-
- [ http://www.rootshell.com/ ]
-
- Whilst perusing various things included with the PHP distribution, I
- noticed that there was a gaping security hole in a few of the example
- scripts, specifically mlog.html and mylog.html, which allow any remote user
- to read any arbitrary file on the system (which is readable to the user
- that httpd, and thus PHP, is running as). To top it all off, this exploit is
- really easy to accomplish.
-
- The problem lies in the line:
-
- <?include "$screen">
-
- in both mlog.html and mylog.html. The idea is to include a file for each
- type of logging stats, however, there is no escaping of slashes, so one can
- specify any file on the system.
-
- The exploit for dummies:
-
- http://some.stupid.isp.net/~dumbuser/cool-logs/mlog.html?screen=[fully
- qualified path to any file on the system]
-
- useful files to see are /etc/hosts.allow, /etc/passwd (for unshadowed
- systems..) and just about anything else.
-
- Temporary fix:
-
- insert the line
-
- <?ereg_replace("/","",$screen);>
-
- just before the <?include... line.
-
- This problem exists in the most current distribution of PHP; I'm willing to
- bet that it's been around for a while. Hopefully, it will be officially
- fixed soon... ;)
-
- bryan
-
-
- ---------------------------------------------------------------------------------
-
-
- I wrote that fix without testing it... it does not work, I'm just a little
- slow sometimes... ;)
-
- Instead of using the ereg_replace line I submitted before, use the
- following block of code, again, right before <?include... line.
-
- <?php
- if (ereg("/", $screen)) {
-     echo "Permission denied: path may not contain slashes.";
-     exit;
- }
- ?>
-
- Sorry about that... this has been confirmed on my machine and does work.
-
- bryan
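As an added illustration (not bryan's code and not part of the PHP distribution), the vulnerable pattern from mlog.html is shown below beside a hardened replacement. The original passes the request parameter straight into `include`, which is why a fully qualified path reaches the filesystem. Rather than filtering characters out of the value, the hardened version maps a fixed set of screen names to files and refuses anything else, so no user-supplied text is ever used as a path. The screen names, the `screens/` directory and the use of `$_GET` (instead of the auto-registered `$screen` the original relies on) are assumptions made for this example.

```php
<?php
// Added example, not code from the original post.
// Screen names and file paths below are constructed for illustration.

// Vulnerable form (equivalent to the <?include "$screen"> line in mlog.html):
// whatever the client sends in ?screen= becomes the include path.
function include_screen_unsafe($screen)
{
    include "$screen";
}

// Allow-list of permitted screens. Only these keys may be requested; the
// values are the files actually included. Assumed names, not from the page.
function allowed_screens()
{
    return array(
        'hits'   => 'screens/hits.inc',
        'hosts'  => 'screens/hosts.inc',
        'agents' => 'screens/agents.inc',
    );
}

// Returns true only when $screen is exactly one of the allow-listed keys.
// Because the user value is used as an array key and never as a path,
// slashes, "..", absolute paths and NUL bytes are simply unknown keys.
function is_allowed_screen($screen)
{
    $screens = allowed_screens();
    return is_string($screen) && isset($screens[$screen]);
}

// Hardened form: resolve the name through the allow-list or refuse it.
function include_screen_safe($screen)
{
    if (!is_allowed_screen($screen)) {
        echo "Permission denied: unknown screen.";
        exit;
    }
    $screens = allowed_screens();
    include $screens[$screen];
}

// Usage in place of the original include line. Reading the parameter
// explicitly avoids depending on register_globals to populate $screen.
$screen = isset($_GET['screen']) ? $_GET['screen'] : 'hits';
include_screen_safe($screen);
?>
```

A request such as `mlog.html?screen=hosts` includes `screens/hosts.inc`; any other value, including one that names a file elsewhere on the system, is rejected before `include` runs, so the check does not depend on spotting every dangerous character in the input.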
-
-