New PEAR / Apache2Triad Exploit

From: jd2k2000@xxxxxxxxxxx
Date: 9 Jan 2006 03:42:03 -0000

File: go-pear.php
Affects: v0.2.2 (May affect other versions)
Date: 6th January 2006

Issue Description:
====================================

A vulnerability exists within version 0.2.2 of go-pear.php, part of PHP's PEAR Package.
The problem lies in the scripts capacity to utilize a proxy server.

An attacker can take advantage of this option by providing it with a malicious proxy server
that is configured to redirect the original request to another file server.
By simply mirroring the requested content from the intended file server
the attacker can assure the script continues running uninterrupted.

Hosting a modified version of "Tar.php" and pre pending code to the extractModify() function
will allow the attacker to run any PHP code of their choosing. This occurs because go-pear uses
"Tar.php" to extract all the packages it previously retrieved, in doing so it invokes the now
compromised version of extractModify().
=====================================

Scope:
=====================================

This vulnerability has the most serious implications for Apache2Triad users
as the go-pear.php script is installed by default and is accessible at

http://www.yoursite.com/php/pear/go-pear.php
=====================================

Recommendation:
=====================================

Regular PEAR users should simply update to the latest version available
at http://pear.php.net

Apache2Triad users who simply wish to address this issue should do the following:

[1] Go to your apache2triad directory
[2] Navigate to \php\pear
[3] Rename or delete the "go-pear.php" file
=====================================

Discovered By: Gammarays

Prev by Date: [FLSA-2006:168375] Updated mozilla packages fix security issues
Next by Date: Re: Dumb IE6/XP denial of service found on the web
Previous by thread: [FLSA-2006:168375] Updated mozilla packages fix security issues
Next by thread: Microsoft Exchange Critical Vulnerability
Index(es):
- Date
- Thread

Relevant Pages

[NT] Java Applets Can be Used to Redirect Browser Traffic
... giving the appearance that the session was behaving normally. ... Users whose browsers are not behind a proxy server are not ... * The vulnerability only affects configurations that utilize a proxy ... because secure HTTP (HTTPS) is encrypted ...
(Securiteam)
Alert: Microsoft Security Bulletin - MS02-027
... Microsoft Internet Explorer ... Microsoft ISA Server 2000 ... This is a work-around bulletin that details steps customers can take to protect themselves against a publicly disclosed vulnerability until patches are available. ... this means that a proxy client would have to submit the initial request through the proxy server. ...
(NT-Bugtraq)
Re: About proxy
... Whose proxy server are you asking about? ... > Is it safe to surf using proxy? ... If the proxy has vulnerability. ... > safe to use it for internet surfing? ...
(microsoft.public.security)