than files uploaded by the user. This will generally lead to a
remote attacker being able to read any file on the server that can be
read by the user the web server is running as, typically 'nobody'.
[Impact]
1. File disclosure
2. (1) will often lead to disclosure of PHP code
3. (2) will often lead to disclosure of database authentication data
4. (3) may lead to machine compromise
[Detail]
When files are uploaded to a PHP script, PHP receives the file, gives it a
random name and places it into a configured temporary directory. The PHP
script is given information about the file that was uploaded in the form of
4 global variables. Presuming the file field in the form was called 'hello',
the 4 variables would be:
$hello = Name of temporary file (e.g '/tmp/ASHDjkjbs')
$hello_name = Name of file when it was on the remote computer (e.g
'c:\hello.tmp)
$hello_type = Mime type of file (e.g 'text/plain')
$hello_size = Size of uploaded file (e.g 2000 bytes)
The temporary file is automatically deleted at the end of the
execution of the script so the PHP script usually needs to move it
somewhere else. For example, it might copy the file into a blob in a
MySQL database.
The problem is actually in the way PHP behaves by default. Unless
deliberately configured otherwise (via register_globals = Off in
php.ini) the values specified in form fields upon a submit are
auctomatically declared by their form name as global variables inside
the PHP script.
If I had a form with an input field like
<INPUT TYPE="hidden" NAME="test" VALUE="12">
When the PHP script is called to handle the form input, the global
variable $test is set. In my opinion this is a significant security
risk, in fact, I'll be posting quite a few security issues based
around it in the coming weeks). The problem is simple, cluttering the
global namespace with user defined input so destablizes the
environment that it is almost impossible to write in it securely.
Back to the issue at hand. Using the fact mentioned above, we can create the
four variables $hell, $hello_name, $hello_type, $hello_size ourselves using
form input like the following
<INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
<INPUT TYPE="hidden" NAME="hello_name" VALUE="c:\scary.txt">
<INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
<INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">
This should lead the PHP script working on the passwd file, usually
resulting in it being disclosed to the attacker.
[Fix] Unfortunately, I believe this style of problem to be impossible
to fix with the default behaviour/configuration of PHP, I'll be
demonstrating this with several adviories in the next few weeks.
My suggestion to all administrators of PHP enabled boxes is to change
the register_globals in php.ini to off, and switch track_vars to
on. This will however lead to most PHP scripts breaking. In the short
term, disable any PHP scripts you have that provide file upload
functionality until the vendor of those scripts can provide a
fix/determine non vulnerability.
For PHP coders with little control over the configuration of the
boxes they work on. Hopefully track_vars has been enabled on the
box. Check if 'hello' is present in $HTTP_GET_VARS, $HTTP_POST_VARS
or $HTTP_COOKIE_VARS, if it is, ignore the input.
[Disclaimer] Advice, directions and instructions on security
vulnerabilities in this advisory do not constitute: an endorsement of
illegal behaviour; a guarantee that protection measures will work; an
endorsement of any product or solution or recommendations on behalf
of Secure Reality Pty Ltd. Content is provided as is and Secure
Reality does not accept responsibity for any damange or injury caused
as a result of its use.
(5430370) ------------------------------------------(Ombruten)
Kommentar i text 5433966 av Brevbäraren (som är implementerad i) Python
Kommentar i text 5433974 av Brevbäraren (som är implementerad i) Python
Kommentar i text 5434036 av Brevbäraren (som är implementerad i) Python
5433966 2000-09-05 02:49 /88 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12562>
Kommentar till text 5430370 av Brevbäraren (som är implementerad i) Python
Ärende: Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
------------------------------------------------------------
From: Signal 11 <signal11@MEDIAONE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <NEBBKPCNALMEJENIHFBIOEGECAAA.signal11@mediaone.net>
I have forwarded the original message to php-dev@lists.php.net,
as there was no indication the developers were copied on the
bugtraq post.
This issue is Bug ID #6496 in the PHP bug database.
Additional information is here: http://bugs.php.net/bugs.php?id=6496,
and was entered 09/01/2000.
However, the problem was discovered as early as May 15 by
hgerlach@gmx.de Original post:
http://www.php.net/manual/features.file-upload.php (about 2/3rds of
the way down in the user comments)
Also, my copy of PHP has track_vars enabled per default (as per the
php4 that ships with Mandrake 7), which was one of the recommendations
you made in your original post.
