PHP 5.1.2 and 4.4.2 phpinfo() Cross Site Scripting

2006.04.08
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]

Author: Maksymilian Arciemowicz
Date:
- Written: 26.2.2006
- Public: 8.4.2006
CVE-2006-0996

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.

--- 1. Cross Site Scripting ---
In phpinfo() you can see all variables, like:

file: standard/info.c
-630-636---
    php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
    php_print_gpcse_array("_GET", sizeof("_GET")-1 TSRMLS_CC);
    php_print_gpcse_array("_POST", sizeof("_POST")-1 TSRMLS_CC);
    php_print_gpcse_array("_FILES", sizeof("_FILES")-1 TSRMLS_CC);
    php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1 TSRMLS_CC);
    php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
    php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
-630-636---

For any array, the function php_print_gpcse_array() checks 4096 bytes of the variable.

file: standard/info.c
-135-154---
    if (Z_TYPE_PP(tmp) == IS_ARRAY) {
        zval *tmp3;
        MAKE_STD_ZVAL(tmp3);
        if (!sapi_module.phpinfo_as_text) {
            PUTS("<pre>");
        }
        php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
        zend_print_zval_r(*tmp, 0);
        php_ob_get_buffer(tmp3 TSRMLS_CC);
        php_end_ob_buffer(0, 0 TSRMLS_CC);
        elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
        PUTS(elem_esc);
        efree(elem_esc);
        zval_ptr_dtor(&tmp3);
        if (!sapi_module.phpinfo_as_text) {
            PUTS("</pre>");
        }
    } else if (Z_TYPE_PP(tmp) != IS_STRING) {
-135-154---

So if we create an array longer than 4096, HTML tags are not removed.

Exploit:
If a PHP script calls the function phpinfo(), try creating some variables (an array) like

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]=[XSS]

or

phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]

--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Greets ---
p_e_a, pi3, eax ;]

--- 4. Contact ---
Author: Maksymilian Arciemowicz

References:

http://rhn.redhat.com/errata/RHSA-2006-0549.html
http://rhn.redhat.com/errata/RHSA-2006-0276.html
http://www.redhat.com/support/errata/RHSA-2006-0501.html
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c
http://www.novell.com/linux/security/advisories/05-05-2006.html

