Debian Bug report logs - #361856
[CVE-2006-1608] copy() Safe Mode Bypass
Reported by: Oliver Paulus <oliver@code-project.org>
Date: Mon, 10 Apr 2006 19:33:14 UTC
Severity: important
Tags: patch, security
Found in versions php4/4:4.3.10-16, 4:4.4.2-1.1
Done: sean finney <seanius@seanius.net>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361856; Package php4.
Acknowledgement sent to Oliver Paulus <oliver@code-project.org>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: php4
Version: 4:4.3.10-16
Severity: grave
for more information see: http://securityreason.com/achievement_securityalert/37
--
Oliver Paulus
OpenPGP Key id: 28D9C44F
Fingerprint: EADA 62FC 07DC 3361 A3D6 4174 2DE3 C027 28D9 C44F
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x28D9C44F
Tags added: security. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361856; Package php4.
Acknowledgement sent to Ondrej Sury <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #12 received at 361856@bugs.debian.org:
[copy() Safe Mode Bypass PHP 4.4.2 and 5.1.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 2.4.2006
- Public: 8.4.2006
from SECURITYREASON.COM
CVE-2006-1608
--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference Material is freely available.
The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.
--- 1. Safe Mode Bypass ---
A general problem exists in the safe mode function, because safe mode accepts a path like "compress.zlib://".
PHP442 File "main/safe_mode.c"
---78-80---
    wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
    if (wrapper != NULL)
        return 1;
---78-80---
If php_stream_locate_url_wrapper() returns something, safe mode is going to stop.
Let's see the function php_stream_locate_url_wrapper().
PHP442 File "main/streams.c"
---2522-2588---
PHPAPI php_stream_wrapper *php_stream_locate_url_wrapper(const char *path, char **path_for_open, int options TSRMLS_DC)
{
    HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) : &url_stream_wrappers_hash);
    php_stream_wrapper *wrapper = NULL;
    const char *p, *protocol = NULL;
    int n = 0;

    if (path_for_open)
        *path_for_open = (char*)path;

    if (options & IGNORE_URL)
        return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;

    for (p = path; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++) {
        n++;
    }

    if ((*p == ':') && (n > 1) && !strncmp("://", p, 3)) {
        protocol = path;
    } else if (strncasecmp(path, "zlib:", 5) == 0) {
        /* BC with older php scripts and zlib wrapper */
        protocol = "compress.zlib";
        n = 13;
        if (options & REPORT_ERRORS) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Use of \"zlib:\" wrapper is deprecated; please use \"compress.zlib://\" instead.");
        }
    }

    if (protocol) {
        if (FAILURE == zend_hash_find(wrapper_hash, (char*)protocol, n, (void**)&wrapper)) {
            char wrapper_name[32];

            if (options & REPORT_ERRORS) {
                if (n >= sizeof(wrapper_name))
                    n = sizeof(wrapper_name) - 1;
                PHP_STRLCPY(wrapper_name, protocol, sizeof(wrapper_name), n);
                php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unable to find the wrapper \"%s\" - did you forget to enable it when you configured PHP?", wrapper_name);
            }
            wrapper = NULL;
            protocol = NULL;
        }
    }

    /* TODO: curl based streams probably support file:// properly */
    if (!protocol || !strncasecmp(protocol, "file", n)) {
        if (protocol && path[n+1] == '/' && path[n+2] == '/') {
            if (options & REPORT_ERRORS)
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "remote host file access not supported, %s", path);
            return NULL;
        }
        if (protocol && path_for_open)
            *path_for_open = (char*)path + n + 1;

        /* fall back on regular file access */
        return (options & STREAM_LOCATE_WRAPPERS_ONLY) ? NULL : &php_plain_files_wrapper;
    }

    if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
        if (options & REPORT_ERRORS)
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
        return NULL;
    }

    return wrapper;
}
---2522-2588---
So if you use a wrapper in your path (for example "compress.zlib://"), the function php_stream_locate_url_wrapper() returns something and safe mode returns 1.
Let's see now the source of the function copy().
PHP442: ext/standard/file.c
---2114-2138---
PHP_FUNCTION(copy)
{
    zval **source, **target;

    if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &source, &target) == FAILURE) {
        WRONG_PARAM_COUNT;
    }

    convert_to_string_ex(source);
    convert_to_string_ex(target);

    if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(source), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
        RETURN_FALSE;
    }

    if (php_check_open_basedir(Z_STRVAL_PP(source) TSRMLS_CC)) {
        RETURN_FALSE;
    }

    if (php_copy_file(Z_STRVAL_PP(source), Z_STRVAL_PP(target) TSRMLS_CC) == SUCCESS) {
        RETURN_TRUE;
    } else {
        RETURN_FALSE;
    }
}
---2114-2138---
http://pl2.php.net/manual/en/function.copy.php
Description
bool copy ( string source, string dest )
example:
    copy("compress.zlib:///etc/passwd", "/home/cxib/to/bandyta/passwd.txt");
Safe mode returns 1 and skips the security check:
    if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(source), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
        RETURN_FALSE;
    }
returns true.
The rest of the functions check safe_mode without the path, and safe mode works. I haven't tested all functions in PHP ;].
--- 2. How to fix ---
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
--- 3. Exploit ---
http://securityreason.com/achievement_exploitalert/8
--- 4. Greets ---
For: sp3x and p_e_a, eax, Infospec
--- 5. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
SecurityReason.Com
--
Ondrej Sury <ondrej@sury.org>
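The check the advisory above walks through, as an added example that is not PHP's own code and not part of this thread: locate_wrapper() mirrors the scheme scan of php_stream_locate_url_wrapper() against a constructed wrapper registry, safe_mode_check_442() reproduces the short-circuit from main/safe_mode.c lines 78-80, and safe_mode_check_hardened() is an illustrative hardening (not the project's actual patch) that applies the owner check to the file behind a local-file wrapper. owned_by_script_user() is a constructed stand-in for php_checkuid().

```c
#include <ctype.h>
#include <string.h>

/* Constructed stand-in for php_checkuid(): only /home/cxib/* counts as owned by the script user. */
static int owned_by_script_user(const char *path) {
    return strncmp(path, "/home/cxib/", 11) == 0;
}

/* Constructed registry standing in for url_stream_wrappers_hash. */
static const char *registered_wrappers[] = { "compress.zlib", "http", "ftp", "php" };

/* Mirrors the scheme scan in php_stream_locate_url_wrapper(): returns the registered
 * wrapper name (setting *path_for_open to the path behind "scheme://"), or NULL when
 * the path is, or falls back to, a plain file. */
const char *locate_wrapper(const char *path, const char **path_for_open) {
    const char *p = path;
    size_t n = 0, i;
    *path_for_open = path;
    while (isalnum((unsigned char)*p) || *p == '+' || *p == '-' || *p == '.') { p++; n++; }
    if (!(*p == ':' && n > 1 && strncmp("://", p, 3) == 0))
        return NULL;
    for (i = 0; i < sizeof(registered_wrappers) / sizeof(registered_wrappers[0]); i++) {
        if (strlen(registered_wrappers[i]) == n && strncmp(path, registered_wrappers[i], n) == 0) {
            *path_for_open = path + n + 3;
            return registered_wrappers[i];
        }
    }
    return NULL; /* unknown scheme: PHP falls back to plain file access */
}

/* Vulnerable check, same shape as main/safe_mode.c lines 78-80 in 4.4.2:
 * a registered wrapper short-circuits to "allowed" without any owner check. */
int safe_mode_check_442(const char *filename) {
    const char *target;
    if (locate_wrapper(filename, &target) != NULL)
        return 1;
    return owned_by_script_user(filename);
}

/* Hardened variant (illustrative, not PHP's actual patch): a wrapper that reads a local
 * file is checked on the file behind the scheme; any other wrapper is denied. */
int safe_mode_check_hardened(const char *filename) {
    const char *target, *w = locate_wrapper(filename, &target);
    if (w == NULL)
        return owned_by_script_user(filename);
    if (strcmp(w, "compress.zlib") == 0)
        return owned_by_script_user(target);
    return 0;
}
```

With the advisory's example path "compress.zlib:///etc/passwd", safe_mode_check_442() returns 1 (the owner check is never reached) while safe_mode_check_hardened() returns 0.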
Tags added: security. Request was from Ondrej Sury <ondrej@sury.org> to control@bugs.debian.org.
Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility.
Notification sent to Oliver Paulus <oliver@code-project.org>: Bug acknowledged by developer.
Message #23 received at 361856-done@bugs.debian.org:
Version: 4:4.4.2-1
severity 361854 important
severity 361855 important
severity 361856 important
thanks
On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/34
On Mon, Apr 10, 2006 at 11:14:43PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/35
On Mon, Apr 10, 2006 at 11:16:11PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/36
On Mon, Apr 10, 2006 at 11:17:52PM +0200, Oliver Paulus wrote:
> for more information see:
> http://securityreason.com/achievement_securityalert/37
It is my understanding that all of these bugs are fixed in the etch version
of php4; I'm accordingly marking them as closed.
In addition, except for the cross-site scripting bug, none of these appear
to warrant severity: grave.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361856; Package php4.
Acknowledgement sent to Allard Hoeve <allard@byte.nl>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #28 received at 361856@bugs.debian.org:
Hello Steve,
> #361853
> #361854
> #361855
> #361856
>
> It is my understanding that all of these bugs are fixed in the etch
> version of php4; I'm accordingly marking them as closed.
But these issues are not yet fixed in the sarge version. Shouldn't they be
fixed there?
Regards,
Allard Hoeve
Bug marked as found in version 4:4.4.2-1. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.
Bug marked as not found in version 4:4.4.2-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Bug marked as fixed in version 4:4.4.2-1, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361856; Package php4.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #39 received at 361856@bugs.debian.org:
On Tue, Apr 11, 2006 at 03:19:09PM +0200, Allard Hoeve wrote:
> >#361853
> >#361854
> >#361855
> >#361856
> >It is my understanding that all of these bugs are fixed in the etch
> >version of php4; I'm accordingly marking them as closed.
> But these issues are not yet fixed in the sarge version. Shouldn't they be
> fixed there?
Grave-severity security bugs will normally be fixed in stable, yes.
Severity: important security bugs may be fixed at the discretion of the
security team.
Neither factor is a reason not to mark the bugs as fixed in etch if this is
the case.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
Changed Bug title. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.
Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361856; Package php4.
Acknowledgement sent to Allard Hoeve <allard@byte.nl>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #48 received at 361856@bugs.debian.org:
tags patch
thanks
Dear Maintainers,
This is the patch from CVS (5.1.x) backported to 4.3.10-16.
Please review.
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/file.c?r1=1.409.2.5&r2=1.409.2.6&pathrev=PHP_5_1
Regards,
Allard
[copy.diff (text/plain, attachment)]
Tags added: patch. Request was from Allard Hoeve <allard@byte.nl> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#361856; Package php4.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
Message #55 received at 361856@bugs.debian.org:
found 361856 4:4.4.2-1.1
found 361854 4:4.4.2-1.1
thanks
see
http://secunia.com/advisories/19599/ for #361856
http://www.frsirt.com/english/advisories/2006/1290 for #361854
Bug marked as found in version 4:4.4.2-1.1. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org.
Bug closed, send any further explanations to Oliver Paulus <oliver@code-project.org>. Request was from sean finney <seanius@seanius.net> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 09:51:34 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:57:30 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.