=============================================================================================
Vulnerable Software: PHP 5.3.10 / 5.4.0
  php-5.3.10-Win32-VC9-x86.zip (MD5 SUM: af452dfa681ae03ff42eea6d1c7348cd)
  php-5.4.0-Win32-VC9-x86.zip  (MD5 SUM: b1b0abe883f84eb6d76793aabf1aa612)
Downloaded From: windows.php.net
=============================================================================================
Tested:
  OS: Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
  Apache from apachelounge.com: Version 2.2.22.0
=============================INFO============================================================
PHP 5.3.10
  OS: Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
  PHP Version: 5.3.10
  Build Date: Feb 2 2012 20:26:31
  Compiler: MSVC9 (Visual C++ 2008)
  Architecture: x86
  Configure Command: cscript /nologo configure.js "--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze"
==============================================================================================
PHP 5.4.0
  OS: Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
  Build Date: Feb 29 2012 19:20:16
  Compiler: MSVC9 (Visual C++ 2008)
  Architecture: x86
  Configure Command: cscript /nologo configure.js "--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-nsapi" "--without-mssql" "--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared" "--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze" "--with-pgo"
===============================================================================================
Vuln Desc: Cross Site Scripting Vulnerabilities.
Reason: Misconfiguration in the php.ini-* files regarding the => html_errors <= directive,
and also insufficient sanitization when generating warnings, which can be manipulated from the client side.

The problem is that PHP 5.3.10's php.ini "says":

// Snippet from php.ini-production (this also applies to php.ini-development, except display_errors)
---------SNIP STUFF ------------------------
display_errors = off
----- SOME CONFIGURATION SNIP------------
; When PHP displays or logs an error, it has the capability of inserting html
; links to documentation related to that error. This directive controls whether
; those HTML links appear in error messages or not. For performance and security
; reasons, it's recommended you disable this on production servers.
; Note: This directive is hardcoded to Off for the CLI SAPI
; Default Value: On
; Development Value: On
; Production value: Off
; http://php.net/html-errors
html_errors = off
------------EOF SNIP STUFF------------------------

I agree with display_errors = off; it works as expected, but...
Simply enable it: change display_errors = off to the On state.
(display_errors = On)
Restart Apache and exploit (let's say this is the vulnerable script on the server, e.g.):

cat step2.php
/* BEGIN */
/* = EOF */

Exploit:
http://192.168.0.15/bypass/work/step2.php?test=../../../../../../../../../../../../../../

From the source code of the page (take a look: it is not "htmlentitied" by PHP; Non-Persistent Cross Site Scripting Vuln):

Warning: file_get_contents(): Unable to access ../../../../../../../../../../../../../../ in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6
Warning: file_get_contents(../../../../../../../../../../../../../../): failed to open stream: No such file or directory in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6

Print screen: http://s019.radikal.ru/i634/1204/d8/ec8485e212bc.png

The whole problem is that html_errors = off doesn't work as expected. (Am I confused, or...?)
(Note: In PHP Version 5.4.0 php.ini-production has html_errors=On (<= in this state it is disabled). This means it is off by default, because php 5.4.10 too is prone to this. For testing, change it to Off. It is also vulnerable.)
It "thinks" the OFF state is ON and vice versa (OFF is ON).
You can confirm it simply: change it to the On state, then restart Apache and try to exploit as below. (It will not work in this case.)

Here is the output after changing to the => html_errors=On <= state (changed to On state).
From the source code of the page (take a look: it is "htmlentitied" and safe now):
Warning: file_get_contents(../../../../../../../../../../../../../../<script>alert(1);</script>) [function.file-get-contents]: failed to open stream: Invalid argument in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6
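As an added example (not the advisory's step2.php, whose body is not reproduced above), the same pattern of script, a request parameter handed to file_get_contents(), with the mitigations the advisory describes enforced in the script itself, so they hold however the html_errors directive is interpreted. BASE_DIR and safe_read() are hypothetical names, and the code uses only functions that exist in the PHP 5.3 the advisory tests.

```php
<?php
// Added example, not the advisory's step2.php: a script that also hands a
// request parameter to file_get_contents(), but with the advisory's
// mitigations enforced in code. BASE_DIR and safe_read() are hypothetical.
// Written against PHP 5.3-era functions only.

// 1. Never stream raw warnings to the client; log them instead. This is the
//    advisory's workaround applied per-script, independent of php.ini.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Route every warning through a handler that escapes before it echoes,
//    so the request path inside the message can never be rendered as markup
//    even if an operator later turns display_errors back on.
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        echo '<b>Warning</b>: ', htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8'),
             ' in ', htmlspecialchars($errfile, ENT_QUOTES, 'UTF-8'),
             ' on line ', (int) $errline, "<br>\n";
    }
    return true; // handled; skip PHP's built-in display logic entirely
});

// 3. Confine reads to one directory so "../" sequences cannot leave it.
define('BASE_DIR', __DIR__ . DIRECTORY_SEPARATOR . 'public_files'); // hypothetical

function safe_read($requested)
{
    $base = realpath(BASE_DIR);
    $path = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $requested);
    // realpath() returns false for missing paths; the prefix check rejects
    // anything that resolved outside BASE_DIR, traversal included.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

$content = safe_read(isset($_GET['test']) ? (string) $_GET['test'] : '');
if ($content === null) {
    header('HTTP/1.1 404 Not Found');
    echo 'File not found.'; // fixed text: nothing from the request is echoed
} else {
    echo htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
}
```

With display_errors forced off, the escaping branch of the handler is a second line of defence only; the realpath() prefix check is what keeps the traversal request from ever reaching the file system call.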
In fact on production servers => display_errors = off (default) <=, so this suppresses all of this stuff. (This will mitigate this issue.)

Here are my md5 sums:

me@localhost.localdomain /cygdrive/c/temp/mydirsnap
$ md5sum php-5.3.10-Win32-VC9-x86.zip
af452dfa681ae03ff42eea6d1c7348cd *php-5.3.10-Win32-VC9-x86.zip   <= It is from my VirtualBox (same md5 sum)

me@localhost.localdomain /cygdrive/c/temp/mydirsnap
$ md5sum 2/php-5.3.10-Win32-VC9-x86.zip
af452dfa681ae03ff42eea6d1c7348cd *2/php-5.3.10-Win32-VC9-x86.zip <= Just downloaded from windows.php.net (same md5 sum, see below)

me@localhost.localdomain /cygdrive/c/temp/mydirsnap
$ ls -liaR
.:
total 15436
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует        0 Apr  8 22:57 .
 3659174697249195 drwxrwxrwt+ 1 Domain Отсутствует       0 Apr  8 22:57 ..
 5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует        0 Apr  8 23:01 2
 3659174697298844 -rwxrwxrwx+ 1 Гость Отсутствует 15805513 Feb 13 00:37 php-5.3.10-Win32-VC9-x86.zip   <= It is from my VirtualBox

./2:
total 15436
 5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует        0 Apr  8 23:01 .
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует        0 Apr  8 22:57 ..
26177172834151436 -rwxrwxrwx+ 1 user  Отсутствует 15805513 Apr  8 22:12 php-5.3.10-Win32-VC9-x86.zip   <= Just downloaded from windows.php.net

me@localhost.localdomain /cygdrive/c/temp/mydirsnap

Note: Not tested under Linux. Tested *only* under Windows Server 2003 OS.

********************************************** Workaround *******************************************
After playing with html_errors=on/off, test your server as described above.
Turn off display_errors in your php.ini (suppress all errors and warnings, and do not output anything to the client side).
****************************************************************************************************

/AkaStep ^_^
Greetz to all: packetstormsecurity.*, securityfocus.com, cxsecurity.com, security.nnov.ru, securtiyvulns.com and to all others! Thank you.