Here's how you can reproduce this on your own. Create the following
file as "test.php" on the http server running php:
<!-- test.php ##################################################### -->
<html>
<body>
<form action="<?php echo $PHP_SELF ?>" method="POST"
ENCTYPE="multipart/form-data">
<input type="file" name="userfile">
<input type="submit">
</form>
<pre>
<?php
echo("userfile =$userfile \n");
echo("userfile_name = $userfile_name \n");
echo("userfile_type = $userfile_type \n");
echo("userfile_size = $userfile_size \n");
?>
</pre>
</body>
</html>
<! -- CUT HERE #################################################### -->
Now, create a file on your LOCAL computer called test.html with
the following contents:
<!-- test.html ##################################################### -->
<html>
<body>
<form action="http://YOUR_SERVER_HERE/blah/blah/test.php"
ENCTYPE="multipart/form-data" method="POST">
<input type="file" name="userfile">
<input type="hidden" name="userfile" value="hackme">
<input type="submit">
</form>
</body>
</html>
<! -- CUT HERE #################################################### -->
Goto http://YOUR_SERVER_HERE/blah/blah/test.php and run the script,
upload any file. Note the output. Now open test.html on your LOCAL
computer and repeat the same steps you did when you were on the
server. Hit submit. Note the change in output.
Now, before you go off the deep end there is a simple one-line
workaround...
<?php
if($userfile_size != filesize($userfile)){
echo "File upload variables have been tampered with.\n";
}
?>
This will prevent most attacks, unless the filesize is the same
as the local file. Like I said - workaround.. but it is one you
can impliment in your code *now* instead of waiting for a patch.
I'm hoping the PHP guys will update the bug 6496 with either
a fix or an assignment soon...
--
Signal 11 -o- BOFH, boredengineers.com
Q: What's the difference between your project and putting wings
on an elephant? A: The elephant *might* fly.
(5433966) ------------------------------------------(Ombruten)
Kommentar i text 5434017 av Brevbäraren (som är implementerad i) Python
5434017 2000-09-05 05:10 /70 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12578>
Kommentar till text 5433966 av Brevbäraren (som är implementerad i) Python
Ärende: Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through
------------------------------------------------------------
PHP file upload
From: Rasmus Lerdorf <rasmus@LINUXCARE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0009032345020.2340-100000@thinkpad.php.net>
The fix for this particular variation of the exploit is already in
CVS and is included below. Note that this has nothing to do with
track_vars nor with register_globals despite what the bugtraq posting
said. And your user-level data validation solution is pretty good.
An attacker would have to know the exact size of a file on your
system in order to get at it. Chances are that if the exact size is
already know, the contents will be as well.
Index: php4/main/rfc1867.c
diff -u php4/main/rfc1867.c:1.38 php4/main/rfc1867.c:1.39
--- php4/main/rfc1867.c:1.38 Sat Aug 5 23:40:28 2000
+++ php4/main/rfc1867.c Sun Sep 3 22:09:46 2000
@@ -15,7 +15,7 @@
| Authors: Rasmus Lerdorf <rasmus@php.net> |
+----------------------------------------------------------------------+
*/
-/* $Id: rfc1867.c,v 1.38 2000/08/06 06:40:28 rasmus Exp $ */
+/* $Id: rfc1867.c,v 1.39 2000/09/04 05:09:46 rasmus Exp $ */
#include <stdio.h>
#include "php.h"
@@ -64,7 +64,7 @@
int eolsize;
long bytes, max_file_size = 0;
char *namebuf=NULL, *filenamebuf=NULL, *lbuf=NULL,
- *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL;
+ *abuf=NULL, *start_arr=NULL, *end_arr=NULL, *arr_index=NULL, *sbuf=NULL;
FILE *fp;
int itype, is_arr_upload=0, arr_len=0;
zval *http_post_files=NULL;
@@ -172,8 +172,10 @@
}
abuf = estrndup(namebuf, strlen(namebuf)-arr_len);
sprintf(lbuf,
"%s_name[%s]", abuf, arr_index);
+ sbuf = estrdup(abuf);
} else {
sprintf(lbuf,
"%s_name", namebuf);
+ sbuf = estrdup(abuf);
}
s = strrchr(filenamebuf, '\\');
if (s && s > filenamebuf) {
@@ -252,7 +254,11 @@
}
*(loc - 4) = '\0';
- php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+ /* Check to make sure we are not overwriting special file
+ * upload variables */
+ if(memcmp(namebuf,sbuf,strlen(sbuf))) {
+ php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+ }
/* And a little kludge to pick out special
* MAX_FILE_SIZE */
itype = php_check_ident_type(namebuf);
@@ -353,6 +359,7 @@
break;
}
}
+ if(sbuf) efree(sbuf);
SAFE_RETURN;
}
(5434017) ------------------------------------------(Ombruten)
Kommentar i text 5434009 av Brevbäraren (som är implementerad i) Python
5434009 2000-09-05 04:58 /21 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12575>
Kommentar till text 5434017 av Brevbäraren (som är implementerad i) Python
Sänt: 2000-09-05 05:10
Ärende: Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through
------------------------------------------------------------
PHP file upload The initial fix published earlier did NOT fix the
vulnerability that was discovered, and could also cause crashes under
certain circumstances. It could also cause some applications to
fail, due to a side effect that prevents certain valid form variables
from being processed correctly.
