With PHP 4.4.3 a previously fixed bug that was disclosed at the end of October 2005 by the Hardened-PHP Project was reintroduced. Again phpinfo() does not escape the content of user supplied arrays in GET, POST or COOKIE variables when it displays them which leads to an XSS vulnerability.
The phpinfo() function gives detailed information about the current environment of PHP. This includes a dump of the request variables that were sent.
When the content of the request variables is printed to the user there is a special handling for arrays that have to be printed in a recursive way. Earlier versions of PHP did not escape them before output. This was fixed in PHP 4.4.1. Later it turned out that due to output buffering it was still possible to bypass the escaping. Therefore PHP nowadays passes the write function to be used to the inner functions that are called to ensure that the output is properly escaped. This fix was created for the PHP 5 tree and later backported to PHP 4.
Unfortunately the backport was only half and therefore the inner functions accept the write function in the additional parameter, but do not use it at all. This change reintroduced the vulnerability we disclosed in October 2005 back into PHP 4.4.3
Proof of concept, exploit or instructions to reproduce
The attached exploit is a testcase for the PHP test system that is started with the command
$ make test
You can add the testcase by simply copying it into a subdirectory of the tests directory in the PHP source code. When your PHP is vulnerable the testsystem will give the following message.
PASS Classes general test [tests/classes/class_example.phpt]
PASS Classes inheritance test [tests/classes/inheritance.phpt]
FAIL [SECURITY] phpinfo() simple XSS test [tests/exploits/MOPB-08-2007.phpt]
PASS Strlen() function test [tests/func/001.phpt]
PASS Static variables in functions [tests/func/002.phpt]
To manually test for this vulnerability just call the phpinfo() page with a parameter like this.
This vulnerability is a good example why proof of concept exploits in form of testcases need to be added to the PHP source. With such a system in place bugs like this vulnerability would never be reintroduced.
When we tried to convince the PHP Security Response Team that this is necessary we were told that they do not want exploit tests or only hidden in some other testcases that do look harmless to cover it up.
And PLEASE do not put open phpinfo() pages on your server.