
Multiple PHP path revelation due to bad config & coding practice



7th Feb 2002 [SBWID-5076]
COMMAND

	Multiple PHP path revelation due to bad config & coding practice

SYSTEMS AFFECTED

	PHP used as CGI on Windows platforms

PROBLEM

	From Paul Breton's [brereton_paul@btopenworld.com] advisories:

	 Problem 1
	 =========

	By appending /123 to the end of a PHP file such as

	http://somehost/database.php/123

	the PHP program will return its install path; the following message is
	displayed:

	Premature end of script headers: C:/php/php.exe

	 Problem 2
	 =========

	When a web administrator installs Apache with PHP and adds index.php to
	the Apache configuration file, Apache first looks for index.php when
	sending back the default web page for this directory. This opens up a
	security weakness that allows remote attackers to gain sensitive
	information about the directory structure of the Apache and PHP
	installation. Sending an OPTIONS request to the web server reveals the
	installation path of PHP.

	Example:

	The OPTIONS output is shown here:

	> OPTIONS / HTTP/1.1
	> Host: 192.168.1.2
	> Accept: */*

	< HTTP/1.1 500 Internal Server Error
	< Date: Sun, 03 Feb 2002 10:56:53 GMT
	< Server: Apache/2.0.28 (Win32)
	< Vary: accept-language
	< Accept-Ranges: bytes
	< Content-Length: 680
	< Connection: close
	< Content-Type: text/html; charset=ISO-8859-1

	< <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
	< <HTML>
	< <HEAD>
	< <TITLE>Server error!</TITLE>
	< <LINK REV="made" HREF="mailto:admin@192.168.1.2">
	< </HEAD>
	<
	< <BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000CC">
	< <H1>Server error!</H1>
	< <DL>
	< <DD>
	<
	<
	<
	< handler "cgi-script" not found for: C:/php/php.exe
	<
	<
	< </DL><DL><DD>
	< If you think this is a server error, please contact
	< the <A HREF="mailto:admin@192.168.1.2">Webmaster</A>
	<
	< </DL>
	<
	< <H2>Error 500</H2>
	< <DL>
	< <DD>
	< <ADDRESS>
	< <A HREF="/">192.168.1.2</A>
	< <BR>
	<
	< <small>02/03/02 10:56:53</small>
	< <BR>
	< <small>Apache/2.0.28 (Win32)</small>
	< </ADDRESS>
	< </DL>
	< </BODY>
	< </HTML>
	<

	As you can see the line "handler "cgi-script" not found for:
	C:/php/php.exe" reveals the install path of PHP.
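	A check an operator can run against captured error pages from their own
	server, added here as an example that is not part of the advisory: it
	scans a response body for the kind of filesystem path that leaked in the
	transcript above. The three sample bodies are constructed for the
	example (the first reuses the leaking line from the transcript), and
	find_leaked_paths() is the example's own function, not anything the
	advisory or PHP provides.

```php
<?php
// Added example (not from the advisory): flag filesystem paths that a
// web server's error pages hand back to the client. Run it over bodies
// captured from your own server's 4xx/5xx responses; any hit means an
// error page is giving away install or document-root locations.

/**
 * Return every filesystem path found in $body, or an empty array.
 * Matches Windows drive paths (C:/..., C:\...) and absolute Unix paths
 * that end in a file name with an extension, which is what PHP and
 * Apache error messages typically contain.
 */
function find_leaked_paths($body)
{
    $patterns = array(
        // Windows: drive letter, slash or backslash, then path characters
        '~\b[A-Za-z]:[\\\\/][^\s"\'<>]+~',
        // Unix: /dir/.../file.ext with at least one directory component;
        // the lookbehind keeps it from re-matching the tail of a C:/ path
        '~(?<![\w/:])/(?:[\w.-]+/)+[\w.-]+\.\w+~',
    );
    $found = array();
    foreach ($patterns as $re) {
        if (preg_match_all($re, $body, $m)) {
            $found = array_merge($found, $m[0]);
        }
    }
    return array_values(array_unique($found));
}

// Constructed samples: the leaking 500 page from the advisory, a generic
// error page that gives nothing away, and a typical PHP include warning
// from a Unix host.
$samples = array(
    'leaking' => "<H1>Server error!</H1>\n<DD>handler \"cgi-script\" not found for: C:/php/php.exe\n</DL>",
    'clean'   => "<H1>Server error!</H1>\n<DD>Internal error. Reference #4821</DD>",
    'unix'    => "Warning: include(database.php): failed to open stream in /var/www/html/ShowData.php on line 1",
);

foreach ($samples as $name => $body) {
    $paths = find_leaked_paths($body);
    printf("%-8s %s\n", $name, $paths ? 'LEAK: ' . implode(', ', $paths) : 'ok');
}
```

	Expected: "leaking" reports C:/php/php.exe, "unix" reports
	/var/www/html/ShowData.php, and "clean" reports ok. A generic error
	page with an opaque reference number, as in the clean sample, is what
	the client should see; the real cause belongs in the server log.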
	

	 Problem 3
	 =========

	When making pages in PHP or JSP, many programmers keep include files in
	the same directory as the file calling them. Programmers can then
	include the file without having to code in the paths to the include
	file. This would allow an attacker to reveal the true path directory
	used by the server or reveal the content of the JSP file accessed.

	Examples:

	A programmer would have 2 files. The first would be ShowData.php:

	<? include('database.php'); ?>

	And the second file would obviously be called database.php with the
	code required to connect to the database.

	When a user calls http://someserver/ShowData.php the base path to
	database.php is stored in the server variable as http://someserver/ and
	so the include will load http://someserver/database.php. However, if
	you add a trailing slash to the request (i.e.
	http://someserver/ShowData.php/) the base path will be set to
	http://someserver/ShowData.php, causing the include statement to try to
	load http://someserver/ShowData.php/database.php.

	Because the include file is not found, an error is thrown back to the
	user, which will include the full path to the include file that was not
	found.

	-Also-

	JSP files work in the same way, with many pages throwing exceptions and
	showing their true path. But even more serious, it has been found that
	many JSP pages, when submitted with a trailing slash (such as form
	logins that redirect to the same page to check the login details) will
	reveal the source code of the JSP (which usually contains sensitive
	information).

SOLUTION

	Configure display_errors to 0 in the PHP configuration.

	Chris Adams also added that all these problems occur only when PHP is
	used as a CGI instead of a server module, and then only on a poorly
	configured server.

	To avoid the third problem:

	Use hard-coded directory paths in the 'include' statements you use
	(the same goes for the 'require' statements).
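	A hardened version of the ShowData.php from Problem 3, added here as an
	example that is not part of the advisory. It applies both fixes from
	this section (errors go to the log, not the browser; the include path
	is anchored rather than left to lookup) and goes one step further by
	refusing any extra path info, which also closes the /123 case from
	Problem 1. It assumes PHP 5.3 or later (for __DIR__), that database.php
	sits in the same directory as the script, and a hypothetical
	connect_db() function defined in database.php.

```php
<?php
// Added example (not from the advisory): hardened ShowData.php.
// Assumptions: PHP >= 5.3 (for __DIR__); database.php lives in the same
// directory as this file; database.php defines connect_db(), a
// hypothetical helper name used only for illustration.

// 1. Error text never reaches the browser; it goes to the server log.
//    These calls do for a single script what "display_errors = 0" and
//    "log_errors = On" do in php.ini.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Refuse requests such as /ShowData.php/ or /ShowData.php/123
//    before doing any work: the script only ever serves its own URL.
if (!empty($_SERVER['PATH_INFO'])) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}

// 3. Anchor the include on this file's own directory, not on the
//    include_path or on how the script was requested, so the resolved
//    file name cannot vary from request to request.
$includeFile = realpath(__DIR__ . DIRECTORY_SEPARATOR . 'database.php');

// 4. Fail closed with a generic message; the real reason is logged
//    server-side and no filesystem path is echoed to the client.
if ($includeFile === false || !is_readable($includeFile)) {
    error_log('ShowData.php: database.php is missing or unreadable');
    header('HTTP/1.1 500 Internal Server Error');
    exit('Internal error');
}
require_once $includeFile;

$db = connect_db();   // hypothetical helper from database.php
```

	The two settings in step 1 belong in php.ini on a production host; the
	ini_set() calls are a per-script fallback for servers where the
	administrator cannot edit it. Step 3 is the "hard-coded directory path"
	the advisory recommends, expressed relative to the calling file so the
	script survives being moved between hosts.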
