OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
avart_at_gmx.de
Date: Fri Jul 12 2002 - 08:27:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Several problems in CARE 2002
    -------------------------------------

    # What is CARE 2002?
    CARE 2002 is a free software package for hospitals. It's based on php +
    mysql. For further information visit <http://www.care2x.com/>.

    #### include + NULL problem ####
    # Problem description
    There are several include statements which use variables passed by
    the user. So if register_globals is on and magic_quotes_gpc is off you
    are able to read any file on the webserver:
    ./main/cafenews.php:
    [...]
    include("../language/".$lang."/lang_".$lang."_newsdummy.php");
    [...]

    If $lang contains NULL (aka \0 or %00) the include statement ignores
    everything after the NULL and includes the file.
    Here's some metacode explaining the behavior:

    foobar.php looks like this:
    <?php
    include("../".$input."blubb");
    ?>

    Calling the file with the following parameter:
    foobar.php?input=bla%00bla

    results in (with enabled magic_quotes_gcp):
    <br />
    <b>Warning</b>: Failed opening '../bla\0blablubb' for inclusion
    (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on
    line
    <b>2</b><br />

    This doesn't seem to be exploitable, but what happens, if magic_quotes_gcp
    is turned off (like on php.ini-recommened, for performance reasons, without
    pointing to THIS kind of problem)?:
    <br />
    <b>Warning</b>: Failed opening '../bla' for inclusion
    (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line
    <b>2</b><br />

    Huh?! Did you get it? Everything after NULL (%00) is ignored!
    So what can we do now? We can take a look at the avaiable users:
    foobar.php?input=../../../etc/passwd%00

    Voila...
    You can open every file you want. Ok, not every file. It has to be
    readable by the http-user, like wwwrun or www.

    # And the solution?
    One can test, if a file exists with the function file_exists(). This
    function doesn't ignore the characters after NULL.
    On the other side, one could try to avoid using userdata to open a file.

    In CARE 2002 and other webapps, you are often faced to this kind of
    problem while handling language or themes files.

    # Fix?
    The authors will release a new version (1.0.0.2) at
    <http://www.care2x.com/>.
    The best way for a admin is, to enable magic_quotes_gpc and/or other
    security related options in php. For further information take a look at:
    <http://php.net/security> .
    Other options, like enable_safe_mode or open_base_dir helps you too, to
    keep your server privacy if you can't trust the executed phpcode.

    #### missing addslashes() ####

    # Problem description
    None of the data passed (there are just a few exeptions) to the mysqld
    is checked for control characters like ', " et al.
    So one is able to commit injected sql queries.
    The problem exists, when magic_quotes_gpc is turned off.

    For further information about dangerous sql queries
    see:
    *<http://www.php.net/manual/en/security.database.php#security.database.sql-injection>.
    * <http://www.google.com/search?q=sql+injection+problem>

    # And the solution?
    One can use addslashes() for _every_ data a user enters and is submitted
    to the database.
    Lazy people hope, that magic_quotes_gpc is enabled. Never expect, that an
    admin configured a webserver correct, try to start the security at
    application level.

    # Fix?
    Within the new release, the author fixed the problems.
    Turn magic_quotes_qpc on!

    ##### Credits #####
    Thanks skyp, for cross reading the text.
    For the german-speaking folk: <http://bluephod.net/>
    Sorry for the broken lines I hate webmailer :).

    -- 
    GMX - Die Kommunikationsplattform im Internet.
    http://www.gmx.net