The correct, tested fixed file (without any side effects) is
available at
http://cvsweb.php.net/viewcvs.cgi/~checkout~/php4/main/rfc1867.c?rev=1.45&content-type=text/plain
The diff against version 4.0.2 is available at:
http://cvsweb.php.net/viewcvs.cgi/php4/main/rfc1867.c.diff?r1=1.38%3Aphp_4_0_2&tr1=1.1&r2=text&tr2=1.45&diff_format=u
It is also attached to this message.
Thanks to James Moore for helping me test this fix.
Zeev
(5434009) ------------------------------------------(Ombruten)
Kommentar i text 5434010 av Brevbäraren (som är implementerad i) Python
Kommentar i text 5434011 av Brevbäraren (som är implementerad i) Python
5434010 2000-09-05 04:58 /191 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12576>
Kommentar till text 5434009 av Brevbäraren (som är implementerad i) Python
Ärende: Bilaga (rfc1867.c.diff) till: Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through
------------------------------------------------------------
PHP file upload
===================================================================
RCS file: /repository/php4/main/rfc1867.c,v
retrieving revision 1.38
retrieving revision 1.45
diff -u -r1.38 -r1.45
--- php4/main/rfc1867.c 2000/08/06 06:40:28 1.38 php_4_0_2
+++ php4/main/rfc1867.c 2000/09/04 22:26:01 1.45
@@ -15,7 +15,7 @@
| Authors: Rasmus Lerdorf <rasmus@php.net> |
+----------------------------------------------------------------------+
*/
-/* $Id: rfc1867.c,v 1.38 2000/08/06 06:40:28 rasmus Exp $ */
+/* $Id: rfc1867.c,v 1.45 2000/09/04 22:26:01 zeev Exp $ */
#include <stdio.h>
#include "php.h"
@@ -28,28 +28,57 @@
#define NEW_BOUNDARY_CHECK 1
-#define SAFE_RETURN { if (namebuf) efree(namebuf); if (filenamebuf)
efree(filenamebuf); if (lbuf) efree(lbuf); if (abuf) efree(abuf);
if(arr_index) efree(arr_index); return; }
+#define SAFE_RETURN { if (namebuf) efree(namebuf); if (filenamebuf)
efree(filenamebuf); if (lbuf) efree(lbuf); if (abuf) efree(abuf);
if(arr_index) efree(arr_index);
zend_hash_destroy(&PG(rfc1867_protected_variables)); return; }
/* The longest property name we use in an uploaded file array */
#define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
+static void add_protected_variable(char *varname PLS_DC)
+{
+ int dummy=1;
+
+ zend_hash_add(&PG(rfc1867_protected_variables), varname,
strlen(varname)+1, &dummy, sizeof(int), NULL);
+}
+
+
+static zend_bool is_protected_variable(char *varname PLS_DC)
+{
+ return zend_hash_exists(&PG(rfc1867_protected_variables),
varname, strlen(varname)+1);
+}
+
+
+static void safe_php_register_variable(char *var, char *strval, zval
*track_vars_array, zend_bool override_protection ELS_DC PLS_DC)
+{
+ if (override_protection || !is_protected_variable(var PLS_CC)) {
+ php_register_variable(var, strval, track_vars_array ELS_CC PLS_CC);
+ }
+}
+
-static void register_http_post_files_variable(char *strvar, char
*val, zval *http_post_files ELS_DC PLS_DC)
+static void safe_php_register_variable_ex(char *var, zval *val, pval
*track_vars_array, zend_bool override_protection ELS_DC PLS_DC)
+{
+ if (override_protection || !is_protected_variable(var PLS_CC)) {
+ php_register_variable_ex(var, val, track_vars_array ELS_CC PLS_CC);
+ }
+}
+
+
+static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection ELS_DC PLS_DC)
{
int register_globals = PG(register_globals);
-
+
PG(register_globals) = 0;
- php_register_variable(strvar, val, http_post_files ELS_CC PLS_CC);
+ safe_php_register_variable(strvar, val, http_post_files, override_protection ELS_CC PLS_CC);
