PHP 5.2.0 bug
<P>Обнаружена возможность выхода за пределы корневой директории, заданной через ограничения Safe Mode/open_basedir в PHP 5.2, через установку некорректных значений в session.save_path.</P>
<P> Advisory Text :<BR> -----BEGIN PGP SIGNED MESSAGE-----<BR>Hash: SHA1</P>
<P>[PHP 5.2.0 session.save_path safe_mode and open_basedir bypass]</P>
<P><BR>Author: Maksymilian Arciemowicz (SecurityReason)<BR>Date:<BR>- - Written: 02.10.2006<BR>- - Public: 08.12.2006<BR>SecurityAlert Id: 43<BR>CVE: CVE-2006-6383<BR>SecurityRisk: High<BR>Affected Software: PHP 5.2.0<BR>Advisory URL: <A href="
http://securityreason.com/achievement_securityalert/43">http://securityreason.com/achievement_securityalert/43</A><BR>Vendor: <A href="
http://www.php.net">http://www.php.net</A></P>
<P>- --- 0.Description ---<BR>PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and<BR>Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to<BR>allow web developers to write dynamically generated pages quickly.</P>
<P>A nice introduction to PHP by Stig Sather Bakken can be found at<BR><A href="
http://www.zend.com/zend/art/intro.php">http://www.zend.com/zend/art/intro.php</A> on the Zend website. Also, much of the PHP Conference<BR>Material is freely available. </P>
<P>Session support in PHP consists of a way to preserve certain data across subsequent accesses.<BR>This enables you to build more customized applications and increase the appeal of your web<BR>site.</P>
<P>A visitor accessing your web site is assigned a unique id, the so-called session id. This is<BR>either stored in a cookie on the user side or is propagated in the URL.</P>
<P>session.save_path defines the argument which is passed to the save handler. If you choose the<BR>default files handler, this is the path where the files are created. Defaults to /tmp. See<BR>also session_save_path().</P>
<P>There is an optional N argument to this directive that determines the number of directory<BR>levels your session files will be spread around in. For example, setting to '5;/tmp' may end<BR>up creating a session file and location like<BR>/tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If . In order to use N you must create<BR>all of these directories before use. A small shell script exists in ext/session to do this,<BR>it's called mod_files.sh. Also note that if N is used and greater than 0 then automatic<BR>garbage collection will not be performed, see a copy of php.ini for further information.<BR>Also, if you use N, be sure to surround session.save_path in "quotes" because the<BR>separator (
is also used for comments in php.ini. </P>
<P>- --- 1. session.save_path safe mode and open basedir bypass ---<BR>session.save_path can be set in ini_set(), session_save_path() function. In session.save_path<BR>there must be path where you will save yours tmp file. But syntax for session.save_path can<BR>be:</P>
<P>[/PATH]</P>
<P>OR</P>
<P>[N;/PATH]</P>
<P>N - can be a string.</P>
<P>EXAMPLES:</P>
<P>1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")<BR>2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")</P>
<P>and </P>
<P>3.<BR>session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")</P>
<P><BR>- -1477-1493--- Code from PHP520 ext/session/session.c [START]<BR>PHP_FUNCTION(session_save_path)<BR>{<BR>zval **p_name;<BR>int ac = ZEND_NUM_ARGS();<BR>char *old;</P>
