[UNIX] PHP File-Upload $GLOBALS Overwrite Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



PHP File-Upload $GLOBALS Overwrite Vulnerability
------------------------------------------------------------------------


SUMMARY

PHP's $GLOBALS overwrite can lead to unexpected behavior of PHP
applications, which can lead to execution of remote PHP code in many
situations.

DETAILS

Vulnerable Systems:
* PHP4 version 4.4.0 and prior
* PHP5 version 5.0.5 and prior

Immune Systems:
* PHP4 version 4.4.1
* PHP5 version 5.0.6

PHP is a widely-used general-purpose scripting language that is especially
suited for Web development and can be embedded into HTML.

During the development of the Hardening-Patch which adds security
hardening features to the PHP codebase, several vulnerabilities within PHP
were discovered. This advisory describes one of these flaws concerning a
weakness in the file upload code, that allows overwriting the GLOBALS
array when register_globals is turned on. Overwriting this array can lead
to unexpected security holes in code assumed secure.

This vulnerability has consequences for a lot of PHP applications f.e.
everything based on PEAR.php and vBulletin. And can lead to remote PHP
code execution.

For a detailed explanation of the $GLOBALS overwrite problem, have a look
at the following article which describes it in more detail:
<http://www.hardened-php.net/globals-problem>
http://www.hardened-php.net/globals-problem

In PHP 4.3.11 some code was added to disallow overwriting the $GLOBALS
array when register_globals is turned on. Unfortunately there was a hole
in this protection. The introduced code did only affect the globalisation
of the GET, POST and COOKIE variables. However it was overseen, that the
rfc1867 file upload code within PHP also registers global variables, which
can be used by an attacker to overwrite the $GLOBALS array by simply
sending a multipart/form-data POST request containing a fileupload field
with the name 'GLOBALS'.

Until now it was not realized, how dangerous the problem is. This is also
one of the reasons why all PHP version 4.3.10 and prior packages shipped
with various distributions are still vulnerable to the normal $GLOBALS
overwrite, which was fixed in PHP 4.3.11.

Describing the impact of $GLOBALS overwrite vulnerabilities and why it
does not only affect installations, where register_globals is turned on,
why it allows remote code execution in a lot of PHP applications and why
this is also a threat for applications that allow local file includes and
are running in a SAFE_MODE or open_basedir environment is out of the scope
of this advisory.

The interested reader is advised to read the following article, that
describes this "new" bugclass a bit more detailed, with examples:
<http://www.hardened-php.net/globals-problem>
http://www.hardened-php.net/globals-problem

Finally it should be noted that users of our Hardening-Patch for PHP are
not affected if they run the at least version from September.

Recommendation:
It is strongly recommended to upgrade to the new PHP-Releases as soon as
possible, because the GLOBALS problem is very dangerous to a lot of PHP
applications in the wild. Especially because writing a worm that f.e. uses
this problem to exploit everything based on PEAR.php is very simple.
Additionally we always recommend to run PHP with the Hardening-Patch
applied, especially because it offers even more protection against
$GLOBALS overwrites than the default PHP.


ADDITIONAL INFORMATION

The information has been provided by <mailto:sesser@xxxxxxxxxxxxxxxx>
Stefan Esser.
The original article can be found at:
<http://www.hardened-php.net/advisory_202005.79.html>
http://www.hardened-php.net/advisory_202005.79.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages