PHP mlog.html and mylog.html vulnerabilities

Summary

Description: Trivially read any file on the remote system by exploiting these CGI scripts
Author: bryan berg <km@UNDERWORLD.NET>
Compromise: remotely read any httpd-readable file on the remote system
Vulnerable Systems: Those running vulnerable versions of the PHP distribution.
Date: 19 October 1997
Details


Date: Sun, 19 Oct 1997 20:38:40 -0400
From: bryan berg <km@UNDERWORLD.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in PHP Example Logging Scripts

Whilst perusing various things included with the PHP distribution, I
noticed that there was a gaping security hole in a few of the example
scripts, specifically mlog.html and mylog.html, which allow any remote user
to read any arbitrary file on the system (which is readable to the user
that httpd and thus PHP are running as). To top it all off, this exploit is
really easy to accomplish.

The problem lies in the line:

<?include "$screen">

in both mlog.html and mylog.html.  The idea is to include a file for each
type of logging stats; however, there is no escaping of slashes, so one can
specify any file on the system.

The exploit for dummies:

http://some.stupid.isp.net/~dumbuser/cool-logs/mlog.html?screen=[fully qualified path to any file on the system]

useful files to see are /etc/hosts.allow, /etc/passwd (for unshadowed
systems..) and just about anything else.

Temporary fix:

insert the line

<? $screen = ereg_replace("/", "", $screen); ?>

just before the <?include... line.
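As an added example (not code from the original post or from the PHP distribution), the vulnerable include pattern beside a hardened version that resolves the requested screen through a fixed allowlist, so no client-supplied path ever reaches include and nothing has to be stripped from the value. The screen names, the .inc file names and the base directory are assumed for illustration.

```php
<?php
// Vulnerable pattern from mlog.html/mylog.html: $screen comes straight
// from the query string, so a request like ?screen=/etc/passwd makes
// include read that file verbatim.
function vulnerable_screen(string $screen): void
{
    include "$screen";
}

// Hardened: map short screen names to known files. Anything not in the
// map is rejected, so the client never controls a path.
// (File names below are assumed for this example.)
const SCREENS = [
    'daily'   => 'daily.inc',
    'monthly' => 'monthly.inc',
    'hosts'   => 'hosts.inc',
];

// Returns the absolute path of the allowed file, or null if the name is
// unknown or the file does not resolve to somewhere under $baseDir.
function resolve_screen(string $screen, string $baseDir): ?string
{
    if (!array_key_exists($screen, SCREENS)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . SCREENS[$screen]);
    // Defence in depth: even if the map is edited carelessly later,
    // refuse anything that resolves outside the base directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function hardened_screen(string $screen, string $baseDir): void
{
    $path = resolve_screen($screen, $baseDir);
    if ($path === null) {
        http_response_code(400);
        echo "unknown screen";
        return;
    }
    include $path;
}

// In the log page, replacing <?include "$screen">:
hardened_screen($_GET['screen'] ?? 'daily', __DIR__);
```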

This problem exists in the most current distribution of PHP; I'm willing to
bet that it's been around for a while.  Hopefully, it will be officially
fixed soon... ;)

:bryan



---
         bryan berg % km@underworld.net % http://www.underworld.net/~km/
                  system administrator, the underworld project
               "i was blessed with a birth and a death and i guess
                 i just want some say in between" -- ani difranco


This page is part of Fyodor's exploit world.