Although this comes some time after the exploit's publication date (11/13/2009), today I'll talk about a serious flaw in PHP 5.2.12/5.3.1 that, by exploiting a structural weakness in the symlink() function, allows the permission checks of the open_basedir restriction to be bypassed.
In practice, this vulnerability makes it possible for a web space to read files on the web server that it is not authorized to access, such as "/etc/passwd" and the like.
The simplest and most practical application of this vulnerability is the following code:
<?php symlink("/etc/passwd", "test.txt"); ?>
If PHP's "safe_mode" was disabled, this would create, in the web space, a symbolic link named "test.txt" pointing to the contents of "/etc/passwd". Calling the symbolic link from the browser as follows:
http://<domain>/test.txt
we would see the contents of "/etc/passwd" on screen. Depending on the hosting provider, this file may also contain the web customers' passwords, so the severity of the vulnerability is high.
If, however, PHP's safe_mode was active, you would receive an error message saying the operation could not be performed because of missing access permissions on "/etc/passwd".
I tried applying this technique on various hosting providers where I have small sites or test space, and depending on certain security settings (privileges, FollowSymLinks, etc.) you may or may not get access to sensitive data, for instance viewing the configuration files of other domains on the same server we are on.
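Because open_basedir only constrains PHP's own file functions while the web server serves the link as an ordinary static file, auditing the document root for symlinks that resolve outside it is a practical check. The following Python script is an added example, not code from the original post: it walks a document root without following directory links, resolves every symlink, and flags those whose final target lies outside the allowed base directories or does not exist. The sample layout built in demo() is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def _inside(target: str, bases) -> bool:
    """True if the resolved path lies under one of the allowed base directories."""
    for base in bases:
        b = os.path.realpath(base).rstrip(os.sep)
        if target == b or target.startswith(b + os.sep):
            return True
    return False


def find_escaping_symlinks(docroot: str, allowed_bases):
    """Return (link_path, resolved_target) for every symlink under docroot whose
    final target is outside all allowed bases or does not exist (dangling).
    Directory symlinks are inspected but never descended into, so a link that
    escapes the root cannot pull the whole outside tree into the scan."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # follows chains of links
            if not os.path.exists(target) or not _inside(target, allowed_bases):
                findings.append((path, target))
    return findings


def demo():
    """Constructed layout: a harmless relative link inside the root, a link
    escaping to a file outside the root, and a dangling link. Returns the
    flagged link names relative to the document root."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "htdocs")
    os.makedirs(os.path.join(docroot, "img"))
    Path(docroot, "img", "logo.png").write_bytes(b"constructed")
    Path(root, "secret.conf").write_text("db_password=constructed\n")
    os.symlink("img/logo.png", os.path.join(docroot, "logo.png"))  # stays inside
    os.symlink(os.path.join(root, "secret.conf"), os.path.join(docroot, "conf.txt"))  # escapes
    os.symlink("missing.txt", os.path.join(docroot, "dangling.txt"))  # dangles
    flagged = find_escaping_symlinks(docroot, [docroot])
    return sorted(os.path.relpath(p, docroot) for p, _ in flagged)


if __name__ == "__main__":
    print(demo())  # ['conf.txt', 'dangling.txt']
```

On a live host, pair the scan with Apache's `Options -FollowSymLinks` (or `SymLinksIfOwnerMatch`) so that an escaping link is not served even if one is created.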
This PHP vulnerability has sparked some discussion about the various mass attacks that hit a number of well-known and lesser-known web hosts last year. From my point of view it is plausible, therefore, that this flaw provided access to hundreds of web spaces and let them be compromised, with valuable information stolen for further attacks.
Related links:
PHP 5.2.12/5.3.1 symlink() open_basedir bypass - SecurityReason.com
January 6, 2010
Exploit, Security, Vulnerability