Bugtraq mailing list archives
Update on PHP/FI hole
From: jshaman () M-NET ARBORNET ORG (Shamanski)
Date: Wed, 16 Apr 1997 21:01:12 -0400
============================================================================
[DiS] Advisory 97-347.1
Issue date: April 16, 1997
Topic: REMOTE Vulnerability in PHP/FI
----------------------------------------------------------------------------

A vulnerability has been found by DiS in PHP/FI, an NCSA httpd cgi enhancement. This vulnerability allows unauthorized users to view arbitrary file contents on the machine running httpd by sending the file name wishing to be displayed as the QUERY_STRING.

I. Exploit

Simply use any web browser to send the following URL:

    http://boogered.system.com/cgi-bin/php.cgi?/file/to/view

Note: this exploit has not been tested on a system that has compiled PHP/FI as an apache module. This information may or may not be applicable on such a system.

II. Impact

Remote, unauthorized users can view arbitrary file contents on the system with the same privileges as the httpd (HTTP daemon) child process.

III. Solution

The author has proposed the following solution:

...The workaround is to set the following in php.h

    #define PATTERN_RESTRICT ".*\\.phtml$"

This will limit the php.cgi parser to only display files ending in .phtml

The exact same advisory applies to any other parser someone might decide to stick in their cgi-bin directory. This is in no way specific to PHP/FI. You can also avoid the problem by using either CGI redirection or by using the Apache module version.

-Rasmus

----------------------------------------------------------------------------
The current PHP/FI distribution may be obtained from http://www.vex.net/php

J-Man Th' Shaman
[DiGiTAL iNFORMATiON SOCiETY]
jshaman () m-net arbornet org
jamin () avatar ml org
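The PATTERN_RESTRICT workaround quoted in the advisory above, sketched as a stand-alone check on the file name taken from QUERY_STRING. This is an added example, not code from PHP/FI or from the advisory's author. The function names `request_allowed` and `has_dotdot` and the sample paths are hypothetical, and the refusal of ".." path components is an extra assumption that the advisory does not mention.

```c
/* Added example: not PHP/FI source code. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Same pattern the advisory gives for php.h. */
#define PATTERN_RESTRICT ".*\\.phtml$"

/* Returns 1 if any '/'-separated component is exactly "..".
 * Extra check assumed for this example; not part of the advisory. */
static int has_dotdot(const char *p) {
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

/* 1 = file name may be parsed, 0 = refused, -1 = pattern failed to compile. */
int request_allowed(const char *query_string) {
    regex_t re;
    int matched;
    if (query_string == NULL || *query_string == '\0') return 0;
    if (regcomp(&re, PATTERN_RESTRICT, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    matched = (regexec(&re, query_string, 0, NULL, 0) == 0);
    regfree(&re);
    return matched && !has_dotdot(query_string);
}

int main(void) {
    /* Constructed sample requests; the first is the path from the advisory. */
    const char *samples[] = {
        "/file/to/view", "/docs/index.phtml",
        "/docs/index.phtml.bak", "/docs/../private/notes.phtml"
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               request_allowed(samples[i]) == 1 ? "allowed" : "refused");
    return 0;
}
```

The pattern only constrains the file name's suffix, so any readable file ending in .phtml still passes the first test; the component check narrows that further in this example.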