Abysssec Inc Public Advisory

Title : PHP <= 5.2.9 SafeMod Bypass Vulnerability
Affected Version : Tested on 5.2.8 and 5.2.6, but previous versions may be affected
Vendor Site : www.php.net

Vulnerability Discovered by : www.abysssec.com

Description :

Another safe mode bypass vulnerability exists in PHP <= 5.2.9 on Windows.
The problem comes from OS behavior: the implementation of, and interfacing
between, PHP and the operating system's directory structure. PHP does not
distinguish between directory browsing on Linux and on Windows, which can give
an attacker the ability to execute his / her commands on the target machine
even with SafeMod On (php.ini setting).

Vulnerability :

On Linux, when you want to open a directory, for example the PHP directory, you
need to go to /usr/bin/php and you can't use \usr\bin\php. Windows, however,
does not distinguish between slash and backslash, which means there is no
difference between c:\php and c:/php. This is not a vulnerability by itself,
but because of this simple PHP implementation, the "\" character can escape
safe mode using a function like exec.
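
The separator equivalence described above is why a path confinement check written with POSIX assumptions fails open on Windows. The following is an added illustration, not code from PHP or from the advisory's PoC; the directory C:\php\safe_exec, the function names and the sample paths are constructed for the example, and Python's ntpath module is used because it applies Windows path rules on any host.

```python
import ntpath

# Constructed for this example: the only directory commands may be run from.
ALLOWED_DIR = r"C:\php\safe_exec"


def naive_is_allowed(cmd_path: str) -> bool:
    """Check written with POSIX assumptions: '/' is the only separator."""
    if not cmd_path.startswith("C:/php/safe_exec/"):
        return False
    # A '..' component is only noticed when it is delimited by '/'.
    return ".." not in cmd_path.split("/")


def canonical(path: str) -> str:
    """Canonicalize the way Windows resolves a path: '/' and '\\' are both
    separators, '.' and '..' are collapsed, comparison is case-insensitive."""
    return ntpath.normcase(ntpath.normpath(path))


def strict_is_allowed(cmd_path: str) -> bool:
    """Canonicalize first, then compare whole components with the base."""
    base, target = canonical(ALLOWED_DIR), canonical(cmd_path)
    try:
        inside = ntpath.commonpath([base, target]) == base
    except ValueError:  # relative path, or a different drive
        return False
    return inside and target != base


def disagreements(paths):
    """Return the inputs the two checks classify differently."""
    return [p for p in paths if naive_is_allowed(p) != strict_is_allowed(p)]


# Constructed sample inputs (not taken from the advisory or its PoC).
SAMPLES = [
    "C:/php/safe_exec/tool.exe",                 # plain, inside
    r"c:\PHP\safe_exec\sub/tool.exe",            # inside, mixed separators
    "C:/php/safe_exec/..\\..\\other\\tool.exe",  # leaves the directory
    r"C:\php\safe_exec_old\tool.exe",            # sibling sharing a prefix
    "tool.exe",                                  # relative path
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:45} naive={naive_is_allowed(p)} strict={strict_is_allowed(p)}")
```

Running disagreements() over logged or test inputs shows where a separator-unaware check and a canonicalizing one diverge, in both the fail-open and the false-reject direction.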

PoC / Exploit :

original : www.abysssec.com/safemod-windows.zip
mirror : https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/8799.zip (2009-safemod-windows.zip)

Note : this vulnerability is published for educational purposes only and to show
that the vulnerability exists, so the author will not be responsible for any
damage caused by using it.

For more information visit Abysssec.com
Feel free to contact me at admin [at] abysssec.com

# milw0rm.com [2009-05-26]