<P>if (ac < 0 || ac > 1 || zend_get_parameters_ex(ac, &p_name) == FAILURE)<BR>WRONG_PARAM_COUNT;</P>
<P>old = estrdup(PS(save_path));</P>
<P>if (ac == 1) {<BR>convert_to_string_ex(p_name);<BR>zend_alter_ini_entry("session.save_path", sizeof("session.save_path"),<BR>Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME);<BR>}</P>
<P>RETVAL_STRING(old, 0);<BR>}<BR>- -1477-1493--- Code from PHP520 ext/session/session.c [END]</P>
<P>Values are set to hash_memory (but before that, safe_mode and open_basedir check this<BR>value).<BR>And if you are starting session (for example session_start()), that value from<BR>session.save_path is checked by function PS_OPEN_FUNC(files).</P>
<P>- -242-300--- Code from PHP520 ext/session/mod_files.c [START]<BR>PS_OPEN_FUNC(files)<BR>{<BR>ps_files *data;<BR>const char *p, *last;<BR>const char *argv[3];<BR>int argc = 0;<BR>size_t dirdepth = 0;<BR>int filemode = 0600;</P>
<P>if (*save_path == '\0') {<BR>/* if save path is an empty string, determine the temporary dir */<BR>save_path = php_get_temporary_directory();<BR>}</P>
<P>/* split up input parameter */<BR>last = save_path;<BR>p = strchr(save_path, ';');<BR>while (p) {<BR>argv[argc++] = last;<BR>last = ++p;<BR>p = strchr(p, ';');<BR>if (argc > 1) break;<BR>}<BR>argv[argc++] = last;</P>
<P>if (argc > 1) {<BR>errno = 0;<BR>dirdepth = (size_t) strtol(argv[0], NULL, 10);<BR>if (errno == ERANGE) {<BR>php_error(E_WARNING, <BR>"The first parameter in session.save_path is invalid");<BR>return FAILURE;<BR>}<BR>}</P>
<P>if (argc > 2) {<BR>errno = 0;<BR>filemode = strtol(argv[1], NULL, 8);<BR>if (errno == ERANGE || filemode < 0 || filemode > 07777) {<BR>php_error(E_WARNING, <BR>"The second parameter in session.save_path is invalid");<BR>return FAILURE;<BR>}<BR>}<BR>save_path = argv[argc - 1];</P>
<P>data = emalloc(sizeof(*data));<BR>memset(data, 0, sizeof(*data));</P>
<P>data->fd = -1;<BR>data->dirdepth = dirdepth;<BR>data->filemode = filemode;<BR>data->basedir_len = strlen(save_path);<BR>data->basedir = estrndup(save_path, data->basedir_len);</P>
<P>PS_SET_MOD_DATA(data);</P>
<P>return SUCCESS;<BR>}<BR>- -242-300--- Code from PHP520 ext/session/mod_files.c [END]</P>
<P>Because in session.save_path there is a NULL byte before ";", strchr() doesn't see<BR>";" and path is /DIR/WHERE/YOU/DONT/HAVE/ACCESS.</P>
<P>Problem exists because safe_mode and open_basedir check what is after ;. And it is needed to<BR>set correct path after ";".</P>
<P>- --- 2. How to fix ---<BR><A href="
http://cvs.php.net/viewcvs.cgi/php-src/NEWS">http://cvs.php.net/viewcvs.cgi/php-src/NEWS</A></P>
<P>- --- 3. Greets ---</P>
<P>For: sp3x<BR>and<BR>l5x, p_e_a, lorddav, pi3</P>
<P>- --- 4. Contact ---<BR>Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]<BR>Email: cxib [at] securityreason [dot] com<BR>GPG: <A href="
http://securityreason.com/key/Arciemowicz.Maksymilian.gpg">http://securityreason.com/key/Arciemowicz.Maksymilian.gpg</A></P>
<P>Regards <BR>SecurityReason</P>
<P>-----BEGIN PGP SIGNATURE-----<BR>Version: GnuPG v1.4.2.2 (FreeBSD)</P>
<P>iD8DBQFFedKL3Ke13X/fTO4RAms1AKCTSc8CNZmHWhXvOdjtTBcIgdHTuwCgkvrz<BR>9KnewH0rOVFfmPRx2f1x5W4=<BR>=YAP9<BR>-----END PGP SIGNATURE-----</P>
<P><A class="" href="
http://securityreason.com/achievement_securityalert/43" target=_blank>securityreason</A></P>
Ви маєте увійти під своїм обліковим записом