Advisory 20/2005: PHP File-Upload $GLOBALS Overwrite Vulnerability

From: Stefan Esser (sesser_at_hardened-php.net)
Date: 10/31/05

  • Next message: Stefan Esser: "Advisory 19/2005: PHP register_globals Activation Vulnerability in parse_str()" 
    Date: Mon, 31 Oct 2005 14:35:20 +0100
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, red@heisec.de

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                            Hardened-PHP Project
                            www.hardened-php.net

                          -= Security Advisory =-

         Advisory: PHP File-Upload $GLOBALS Overwrite Vulnerability
     Release Date: 2005/10/31
    Last Modified: 2005/10/31
           Author: Stefan Esser [sesser@hardened-php.net]

      Application: PHP4 <= 4.4.0
                   PHP5 <= 5.0.5
         Severity: $GLOBALS overwrite can lead to unexpected behaviour
                   of PHP applications, which can lead to execution of
                   remote PHP code in many situations
             Risk: Critical
    Vendor Status: Vendor has released a bugfixed PHP 4 version
       References: http://www.hardened-php.net/advisory_202005.79.html
                   http://www.hardened-php.net/globals-problem

    Overview:

       PHP is a widely-used general-purpose scripting language that is
       especially suited for Web development and can be embedded into HTML.

       During the development of the Hardening-Patch which adds security
       hardening features to the PHP codebase, several vulnerabilities
       within PHP were discovered. This advisory describes one of these
       flaws concerning a weakness in the file upload code, that allows
       overwriting the GLOBALS array when register_globals is turned on.
       Overwriting this array can lead to unexpected security holes in
       code assumed secure.

       This vulnerability has consequences for a lot of PHP applications
       f.e. everything based on PEAR.php and vBulletin. And can lead to
       remote PHP code execution.
       
       For a detailed explanation of the $GLOBALS overwrite problem, have
       a look at the following article which describes it in more detail:
       
       http://www.hardened-php.net/globals-problem

    Details:

       In PHP 4.3.11 some code was added to disallow overwriting the
       $GLOBALS array when register_globals is turned on. Unfortunately
       there was a hole in this protection. The introduced code did only
       affect the globalisation of the GET, POST and COOKIE variables.
       However it was overseen, that the rfc1867 file upload code within
       PHP also registers global variables, which can be used by an
       attacker to overwrite the $GLOBALS array by simply sending a
       multipart/form-data POST request containing a fileupload field
       with the name 'GLOBALS'.
       
       Until now it was not realised, how dangerous the problem is. This
       is also one of the reasons why all PHP <= 4.3.10 packages shipped
       with various distributions are still vulnerable to the normal
       $GLOBALS overwrite, which was fixed in PHP 4.3.11.
       
       Describing the impact of $GLOBALS overwrite vulnerabilities and
       why it does not only affect installations, where register_globals
       is turned on, why it allows remote code execution in a lot of
       PHP applications and why this is also a threat for applications
       that allow local file includes and are running in a SAFE_MODE or
       open_basedir environment is out of the scope of this advisory.
       
       The interested reader is advised to read the following article,
       that describes this "new" bugclass a bit more detailed, with
       examples.
       
       http://www.hardened-php.net/globals-problem
       
       Finally it should be noted that users of our Hardening-Patch for
       PHP are not affected if they run the at least version from
       September.

    Proof of Concept:

       The Hardened-PHP project is not going to release exploits for any
       of these vulnerabilities to the public.

    Recommendation:

       It is strongly recommended to upgrade to the new PHP-Releases as
       soon as possible, because the GLOBALS problem is very dangerous
       to a lot of PHP applications in the wild. Especially because
       writing a worm that f.e. uses this problem to exploit everything
       based on PEAR.php is very simple. Additionally we always recommend
       to run PHP with the Hardening-Patch applied, especially because
       it offers even more protection against $GLOBALS overwrites than
       the default PHP.

    GPG-Key:

       http://www.hardened-php.net/hardened-php-signature-key.asc

       pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
       Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

    Copyright 2005 Stefan Esser. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQFDZh0fRDkUzAqGSqERAo5yAJ0fNc8IZKgAdhGf7VkuzcubwN0+2ACfWK8K
    IZXWzIMzQMf2DEc2ktRgOHQ=
    =X87Q
    -----END PGP SIGNATURE-----

  • Next message: Stefan Esser: "Advisory 19/2005: PHP register_globals Activation Vulnerability in parse_str()"

    Relevant Pages