PG(register_globals) = register_globals;
}
-static void register_http_post_files_variable_ex(char *var, zval
*val, zval *http_post_files ELS_DC PLS_DC)
+static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection ELS_DC PLS_DC)
{
int register_globals = PG(register_globals);
-
+
PG(register_globals) = 0;
- php_register_variable_ex(var, val, http_post_files ELS_CC PLS_CC);
+ safe_php_register_variable_ex(var, val, http_post_files, override_protection ELS_CC PLS_CC);
PG(register_globals) = register_globals;
}
@@ -71,6 +100,8 @@
ELS_FETCH();
PLS_FETCH();
+ zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);
+
if (PG(track_vars)) {
ALLOC_ZVAL(http_post_files);
array_init(http_post_files);
@@ -78,7 +109,6 @@
PG(http_globals).post_files = http_post_files;
}
-
ptr = buf;
rem = cnt;
len = strlen(boundary);
@@ -177,9 +207,9 @@
}
s = strrchr(filenamebuf, '\\');
if (s && s > filenamebuf) {
- php_register_variable(lbuf, s+1, NULL ELS_CC PLS_CC);
+ safe_php_register_variable(lbuf, s+1, NULL, 0 ELS_CC PLS_CC);
} else {
- php_register_variable(lbuf, filenamebuf, NULL ELS_CC PLS_CC);
+ safe_php_register_variable(lbuf, filenamebuf, NULL, 0 ELS_CC PLS_CC);
}
/* Add $foo[name] */
@@ -189,9 +219,9 @@
sprintf(lbuf, "%s[name]", namebuf);
}
if (s && s > filenamebuf) {
- register_http_post_files_variable(lbuf, s+1, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable(lbuf, s+1, http_post_files, 0 ELS_CC PLS_CC);
} else {
- register_http_post_files_variable(lbuf, filenamebuf, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable(lbuf, filenamebuf, http_post_files, 0 ELS_CC PLS_CC);
}
state = 3;
@@ -221,7 +251,7 @@
} else {
sprintf(lbuf, "%s_type", namebuf);
}
- php_register_variable(lbuf, s, NULL ELS_CC PLS_CC);
+ safe_php_register_variable(lbuf, s, NULL, 0 ELS_CC PLS_CC);
/* Add $foo[type] */
if (is_arr_upload) {
@@ -229,7 +259,7 @@
} else {
sprintf(lbuf, "%s[type]", namebuf);
}
- register_http_post_files_variable(lbuf, s, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable(lbuf, s, http_post_files, 0 ELS_CC PLS_CC);
if(*s != '\0') {
*(loc2 - 1) = '\n';
}
@@ -252,7 +282,9 @@
}
*(loc - 4) = '\0';
- php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+ /* Check to make sure we are not overwriting special file
+ * upload variables */
+ safe_php_register_variable(namebuf, ptr, array_ptr, 0 ELS_CC PLS_CC);
/* And a little kludge to pick out special MAX_FILE_SIZE */
itype = php_check_ident_type(namebuf);
@@ -316,7 +348,8 @@
php_error(E_WARNING, "Only %d bytes were written, expected to write %ld", bytes, loc - ptr - 4);
}
}
- php_register_variable(namebuf, fn, NULL ELS_CC PLS_CC);
+ add_protected_variable(namebuf PLS_CC);
+ safe_php_register_variable(namebuf, fn, NULL, 1 ELS_CC PLS_CC);
/* Add $foo[tmp_name] */
if(is_arr_upload) {
@@ -324,7 +357,8 @@
} else {
sprintf(lbuf, "%s[tmp_name]", namebuf);
}
- register_http_post_files_variable(lbuf, fn, http_post_files ELS_CC PLS_CC);
+ add_protected_variable(lbuf PLS_CC);
+ register_http_post_files_variable(lbuf, fn, http_post_files, 1 ELS_CC PLS_CC);
{
zval file_size;
@@ -337,7 +371,7 @@
} else {
sprintf(lbuf, "%s_size", namebuf);
}
- php_register_variable_ex(lbuf, &file_size, NULL ELS_CC PLS_CC);
+ safe_php_register_variable_ex(lbuf, &file_size, NULL, 0 ELS_CC PLS_CC);
/* Add $foo[size] */
if(is_arr_upload) {
@@ -345,7 +379,7 @@
} else {
sprintf(lbuf, "%s[size]", namebuf);
}
- register_http_post_files_variable_ex(lbuf, &file_size, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable_ex(lbuf, &file_size, http_post_files, 0 ELS_CC PLS_CC);
