PHP发现安全漏洞

php4.3.9存在字符攻击漏洞,利用此漏洞,攻击者可读取任意文件。存在于php4.3.6 ~ 4.3.9以及php5.0.0 ~ 5.0.2中的bug,攻击者可以通过构造上传文件的名称来跨越目录权限。这几个漏洞同时存在于win32及unix版本中,win32易受攻击!

Addslashes() 漏洞

在Addslashes()函数中,空字节被错误编码,当某个文件通过include或者require来包含用户输入的文件时,攻击者就可以利用此漏洞来读取文件。
Addslashes函数应该将空字节(在这篇文章中我们表示为”%00″)转化为”\0″,在php4.3.9中,空字节被转化为”\%00″,在include和require指令中所有在此之后的字符将会被忽略,攻击者可缩短include函数中要加载的文件名字。最后一个字符为反斜线,在windows系统中,反斜线是目录分割符。在php4.3.9中,反斜线前面的字符构成的文件名被加载。

攻击示例: 假设有如下代码:

$whatever addslashes($_REQUEST['whatever']);
include(
"/path/to/program/" $whatever "/header.htm"); 

攻击者就可以构造如下的url来读取boot.ini文件

http://localhost/phpscript.php?whatever=../../../../boot.ini%00

%00后的字符被忽略,所以include进来的就是/path/to/program/../../../../boot.ini

上传路径处理错误漏洞

上传文件时,php会自动去掉最后一个斜线或者反斜线前的所有内容,当攻击者上传一个文件名中包含单引号的文件时,如果这个服务器的magic_quotes为打开状态或者使用了addslash函数处理此字符串,单引号前会被加一个反斜线,因为反斜线为windows的路经分割符,攻击者就可以跨越目录。

示例:
当我们上传一个文件名为”..’file.ext”的文件时,php把它转化为”..’file.ext”,这样文件就被拷贝到了上传文件存放路径的上一级目录。

防止遭受攻击的方法是升级到php4.3.10 或者 5.0.3. 呵呵

原文:
————————————————————————-
| PHP Input Validation Vulnerabilities |
————————————————————————-

Date: 12-16-2004
Author: Daniel Fabian
Product: PHP
Vendor: PHP (http://www.php.net)
Vendor-Status: vendor contacted
Vendor-Patches: patched versions have been released

~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~

PHP version 4.3.9 is vulnerable to meta character attacks. The bug could
enable an attacker to read arbitrary files from the filesystem of a
webserver that hosts PHP scripts.

In addition PHP versions 4.3.6 until 4.3.9 as well as PHP versions 5.0.0
until 5.0.2 contain a bug that enables an attacker to manipulate the file
name of uploaded files to perform directory traversal.

While both vulnerabilities exist in windows and unix platform versions of
PHP, they can only be successfully exploited on windows systems.

~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been timely informed and has released patched versions of
the software (PHP 4.3.10/PHP 5.0.3). Those can be downloaded from

http://www.php.net

~~~~~~~~
Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~

addslashes() Vulnerability:
—————————

Scope:
PHP version 4.3.9 contains a bug in the function addslashes().
addslashes() can be used to sanitize userinput and render it thus
impossible for an attacker to influence scripts by injection meta
characters. In the default configuration, magic_quotes_gpc is set to “On”
which automagically performs addslashes() on every input value. However
because of a bug, the NULL byte is not correctly encoded by addslashes,
enabling an attacker to read arbitrary files from the file system, if user
input is used within include() or require() directives.

Details:
Addslashes should turn a NULL byte (will be written as %00 in this
advisory) into the string “\0″ (backslash zero). In version 4.3.9 the
NULL byte is encoded as “\%00″ (backslash null byte). Everything after
the NULL byte is ignored in include and require directives so that an
attacker can truncate the name of the file that is included in the PHP
script. The last character however will always be the backslash. As in
Windows the backslash is the path delimitor, this does not matter – the
file named before the backslash is still loaded.

Example:

Consider the following PHP script:

<?
$whatever 
addslashes($_REQUEST['whatever']);
include(
"/path/to/program/" $whatever "/header.htm");
?>

A malicious attacker might open the following URL, disclosing the
boot.ini file:

http://localhost/phpscript.php?whatever=../../../../boot.ini%00

The trailing backslash from the escaped \%00 does for some reason not seem
to be of concern to include().

Upload Path Traversion Vulnerability:
————————————-

Scope:
PHP automatically sanitizes the file name of uploaded files removing
everything before the last slash or backslash. This is done in order to
prevent path traversal attacks with uploaded files. However if an attacker
uploads a file containing a single quote and the attacked web server has
magic_quotes turned on (which is default configuration) or performs an
addslashes() directive on the name of the uploaded file, the quote is
prefixed with a backslash. This occurs after PHP checks for backslashes in
the filename. As the backslash is the path delimitor in windows, this
behavior enables an attacker to traverse the path by one directory level.

Example:
If a file with the name “..’file.ext” is uploaded, PHP turns the name to
“..’file.ext” and the file is uploaded to the directory below of where
the PHP script copies it.

~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to PHP version 4.3.10, respectively 5.0.3.

~~~~~~~~
Timeline
~~~~~~~~~~~~~~~~~~~~~~~~

Oct. 08: Notified vendor of addslashes vulnerability
Oct. 14: Vendor reply
Nov. 02: Notified vendor of upload vulnerability
Nov. 04: Vendor reply
Nov. 20: Problems fixed in CVS
Dec. 14: Release of patched versions 4.3.10/5.0.3

EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

~~~~~~~~
Contact
~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Büro Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 – 570
Fax.: +43 / 1 / 409 0307 – 590
Mail: office at sec-consult dot com

http://www.sec-consult.com

原文地址:w.securityfocus.com/archive/1/384663/2004-12-13/2004-12-19/0

6 Comments »

  1. send said,

    October 12, 2005 @ 3:07 pm

    You may find it interesting to visit some helpful info dedicated to- Tons of interesdting stuff!!!

  2. 虚拟主机 said,

    June 30, 2006 @ 12:44 am

    Thanks for the information. This is very useful

  3. diet pill said,

    December 20, 2006 @ 9:04 am

    diarrhea:reluctant extreme iniquities,totally reflexiveness elimination threescore:liberals

  4. click here said,

    December 23, 2006 @ 4:40 am

    clumsiness,imprison reactivity:dichotomize customized stupor

  5. canadian pharmacy said,

    December 23, 2006 @ 4:41 am

    solicit Sweeneys whittling phototypesetters consolingly Somers bewilderingly!…

  6. 网站申请 said,

    March 23, 2007 @ 4:37 pm

    菜鸟学习中,^_^

RSS feed for comments on this post

Leave a Comment