LINUX.ORG.RU

Multiple vulnerabilities within PHP 4/5


0

0

Группа Hardened-PHP Project представила список критических уязвимостей:

[01 - pack() - integer overflow leading to heap bufferoverflow ]
[02 - unpack() - integer overflow leading to heap info leak ]
[03 - safe_mode_exec_dir bypass in multithreaded PHP ]
[05 - path truncation in realpath() ]
[06 - unserialize() - wrong handling of negative references ]
[07 - unserialize() - wrong handling of references to freed data ]

Examples of vulnerable scripts: phpBB2, Invision Board и т.д.

It is strongly recommended to upgrade to the new PHP-Releases as soon as possible, because a lot of PHP applications expose the easy to exploit unserialize() vulnerability to remote attackers.

>>> Подробности



Проверено: maxcom ()
Ответ на: комментарий от MakcuM

можно, то можно, только и новых вскоре обнаружатся какие-нить уязвимости,.. топом опять новые тянуть и опять..

MiracleMan ★★★★★
()
Ответ на: комментарий от x97Rang

> Examples of vulnerable scripts: phpBB2 Linuxcenter опять поломают ))))

anonymous
()

Опять, опять и снова :(

IceD
()

ыксплойт хде??

anonymous
()

записывайтксь скорее в морквоведы,.. :-))

MiracleMan ★★★★★
()

В догонку, чтобы жизнь медом не казалась ....

~~~~~~~~ Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~

addslashes() Vulnerability: ---------------------------

Scope: PHP version 4.3.9 contains a bug in the function addslashes(). addslashes() can be used to sanitize userinput and render it thus impossible for an attacker to influence scripts by injection meta characters. In the default configuration, magic_quotes_gpc is set to "On" which automagically performs addslashes() on every input value. However because of a bug, the NULL byte is not correctly encoded by addslashes, enabling an attacker to read arbitrary files from the file system, if user input is used within include() or require() directives.

Details: Addslashes should turn a NULL byte (will be written as %00 in this advisory) into the string "\0" (backslash zero). In version 4.3.9 the NULL byte is encoded as "\%00" (backslash null byte). Everything after the NULL byte is ignored in include and require directives so that an attacker can truncate the name of the file that is included in the PHP script. The last character however will always be the backslash. As in Windows the backslash is the path delimitor, this does not matter - the file named before the backslash is still loaded.

Example:

Consider the following PHP script:

<? $whatever = addslashes($_REQUEST['whatever']); include("/path/to/program/" . $whatever . "/header.htm"); ?>

A malicious attacker might open the following URL, disclosing the boot.ini file:

http://localhost/phpscript.php?whatever=../../../../boot.ini%00

The trailing backslash from the escaped \%00 does for some reason not seem to be of concern to include().

Upload Path Traversion Vulnerability: -------------------------------------

Scope: PHP automatically sanitizes the file name of uploaded files removing everything before the last slash or backslash. This is done in order to prevent path traversal attacks with uploaded files. However if an attacker uploads a file containing a single quote and the attacked web server has magic_quotes turned on (which is default configuration) or performs an addslashes() directive on the name of the uploaded file, the quote is prefixed with a backslash. This occurs after PHP checks for backslashes in the filename. As the backslash is the path delimitor in windows, this behavior enables an attacker to traverse the path by one directory level.

Example: If a file with the name "..'file.ext" is uploaded, PHP turns the name to "..\'file.ext" and the file is uploaded to the directory below of where the PHP script copies it.

~~~~~~~~ Counter Measures ~~~~~~~~~~~~~~~~~~~~~~~~

Upgrade to PHP version 4.3.10, respectively 5.0.3.

rusxakep
()
Ответ на: комментарий от Viper

Warning: main(): open_basedir restriction in effect. File(/var/www/html/site_1/temp/../../site_2/index.php\) is not within the allowed path(s): (/var/www/html/site_1:/var/www/tmp) in /var/www/html/site_1/temp/hack.php on line 1

Warning: main(/var/www/html/site_1/temp/../../site_2/index.php\): failed to open stream: Operation not permitted in /var/www/html/site_1/temp/hack.php on line 1

Warning: main(): Failed opening '/var/www/html/site_1/temp/../../site_2/index.php\' for inclusion (include_path='.:/var/www/html/site_1') in /var/www/html/site_1/temp/hack.php on line 1

Viper
()
Вы не можете добавлять комментарии в эту тему. Тема перемещена в архив.