[MajorSecurity Advisory #57] PHP <=5.3 - preg_match() full path disclosure

Details
=======

Product: PHP <=5.3
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://www.php.net/
Vendor-Status: informed
Advisory-Status: published

Credits
=======

Discovered by: David Vieira-Kurz
http://www.majorsecurity.info

Affected Products:
------------------

PHP 5.3 and prior
PHP 5.2.11 and prior

Original Advisory:
==================

http://www.majorsecurity.info/index_2.php?major_rls=major_rls57

Introduction
============

"PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML."
- from php.net

More Details
============

1. Full Path Disclosure
-----------------------

There is a full path disclosure vulnerability concerning the preg_match()
PHP function which allows attackers to gather the real filesystem path of
the server-side script.

The preg_match() PHP function takes strings as parameters and raises a
warning when the values passed are arrays rather than strings. To obtain
the path of the current script, one only needs to pass the arguments as
arrays rather than the expected strings (PHP parses a query parameter
written with a trailing [], as in op[]=, into an array) and then read the
warning message generated by PHP: the error text includes the full path
of the currently running script. The warning reaches the client whenever
the script hands request data to preg_match() unchecked and PHP is
configured to display errors.

Proof of concept:

http://localhost/cms/modules/system/admin.php?fct=users&op[]=

Warning: preg_match() expects parameter 2 to be string, array given in
/htdocs/cms/include/common.php on line 105

Solution
========

I would NOT recommend reacting with "security through obscurity" alone by
turning off error messages, error reporting etc. This is not a solution on
its own because many users run their applications on shared hosting
servers where they cannot modify the "php.ini" configuration file; even
ini_set() is forbidden on some shared hosters' servers. These users would
still have the full path disclosure.

Workaround
==========

I would recommend meticulously going through the code and forcing PHP to
cast the data to the desired type, in this case with (string) casts, to
eliminate the Notice or Warning messages.

Example:

<?php
// Accepts only letters, digits, underscore and dash; returns true on a match.
// The stray space after the closing delimiter in the original pattern has
// been removed (PHP ignores whitespace in the modifier position, but it is
// easy to misread as part of the pattern).
function validate_alpha($page) {
    return preg_match("/^[A-Za-z0-9_-]+$/", $page) === 1;
}

if (isset($_GET['page'])) {
    $page = $_GET['page'];
    if (is_array($page)) {
        // An array arrived (e.g. ?page[]=): cast it so that a string, never an
        // array, reaches preg_match(). Note that PHP 5.4 and later raise an
        // "Array to string conversion" notice for this cast itself, so on
        // newer versions rejecting the parameter outright is preferable.
        $page = (string)$page;
    } else {
        $page = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
    }
    validate_alpha($page);
}
?>

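The mechanism described under More Details and the cast-based workaround above, as an added example that is not the advisory's own code: a constructed $sample_get array mimics the op[]= query string from the proof of concept, vulnerable_lookup() shows the unchecked call, and the hypothetical get_string_param() helper together with a logging-only error handler shows the defensive form. All function names are assumptions for illustration; error_log(), set_error_handler(), is_scalar() and preg_match() are standard PHP.

```php
<?php
// Constructed request data (not a real capture) mimicking ?fct=users&op[]=.
// PHP turns a parameter name with a trailing [] into an array.
$sample_get = array('fct' => 'users', 'op' => array(''));

// Vulnerable pattern: request data reaches preg_match() unchecked. With
// display_errors enabled, the warning, including the script's filesystem
// path, is written into the HTTP response. (PHP 8 raises a TypeError here
// instead of a warning; the disclosure risk is the same if errors are shown.)
function vulnerable_lookup(array $get) {
    return preg_match('/^[a-z]+$/', $get['op']);
}

// Hardened helper (assumed name): returns null for anything that is not a
// scalar, so an array can never reach a string-only function. Unlike a
// (string) cast, this also avoids the "Array to string conversion" notice
// that PHP 5.4 and later emit for casting an array.
function get_string_param(array $get, $name) {
    if (!isset($get[$name]) || !is_scalar($get[$name])) {
        return null;
    }
    return (string)$get[$name];
}

function hardened_lookup(array $get) {
    $op = get_string_param($get, 'op');
    if ($op === null) {
        return false; // a malformed parameter is treated as "no match"
    }
    return preg_match('/^[a-z]+$/', $op) === 1;
}

// Defence in depth for hosts where php.ini cannot be changed: route any
// remaining notice or warning to the server error log instead of the
// response body. The handler is installed at runtime, so it works even
// where ini_set() is disabled. Returning true suppresses PHP's default
// handler (and therefore the on-page output).
function log_only_error_handler($errno, $errstr, $errfile, $errline) {
    error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
}
set_error_handler('log_only_error_handler');

// The hardened path rejects the array silently; the vulnerable path still
// triggers the warning, but it now lands in the log rather than the page.
var_dump(hardened_lookup($sample_get));
var_dump(vulnerable_lookup($sample_get));
```

The helper is the primary fix (no array ever reaches preg_match()); the error handler only limits the damage of any call that was missed during the code review the advisory recommends.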
Vendor communication
====================

The PHP developer team has been informed of this vulnerability.

MajorSecurity
=============

MajorSecurity is a German penetration testing and security research
company which focuses on web application security. We offer professional
penetration tests, security audits, source code reviews and reliable
proof of concepts.
You will find more information about MajorSecurity at
http://www.majorsecurity.info/