[CVE-2006-0996] phpinfo() Cross Site Scripting

Related Vulnerabilities: CVE-2006-0996  

Debian Bug report logs - #361853

Package: php4; Maintainer for php4 is (unknown);

Reported by: Oliver Paulus <oliver@code-project.org>

Date: Mon, 10 Apr 2006 19:33:06 UTC

Severity: important

Tags: security

Found in versions php4/4:4.3.10-16, 4:4.4.2-1.1

Done: sean finney <seanius@seanius.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361853; Package php4.


Acknowledgement sent to Oliver Paulus <oliver@code-project.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Oliver Paulus <oliver@code-project.org>
To: submit@bugs.debian.org
Subject: phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2
Date: Mon, 10 Apr 2006 23:12:38 +0200
Package: php4
Version: 4:4.3.10-16
Severity: grave

for more information see:
http://securityreason.com/achievement_securityalert/34

--
Oliver Paulus

OpenPGP
Key id: 28D9C44F
Fingerprint: EADA 62FC 07DC 3361 A3D6  4174 2DE3 C027 28D9 C44F
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x28D9C44F




Tags added: security. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361853; Package php4.


Acknowledgement sent to Ondrej Sury <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #12 received at 361853@bugs.debian.org:

From: Ondrej Sury <ondrej@sury.org>
To: 361853@bugs.debian.org
Subject: Re: [php-maint] Bug#361853: phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2
Date: Tue, 11 Apr 2006 09:58:36 +0200

[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 26.2.2006
- Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The goal of the language is to allow web developers
to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much
of the PHP Conference Material is freely available.

--- 1. Cross Site Scripting ---
In phpinfo() you can see all variables like:

file: standard/info.c
--630-636---
php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
php_print_gpcse_array("_GET", sizeof("_GET")-1 TSRMLS_CC);
php_print_gpcse_array("_POST", sizeof("_POST")-1 TSRMLS_CC);
php_print_gpcse_array("_FILES", sizeof("_FILES")-1 TSRMLS_CC);
php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1 TSRMLS_CC);
php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
--630-636---

For any arrays, the function php_print_gpcse_array() checks 4096b of the variable.

file: standard/info.c
--135-154---
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
    zval *tmp3;
    MAKE_STD_ZVAL(tmp3);
    if (!sapi_module.phpinfo_as_text) {
        PUTS("<pre>");
    }
    php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
    zend_print_zval_r(*tmp, 0);
    php_ob_get_buffer(tmp3 TSRMLS_CC);
    php_end_ob_buffer(0, 0 TSRMLS_CC);

    elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
    PUTS(elem_esc);
    efree(elem_esc);
    zval_ptr_dtor(&tmp3);

    if (!sapi_module.phpinfo_as_text) {
        PUTS("</pre>");
    }
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
--135-154---

So if we create an array longer than 4096, HTML tags won't be removed.

Exploit:
If a PHP script calls the function phpinfo(), try creating some variables (array)
like

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]=[XSS]

or

phpinfo.php?cx[]=ccccc..~4096chars...ccc[XSS]

--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

--- 3. Greets ---

For: sp3x
and
p_e_a, pi3, eax ;]

--- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
-- 
Ondrej Sury <ondrej@sury.org>
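The buffering failure the forwarded advisory describes, as a C model added here (not PHP's source code): with the original chunk size of 4096, a long array value is flushed to the client before php_info_html_esc() ever sees it, while a chunk size of 0 (assumed here to be what the later fix uses) escapes everything. The split of the dump into three writes, the filler value and the helper names are assumptions.

```c
#include <string.h>
#define FILL 4096  /* chunk size the original info.c gave php_start_ob_buffer() */

/* Stand-in for php_info_html_esc(): escape the characters that start markup. */
static size_t html_esc(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in && n + 6 < cap; in++) {
        const char *rep = *in == '<' ? "&lt;" : *in == '>' ? "&gt;" :
                          *in == '&' ? "&amp;" : NULL;
        if (rep) { memcpy(out + n, rep, strlen(rep)); n += strlen(rep); }
        else out[n++] = *in;
    }
    out[n] = '\0'; return n;
}

/* Model of the array branch of php_print_gpcse_array(). The dump arrives as
 * several writes (split assumed below); after each one, if chunk_size > 0 and
 * the buffer holds >= chunk_size bytes, PHP flushes it to the client raw and
 * restarts it, so only what is still buffered at php_ob_get_buffer() time is
 * escaped. Returns the number of bytes placed in `page`. */
static size_t render_array(const char *value, size_t chunk_size,
                           char *page, size_t cap)
{
    const char *pieces[] = { "Array\n(\n    [0] => ", value, "\n)\n" };
    static char buf[2 * FILL];
    size_t buffered = 0, n = 0, i;
    for (i = 0; i < 3; i++) {
        size_t len = strlen(pieces[i]);
        if (buffered + len >= sizeof buf || n + buffered + len >= cap) break;
        memcpy(buf + buffered, pieces[i], len); buffered += len;
        if (chunk_size && buffered >= chunk_size) {  /* chunk full: raw flush */
            memcpy(page + n, buf, buffered);
            n += buffered; buffered = 0;
        }
    }
    buf[buffered] = '\0';
    return n + html_esc(buf, page + n, cap - n);
}

/* 1 if a literal '<' reaches the page for `fill` (<= FILL) filler bytes followed
 * by constructed markup, i.e. the escaper was bypassed; 0 if it was escaped. */
int tag_survives(size_t fill, size_t chunk_size)
{
    static char value[FILL + 16], page[4 * FILL];
    memset(value, 'c', fill);             /* constructed filler, like the advisory's */
    strcpy(value + fill, "<b>x</b>");     /* constructed markup tail */
    render_array(value, chunk_size, page, sizeof page);
    return strchr(page, '<') != NULL;
}
```

A value shorter than the chunk size is escaped correctly either way, which is why only long array values were affected.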

Bug 361853 cloned as bug 361914. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.


Tags added: security. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.


Notification sent to Oliver Paulus <oliver@code-project.org>:
Bug acknowledged by developer.


Message #21 received at 361853-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Oliver Paulus <oliver@code-project.org>, 361854-done@bugs.debian.org, 361855-done@bugs.debian.org, 361856-done@bugs.debian.org, 361853-done@bugs.debian.org
Subject: Re: Bug#361854: function *() php/apache Crash PHP 4.4.2 and 5.1.2
Date: Mon, 10 Apr 2006 22:01:02 -0700
Version: 4:4.4.2-1
severity 361854 important
severity 361855 important
severity 361856 important
thanks

On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/34

On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/35

On Mon, Apr 10, 2006 at 11:16:11PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/36

On Mon, Apr 10, 2006 at 11:17:52PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/37

It is my understanding that all of these bugs are fixed in the etch version
of php4; I'm accordingly marking them as closed.

In addition, except for the cross-site scripting bug, none of these appear
to warrant severity: grave.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Bug marked as found in version 4:4.4.2-1. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Bug marked as not found in version 4:4.4.2-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Bug marked as fixed in version 4:4.4.2-1, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Changed Bug title. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.


Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361853; Package php4.


Acknowledgement sent to David Sterratt <david.c.sterratt@ed.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #36 received at 361853@bugs.debian.org:

From: David Sterratt <david.c.sterratt@ed.ac.uk>
To: 361853@bugs.debian.org
Subject: This bug may not be an issue for php4-4.3.10
Date: Wed, 17 May 2006 15:54:24 +0100
There appears to have been some ambiguity with the vulnerability
announcements, with some sites saying "PHP 5.1.2 and prior, PHP 4.4.2 and
prior" (http://securityreason.com/achievement_securityalert/34) and others
just saying "PHP 5.1.2 and 4.4.2"
(http://www.securityfocus.com/archive/1/archive/1/430449/100/0/threaded).

However, in php_print_gpcse_array() in ext/standard/info.c in the debian
sarge package there is no reference to the 4096 byte buffer which seemed
to be the cause of the problem.

David.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361853; Package php4.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #41 received at 361853@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 361853@bugs.debian.org, control@bugs.debian.org
Subject: not fixed in etch
Date: Mon, 14 Aug 2006 22:30:35 +0200
found 361853 4:4.4.2-1.1
thanks

according to secunia [1], this has been fixed in 4.4.3, not in 4.4.2

[1] http://secunia.com/advisories/19599



Bug marked as found in version 4:4.4.2-1.1. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361853; Package php4.


Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #48 received at 361853@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 361853@bugs.debian.org
Cc: Stefan Fritsch <sf@sfritsch.de>
Subject: Re: not fixed in etch
Date: Tue, 15 Aug 2006 11:14:37 +0200
Hello Stefan,

> according to secunia [1], this has been fixed in 4.4.3, not in 4.4.2
> 
> [1] http://secunia.com/advisories/19599

I've verified that the bug is indeed marked as fixed in the 4.4.3
changelog of PHP.

However, phpinfo() is a debug tool. I don't know why you would want to
use it on a production system and inside a context where cookies contain
security relevant information at the same time. If you ask me, this is
'important' at most. Secunia labels it as "not critical".


Thijs

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#361853; Package php4.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #53 received at 361853@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Thijs Kinkhorst <thijs@debian.org>, control@bugs.debian.org
Cc: 361853@bugs.debian.org
Subject: Re: not fixed in etch
Date: Wed, 16 Aug 2006 21:15:10 +0200
severity 361853 important
thanks

On Tuesday 15 August 2006 11:14, Thijs Kinkhorst wrote:
> However, phpinfo() is a debug tool. I don't know why you would want
> to use it on a production system and inside a context where cookies
> contain security relevant information at the same time. If you ask
> me, this is 'important' at most. Secunia labels it as "not
> critical".

You are right. For some reason, I thought it was already marked
important by Steve's mail.

Cheers,
Stefan



Severity set to `important' from `grave'. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.


Bug closed, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from sean finney <seanius@seanius.net> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 08:24:49 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:16:17 2019; Machine Name: buxtehude
