Nmap Development mailing list archives

Re: [NSE] PHP version disclosure (OSVDB 12184)


From: David Fifield <david () bamsoftware com>
Date: Thu, 27 May 2010 10:46:45 -0600

On Sat, May 22, 2010 at 11:01:10AM +0200, Gutek wrote:
Ref: http://osvdb.org/12184

Many webadmins when dealing with PHP and security use several tricks
such as banner falsification etc. But many don't know about a hidden
joke inside PHP: an Easter egg left behind by developers.
It can be revealed by sending a specially crafted GET query. What's
interesting is the fact that
- this Easter egg changes over time,
- in a multihosting scenario, thousands of web admins are dependent
on a PHP configuration they cannot access

So, if we know the different existing eggs and the PHP versions they
were hidden in, we can reveal a kind of information that the webadmin is
not even aware of.
Web Vuln Scanners like Nikto sometimes warn about this: "PHP reveals
potentially sensitive information via certain HTTP requests which
contain specific QUERY strings."

The queries
-----------

?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 -- shows a modified PHP logo
(gif). That's what the script (attached) tries to fetch.
?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 -- part of the phpinfo(),
shows dev' credits
?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 -- shows the Zend logo

The script
----------

It tries to fetch the modified PHP logo by GETting the special query
from the index page.
There are 5 known modified logos as of today, all GIF pictures which
have their respective first 9 hex digits (right after the GIF89a header)
different from each other.
The script captures it, md5(it) and finally compares it with already
known signatures.

Nmap scan report for 66.A5.236.132
Host is up (0.12s latency).
PORT   STATE SERVICE
80/tcp open  http
| php-easteregg: This EasterEgg Matches PHP Versions:
| 5.1.4,
|_5.2.0

This is an interesting script. Here are some ideas I have.

First, you should use the http module instead of crafting your own HTTP
request.

You can express the lookup as a table instead of a big if/else and
remove some duplication.

local lookup = {
        ["22b3e09ce849d37ec897dc3f9491e3f8"] = {"4.3.11", "4.4.0", "4.4.4", "5.0.5-2ubuntu1.1", "5.0.5-pl3-gentoo", "5.1.0", "5.1.2"},
        ["4e3838a1c92196cdfd9b20a3ffd09dad"] = {"4.3.1", "5.0.0", "5.0.3"},
        ...
}

Where did you find out the version numbers? Just by sampling different
web sites?

I recommend hashing the entire file, not just 9 bytes of it. Then a
future file that happens to match in those 9 bytes can also be detected.
But it seems to me that the PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
(phpinfo) information is more likely to change with versions than the
logo. What happens if you use that query instead? I think it would be
more discriminating.

For example, http://php.net/?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
reveals "PHP 5" and has a long list of people that might get updated
with different versions.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
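The following is an added example, not Gutek's attached script and not any script shipped with Nmap. It sketches an NSE script that applies the three suggestions from the reply above: fetch the easter-egg URL through the `http` library instead of a hand-built request, keep the signatures in a lookup table, and hash the entire response body rather than its first 9 bytes. The script name, the `GIF8` sanity check and the fallback message are assumptions. The two table keys are the hashes quoted in the reply; because they were computed over a 9-byte prefix, they will not match a whole-file MD5 and are only placeholders to be regenerated against captured logos.

```lua
-- Added example (not Gutek's script, not Nmap's own http-php-version).
-- Fingerprints an old PHP install by the easter-egg logo (OSVDB 12184).
local http      = require "http"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local table     = require "table"
local openssl   = stdnse.silent_require "openssl"

description = [[
Requests the PHP "easter egg" logo and maps the MD5 of the full response
body to the PHP versions known to ship that logo.
]]

author     = "added example"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Same rule the reply suggests: run against anything that looks like HTTP.
portrule = shortport.http

-- The modified-PHP-logo query from the thread.
local EGG_PATH = "/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42"

-- Keyed by hex MD5 of the ENTIRE body, as the reply recommends.
-- PLACEHOLDER KEYS: copied from the partial table in the reply, where they
-- were computed over only 9 bytes; regenerate them from whole GIF files.
local LOOKUP = {
  ["22b3e09ce849d37ec897dc3f9491e3f8"] = {"4.3.11", "4.4.0", "4.4.4",
    "5.0.5-2ubuntu1.1", "5.0.5-pl3-gentoo", "5.1.0", "5.1.2"},
  ["4e3838a1c92196cdfd9b20a3ffd09dad"] = {"4.3.1", "5.0.0", "5.0.3"},
}

action = function(host, port)
  local response = http.get(host, port, EGG_PATH)
  if not response or response.status ~= 200 or not response.body then
    return nil
  end

  -- A server that ignores the egg just returns its index page; only a GIF
  -- header means the egg is enabled (assumed check, not from the thread).
  if not response.body:match("^GIF8[79]a") then
    return nil
  end

  -- Hash the whole body so a future logo that shares the first 9 bytes
  -- with a known one is still told apart.
  local digest   = stdnse.tohex(openssl.md5(response.body))
  local versions = LOOKUP[digest]
  if not versions then
    return ("Easter egg enabled but logo md5 %s is not in the table"):format(digest)
  end
  return "This EasterEgg matches PHP versions: " .. table.concat(versions, ", ")
end
```

For an administrator checking their own hosts, the relevant fix is `expose_php = Off` in php.ini, which disables both the `X-Powered-By` header and these query-string easter eggs; releases from PHP 5.5 onward dropped the logo GUIDs altogether, so a silent result on a modern server is expected rather than a sign the script failed.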
