PHP mlog.html and mylog.html vulnerabilities
Description: | Trivially read any file on the remote system by exploiting these cgi scripts |
Author: | bryan berg <km@UNDERWORLD.NET> |
Compromise: | remotely read any httpd-readable file on the remote system |
Vulnerable Systems: | Those running vulnerable versions of the PHP distribution. |
Date: | 19 October 1997 |
Date: Sun, 19 Oct 1997 20:38:40 -0400
From: bryan berg <km@UNDERWORLD.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerability in PHP Example Logging Scripts
Whilst perusing various things included with the PHP distribution, I
noticed that there was a gaping security hole in a few of the example
scripts, specifically mlog.html and mylog.html, which allow any remote user
to read any arbitrary file on the system. (which is readable to the user
that httpd and thus PHP are running as) To top it all off, this exploit is
really easy to accomplish.
The problem lies in the line:
<?include "$screen">
in both mlog.html and mylog.html. The idea is to include a file for each
type of logging stats, however, there is no escaping of slashes, so one can
specify any file on the system.
The exploit for dummies:
http://some.stupid.isp.net/~dumbuser/cool-logs/mlog.html?screen=[fully
qualified path to any file on the system]
useful files to see are /etc/hosts.allow, /etc/passwd (for unshadowed
systems..) and just about anything else.
Temporary fix:
insert the line
<?ereg_replace("/","",$screen);>
just before the <?include... line.
This problem exists in the most current distribution of PHP; I'm willing to
bet that it's been around for a while. Hopefully, it will be officially
fixed soon... ;)
:bryan
---
bryan berg % km@underworld.net % http://www.underworld.net/~km/
system administrator, the underworld project
"i was blessed with a birth and a death and i guess
i just want some say in between" -- ani difranco
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: