PHProjekt lib_path及lang_path变量多个远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1193325 漏洞类型 输入验证
发布时间 2006-10-03 更新时间 2006-10-18
CVE编号 CVE-2006-5123 CNNVD-ID CNNVD-200610-023
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006100038
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-023
|漏洞详情
PHProjekt的多个脚本没有对lib_path及lang_path变量做充分的检查过滤,远程攻击者可以通过包含远程服务器上的任意文件导致执行任意代码。
|漏洞EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hardened-PHP Project
                        www.hardened-php.net

-= Security  Advisory =-

Advisory: PHProjekt (Remote) Include Vulnerabilities
 Release Date: 2006/09/29
Last Modified: 2006/09/29
       Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]]

Application: PHProjekt 5.1.1
     Severity: An unverified path may allow an attacker to inject 
               and execute arbitrary PHP code
         Risk: Critical
Vendor Status: Vendor has a released an updated version
   References: http://www.hardened-php.net/advisory_062006.129.html

Overview:

Quote from http://www.phprojekt.com
   "PHProjekt is a modular application for the coordination of group 
   activities and to share informations and document via intranet and 
   internet. Components of PHProjekt: Group calendar, project 
   management, time card system, file management, contact manager, 
   mail client and 9 other modules ...(feature list).
   PHProjekt supports many protocols like ldap, soap and webdav and is 
   available for 36 languages and 7 databases."
   
   While searching for applications that are vulnerable to a new class 
   of vulnerabilities inside PHP applications we took a quick look 
   into the current PHProjekt source code and discovered that a (remote)
   include vulnerability had been (re)introduced.
   
   By overwriting a variable with user input it is possible to inject
   and execute arbitrary PHP code. Overwriting this variable is possible
   regardless of the register_globals setting.
   
   It is recommended to install our Suhosin (http://www.suhosin.org)
   PHP extension, because it is the only solution that stops 100% of
   all URL includes. Please note that allow_url_fopen is NOT a 100%
   protection because it does NOT stop all URL types.

Details:

PHProjekt includes several files from different paths. In earlier
   versions it was possible to overwrite the base path variable 
   $path_pre from the outside and use it to include arbitrary files
   or URLs. This vulnerability had been fixed by checking the content
   of $path_pre and bailing out of the PHP script in case of an
   attack.
   
   Unfortunately the code within PHProjekt was moved around, which
   resulted in $lib_path and $lang_path beeing filles before the 
   request variables are extracted into the global namespace by the
   PHP script. (This globalisation is done by the code of PHProjekt
   and has nothing todo with PHP's register_globals feature).
   
   Because of this construction it is possible to include arbitrary
   PHP files by filling $lib_path or $lang_path through f.e. the URL.
   
   This vulnerability was now fixed by modifying all include paths
   to use constants instead of variables, because constants cannot
   be overwritten once they are set.

Proof of Concept:

The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.

Disclosure Timeline:

21. September 2006 - Contacted PHProjekt developers by email
   28. September 2006 - Updated PHProjekt was released
   29. September 2006 - Public Disclosure

Recommendation:

It is strongly recommended to upgrade to the newest version of
   PHProejekt 5.1.2 which you can download at:

http://www.phprojekt.com/download/phprojekt.tar.gz
   
   As usual we very stronlgy recommend to install our Suhosin PHP 
   extension, because it is the only solution that stops all
   PHP remote URL includes. The often advertised allow_url_fopen
   configuration directive does NOT protect against 'php://input'
   or 'data:' URL types. Suhosin additionally can stop several 
   directory traversal attacks that try to include local files.

Grab your copy and more information at:
   
   http://www.hardened-php.net/suhosin/index.html

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFHQmFRDkUzAqGSqERAsoTAJ4gmFLTcReHvo6EvtxlZXHI41tPDgCg1ppS
7THEd6ldw69+Hx9dO9zkcew=
=NXXs
-----END PGP SIGNATURE-----
|参考资料

来源:XF
名称:phprojekt-unspecified-file-include(29262)
链接:http://xforce.iss.net/xforce/xfdb/29262
来源:BID
名称:20268
链接:http://www.securityfocus.com/bid/20268
来源:BUGTRAQ
名称:20060929Advisory06/2006:PHProjekt(Remote)IncludeVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/447360/100/0/threaded
来源:www.phprojekt.com
链接:http://www.phprojekt.com/modules.php?op=modload&name=News&file=article&sid=259
来源:MISC
链接:http://www.hardened-php.net/advisory_062006.129.html
来源:VUPEN
名称:ADV-2006-3845
链接:http://www.frsirt.com/english/advisories/2006/3845
来源:SECUNIA
名称:22167
链接:http://secunia.com/advisories/22167
来源:OSVDB
名称:29290
链接:http://www.osvdb.org/29290
来源:SREASON
名称:1672
链接:http://securityreason.com/securityalert/1672