}
state = 0;
rem -= (loc - ptr);
(5434010) ------------------------------------------(Ombruten)
5434011 2000-09-05 04:58 /6 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12577>
Kommentar till text 5434009 av Brevbäraren (som är implementerad i) Python
Ärende: Bilaga till: Re: [PHP-DEV] RE: (SRADV00001) Arbitrary file disclosure through
------------------------------------------------------------
PHP file upload
--
Zeev Suraski <zeev@zend.com>
http://www.zend.com/
(5434011) ------------------------------------------
Läsa nästa kommentar.
5433974 2000-09-05 03:04 /34 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12565>
Kommentar till text 5430370 av Brevbäraren (som är implementerad i) Python
Ärende: Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
------------------------------------------------------------
From: Mads Bach <bach@INDER.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <39B326C5.7D945111@inder.net>
Secure Reality Advisories wrote:
> Back to the issue at hand. Using the fact mentioned above, we can create the
> four variables $hell, $hello_name, $hello_type, $hello_size ourselves using
> form input like the following
> <INPUT TYPE="hidden" NAME="hello" VALUE="/etc/passwd">
> <INPUT TYPE="hidden" NAME="hello_name" VALUE="c:\scary.txt">
> <INPUT TYPE="hidden" NAME="hello_type" VALUE="text/plain">
> <INPUT TYPE="hidden" NAME="hello_size" VALUE="2000">
>
> This should lead the PHP script working on the passwd file, usually
> resulting in it being disclosed to the attacker.
>
> [Fix]
> Unfortunately, I believe this style of problem to be impossible to fix with
> the default behaviour/configuration of PHP, I'll be demonstrating this with
> several adviories in the next few weeks.
One simple fix (which I would recommend to all developers working in
PHP) is to check the filename ("hello" in the example above), and
make sure that it is in fact located in the temp directory. This way,
nothing vital should be available to the attacker.
Regards,
Mads Bach
--
"Honestly, OS/2 with EMX is closer to Unix than AIX is."
- Brandon S. Allbery in Scary Devil Monastery
(5433974) ------------------------------------------(Ombruten)
5434036 2000-09-05 05:28 /21 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12582>
Kommentar till text 5430370 av Brevbäraren (som är implementerad i) Python
Ärende: Re: (SRADV00001) Arbitrary file disclosure through PHP file upload
------------------------------------------------------------
From: Brian Smith <avalon73@ARTHURIAN.NU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.3.96.1000904134913.25398B-100000@camelot.arthurian.nu>
A couple things I see with this:
1) Wouldn't the same problem also exist if you turned register_globals off
and used the HTTP request value arrays?
2) It's not always a problem... it all depends on what you do with the
uploaded file. I recently did a file upload form that merely emails
the file as an attachment to a fixed address (for manual processing
later)... nobody trying to exploit the script in the way that you're
suggesting can get anything out of the script that way.
----------------------------------------------------------------------
Brian Smith // avalon73@earthling.net // http://www.arthurian.nu/
Software Developer // Gamer // Webmaster // System Administrator
Echelon Teasers: NSA CIA FBI Mossad MI5 Cocaine Cuba Revolution Espionage
(5434036) ------------------------------------------