Affected systems:
PHP 5.0.2
PHP 5.0.1
PHP 5.0.0
PHP 4.3.9
PHP 4.3.8
PHP 4.3.7
PHP 4.3.6
Unaffected systems:
PHP 5.0.3
PHP 4.3.10
Description: PHP has input validation vulnerabilities. Remote attackers can exploit them to read system file content and perform directory traversal attacks.
The first issue is in addslashes(). addslashes() is used to filter user input; when magic_quotes_gpc is set to 'on', addslashes() is applied to each input and output. However, because addslashes() does not encode NULL bytes correctly, if the user input is passed to an include() or require() call, attackers may read arbitrary files in the file system.
The second issue is an upload path traversal. PHP automatically filters the uploaded file name and deletes everything before a slash or backslash. However, if the name of the file uploaded by an attacker contains a single quote, and on the web server magic_quotes is set to ON or addslashes() is applied to the uploaded file name, a backslash is prefixed to the single quote. This can create a directory traversal on Windows, and as a result files can be uploaded to any directory on the system.
<* Origin: Daniel Fabian (d.fabian@sec-consult.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110321976808504&w=2
*>
Test method:
Warning
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
Daniel Fabian (d.fabian@sec-consult.com) provides the following test methods:
Given the following PHP script:
<?php
// User input is only passed through addslashes() before reaching include()
$whatever = addslashes($_REQUEST['whatever']);
include('/path/to/program/' . $whatever . '/header.htm');
?>
Malicious attackers can submit the following URL to obtain the file content:
http://localhost/phpscript.php?whatever=.../boot.ini\0
The official website has released an upgrade that fixes this security issue. We strongly recommend that everyone running PHP on Windows hosts upgrade to PHP 4.3.10 or 5.0.3.
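The include() pattern from the test method can also be written so that the path decision does not depend on addslashes() or magic_quotes_gpc at all. The following is an added example, not code from the advisory or from PHP; resolve_header() is a hypothetical helper, the directory tree and inputs are constructed for the demonstration, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not the advisory's code. resolve_header() is a hypothetical
// helper; the directory tree and inputs below are constructed for the demo.

function resolve_header(string $base, $name): ?string
{
    // Reject arrays (whatever[]=x) and any other non-string input.
    if (!is_string($name)) {
        return null;
    }
    // Allow-list a single path component: letters, digits, '_' and '-'.
    // NUL bytes, dots, slashes, backslashes and quotes never match, so the
    // decision does not depend on addslashes() or magic_quotes_gpc.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // Resolve symlinks and confirm the result is still under the base.
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $name . '/header.htm');
    if ($baseReal === false || $target === false) {
        return null;
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed demo tree: <tmp>/tpl_demo_<pid>/default/header.htm
$base = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($base . '/default', 0700, true);
file_put_contents($base . '/default/header.htm', "<h1>header</h1>\n");

// Constructed inputs: one valid name, then shapes that must be rejected.
$inputs = ['default', "default\0", "../outside\0", 'no_such_dir', ['x']];
foreach ($inputs as $in) {
    $path = resolve_header($base, $in);
    printf("%-20s => %s\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'would include ' . $path);
}

// Remove the demo tree.
unlink($base . '/default/header.htm');
rmdir($base . '/default');
rmdir($base);
```

Only the first input resolves to a path; in a real handler the returned path is what gets passed to include, and a null result ends the request.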