Bugtraq mailing list archives

Update on PHP/FI hole


From: jshaman () M-NET ARBORNET ORG (Shamanski)
Date: Wed, 16 Apr 1997 21:01:12 -0400


============================================================================
[DiS] Advisory 97-347.1
Issue date: April 16, 1997
Topic:  REMOTE Vulnerability in PHP/FI
----------------------------------------------------------------------------

A vulnerability has been found by DiS in PHP/FI, an NCSA httpd CGI enhancement.
This vulnerability allows unauthorized users to view arbitrary file contents
on the machine running httpd by sending the file name wishing to be displayed
as the QUERY_STRING.

I. Exploit

   simply use any web browser to send the following URL:

   http://boogered.system.com/cgi-bin/php.cgi?/file/to/view

   Note: this exploit has not been tested on a system that has compiled
         PHP/FI as an apache module. This information may or may not
         be applicable on such a system.

II. Impact

    Remote, unauthorized users can view arbitrary file contents on the
    system with the same privileges as the httpd (HTTP daemon) child process.


III. Solution

    The author has proposed the following solution:

...The workaround is to set the following in php.h

#define PATTERN_RESTRICT ".*\\.phtml$"

This will limit the php.cgi parser to only display files ending in .phtml

The exact same advisory applies to any other parser someone might decide
to stick in their cgi-bin directory.  This is in no way specific to PHP/FI.

You can also avoid the problem by using either CGI redirection or
by using the Apache module version.

-Rasmus

----------------------------------------------------------------------------

The current PHP/FI distribution may be obtained from http://www.vex.net/php

J-Man Th' Shaman [DiGiTAL iNFORMATiON SOCiETY]
jshaman () m-net arbornet org
jamin () avatar ml org
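The restriction Rasmus describes in section III, as an added example written for this archive page (not PHP/FI's own code): a C function that applies PATTERN_RESTRICT through the POSIX regex API before a requested file name is handed to the parser. The document root (DOC_ROOT) and the second check that rejects names outside it or containing a ".." component are assumptions added here; they are not part of the advisory, which relies on the suffix pattern alone.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* The restriction pattern from the advisory's workaround (php.h). */
#define PATTERN_RESTRICT ".*\\.phtml$"

/* Hypothetical document root; an assumption for this example, not from the advisory. */
#define DOC_ROOT "/usr/local/www/htdocs/"

/*
 * Decide whether a requested file name (as it arrives in QUERY_STRING)
 * may be handed to the parser.  Returns 1 if allowed, 0 if rejected.
 * Every error path rejects, so the check fails closed.
 */
int path_allowed(const char *path)
{
    regex_t re;
    int rc;

    if (path == NULL || path[0] == '\0')
        return 0;

    /* Step 1: the advisory's check - the name must end in ".phtml".
     * The trailing '$' matters: "old.phtml.bak" must not match. */
    if (regcomp(&re, PATTERN_RESTRICT, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    if (rc != 0)
        return 0;

    /* Step 2 (added here, not in the advisory): the name must sit under the
     * document root and contain no ".." component, so the suffix rule is not
     * the only thing between the request and the rest of the filesystem. */
    if (strncmp(path, DOC_ROOT, strlen(DOC_ROOT)) != 0)
        return 0;
    if (strstr(path, "/../") != NULL)
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample requests; none refer to real files. */
    const char *samples[] = {
        "/usr/local/www/htdocs/index.phtml",
        "/usr/local/www/htdocs/notes.txt",
        "/usr/local/www/htdocs/old.phtml.bak",
        "/usr/local/www/htdocs/../private/config.phtml",
        "/etc/motd",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-48s %s\n", samples[i],
               path_allowed(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```

Only the first sample passes: the second and third fail the suffix pattern, the fourth fails the added ".." check even though it ends in .phtml, and the fifth is outside the assumed document root and has the wrong suffix.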


