-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-97.047 -- SNI Security Advisory and DIS Advisory 97-347.1
              PHP/FI command line buffer overflow and
              PHP/FI cgi program files restriction
                                                             23 April 1997
===========================================================================

Secure Networks Inc and the Digital Information Society (DIS) have
released the following advisories concerning two vulnerabilities in the
PHP/FI cgi program.

The first vulnerability, addressed in the SNI advisory, concerns a buffer
overflow in the PHP cgi program.  This vulnerability may allow
unauthorized users to obtain shell or command line access to any
vulnerable system.

The second vulnerability, addressed in the DIS advisory, concerns a lack
of restriction on the files that can be viewed on the system.  This
vulnerability may allow unauthorized users to view arbitrary file
contents on the vulnerable system.

AUSCERT has received information from the maintainer of PHP/FI, Rasmus
Lerdorf, that PHP/FI 2.0b11, to be released in the near future, will
address both vulnerabilities.

In the interim, sites are advised to remove the PHP cgi program if it is
not required.  If it is needed, sites are advised to apply BOTH solutions
given in the bulletins below, since each removes only one of the two
vulnerabilities.

More information on PHP/FI can be found at:

        http://www.vex.net/php/

The following security bulletins are provided as a service to AUSCERT's
members.  As AUSCERT did not write these documents, AUSCERT has had no
control over their contents.  As such, the decision to use any or all of
this information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.

Contact information for Secure Networks Inc and the Digital Information
Society is included in the Security Bulletins below.
If you have any questions or need further information, please contact
them directly.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).  On call after hours for
                emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

   ######   ##   ##   ######
   ##       ###  ##     ##
   ######   ## # ##     ##
       ##   ##  ###     ##
   ######.  ##   ##.  ######.

            Secure Networks Inc.

            Security Advisory
            April 17, 1997

         Buffer Overflow in php.cgi

This advisory describes a remotely exploitable buffer overflow in the
PHP cgi program.  This is *NOT* the PATTERN_RESTRICT issue described in
earlier bugtraq discussion.

Problem Description
~~~~~~~~~~~~~~~~~~~

In the function FixFilename() in file.c, PHP attempts to pass strings
whose length may be as long as 8 kilobytes into buffers as small as 128
bytes.  This overwrites the stack, making it possible for an attacker to
obtain shell access to the machine running the web server.

Technical Details
~~~~~~~~~~~~~~~~~

The filename argument to FixFilename is derived from the command line
used to invoke the CGI script, or from the QUERY_STRING environment
variable passed to it.  The total length of either can be as long as
eight kilobytes, but the fn string is a mere 128 bytes long.  Because
strcpy() copies until it finds a NUL, any basename of 128 bytes or more
runs past the end of fn into whatever follows it on the stack.

An excerpt from the flawed code reads:

    char *FixFilename(char *filename, int cd, int *ret) {
        ...
        char fn[128], user[128], *s;
        ...
        s = strrchr(filename,'/');
        if(s) {
            strcpy(fn,s+1);
            ...

Impact
~~~~~~

Attackers can remotely obtain shell or command line access to any
vulnerable system.
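The copy described above, modelled as an added example that is not code from the SNI advisory or from PHP/FI. It mirrors the control flow of the excerpt (copy the part after the last '/' only when a '/' is present), reports whether the original strcpy() would run past a 128-byte fn, and shows a bounded replacement that fails closed rather than truncating. The function names would_overflow_fn, safe_basename and make_long_path, the 8192-byte input bound, and the sample paths are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the SNI advisory or from PHP/FI.  It models
 * the flaw in FixFilename(): the basename of an attacker-controlled path
 * (up to ~8 KB, from the command line or QUERY_STRING) is strcpy()'d into
 * fn[128] on the stack.  All function names here are hypothetical. */

#define FN_SIZE 128            /* matches fn[128] (and user[128]) in the excerpt */
#define MAX_INPUT_LEN 8192     /* the eight-kilobyte input bound the advisory cites */

/* Mirrors the original's control flow (copy only when a '/' is present) and
 * reports whether strcpy(fn, s+1) would write past a FN_SIZE buffer.
 * Nothing is overflowed here; the copy itself is never performed. */
int would_overflow_fn(const char *filename)
{
    const char *s = strrchr(filename, '/');
    if (s == NULL)
        return 0;                       /* the original skips the copy entirely */
    return strlen(s + 1) + 1 > FN_SIZE; /* +1 for the terminating NUL */
}

/* Hardened basename copy: bounds the write by the caller's buffer size and
 * fails closed (returns -1, empty buffer) instead of truncating silently,
 * so an over-long name cannot be quietly turned into a different, shorter
 * file name.  Returns the number of bytes copied (excluding the NUL). */
int safe_basename(const char *filename, char *fn, size_t fn_size)
{
    const char *s = strrchr(filename, '/');
    const char *base = s ? s + 1 : filename;
    size_t n;

    if (fn_size == 0)
        return -1;
    if (strlen(filename) > MAX_INPUT_LEN) {   /* reject anything over the CGI bound */
        fn[0] = '\0';
        return -1;
    }
    n = strlen(base);
    if (n + 1 > fn_size) {                   /* would not fit, NUL included */
        fn[0] = '\0';
        return -1;
    }
    memcpy(fn, base, n + 1);
    return (int)n;
}

/* Builds a constructed attack-shaped path: "/cgi-bin/" followed by `len`
 * 'A' bytes, standing in for a long QUERY_STRING.  Caller frees the result. */
char *make_long_path(size_t len)
{
    static const char prefix[] = "/cgi-bin/";
    size_t plen = sizeof prefix - 1;
    char *p = malloc(plen + len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, prefix, plen);
    memset(p + plen, 'A', len);
    p[plen + len] = '\0';
    return p;
}

int main(void)
{
    char fn[FN_SIZE];
    const char *benign = "/var/www/index.phtml";   /* constructed sample path */
    char *attack = make_long_path(2000);            /* constructed over-long path */
    int rc;

    rc = safe_basename(benign, fn, sizeof fn);
    printf("benign: would_overflow=%d safe_basename=%d (%s)\n",
           would_overflow_fn(benign), rc, fn);
    rc = safe_basename(attack, fn, sizeof fn);
    printf("attack: would_overflow=%d safe_basename=%d\n",
           would_overflow_fn(attack), rc);
    free(attack);
    return 0;
}
```

The threshold in would_overflow_fn is 127 bytes of basename, not 128: strcpy() also writes the NUL, so a 128-byte name already overruns fn[128] by one byte. safe_basename rejects rather than truncates because a silently shortened name would open a different file than the one requested.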
Vulnerable Systems
~~~~~~~~~~~~~~~~~~

Any computer running a web server with php.cgi 2.0beta10 or earlier is
vulnerable, irrespective of what operating system it is running, provided
that PHP is run as a cgi, and not as an Apache module.  When compiled as
an Apache module, PHP does not appear to execute the problem code.

To determine whether a system is running a web server with php.cgi
installed as a cgi, use your favorite web browser to access the URL

    http://hostname/cgi-bin/php.cgi

If you see something like:

    PHP/FI Version 2.0b10
    ...

Then the machine hostname is running PHP/FI.

Fix information
~~~~~~~~~~~~~~~

Use the patch program to apply the following diffs to file.c, then
recompile php.cgi.  These diffs are against version 2.0b10.

*** file.c	Thu Apr 17 09:36:07 1997
- - --- file.c.fixed	Thu Apr 17 09:36:00 1997
***************
*** 295,315 ****
  s = strrchr(filename,'/');
  if(s) {
! strcpy(fn,s+1);
  o=*s;
  *s='
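Review bot: the only changed line visible in this hunk is `! strcpy(fn,s+1);`, and the page cuts off before the replacement side of the hunk, so the fix cannot be checked against the 128-byte bound the advisory describes; whatever bounded copy replaces it must limit the write to sizeof(fn) including the NUL and decide what to do when the basename after s+1 is 128 bytes or longer (the advisory puts the input at up to eight kilobytes), and the same question applies to the `user[128]` buffer declared alongside fn in the excerpt. Also note that the file header line reads `- - --- file.c.fixed` because the advisory is quoted inside two PGP-signed messages and has been dash-escaped twice; the `- - ` prefixes must be stripped before `patch` will recognise the `*** file.c` / `--- file.c.fixed` header pair.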