As posted on http://1337day.com/exploits/18605, cheki claimed that PHP 5.4.3 is vulnerable to code read vulnerability, where the PHP interpreter will fail to execute the file once ‘~’ symbol added to the end of the file name. Snipped from the PoC:
============================================================= #Demo: [root@cheki]# curl 22.214.171.124/index.php~ result: <!--?php phpinfo(); ?--> #Target: http://localhost/index.php~ result: <!--?php phpinfo(); ?--> ============================================================ [root@cheki]# curl 126.96.36.199/index.php result: NULL #Target: http://localhost/index.php result: NULL ===========================================================
Ok.. Since I had a test machine (Ubuntu) SSHed earlier, so I stright away add a new PPA repo (https://launchpad.net/~ondrej/+archive/php5) and install PHP 5.4.3. So here is my version to verify the PoC:
xanda@vostro:~$ php -v PHP 5.4.3-4~precise+1 (cli) (built: May 17 2012 13:00:25) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies xanda@vostro:~$ curl 127.0.0.1/index.php <form action="" method="post"> <input type="text" name="lala"> <input type="submit"> </form> xanda@vostro:~$ curl 127.0.0.1/index.php~ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL /index.php~ was not found on this server.</p> <hr> <address>Apache/2.2.22 (Ubuntu) Server at 127.0.0.1 Port 80</address> </body></html>
Hurmmmm okkkk…. I haven’t tested on Fedora release 17 (Beefy Miracle) as claimed by the author, but I think this is… You name it..
Please take note that most of GUI based text editor (eg: Gedit) will (auto)save your edited file into a backup file with the same file name but ended with ‘~’… Just like in the PoC huh?
If anyone managed to test it on Fedora release 17 (Beefy Miracle), kindly drop me the result on the comment section. Thanks in advance
Mirror for the advisory: http://pastebin.com/H1tjRDpD
1) @Netasq has given 2 workarounds for this issue.
In case you can't update PHP to 5.4.4, a quick Apache fix #security (1/2) Order allow,deny Deny from all
Quick Apache fix for PHP recent flaw #security (2/2) Order allow,deny Deny from all
2) Its not listed here (or I’ve missed it?) :- http://www.php.net/ChangeLog-5.php