CVE-2004-1064
CVSS10.0
发布时间 :2005-01-10 00:00:00
修订时间 :2016-10-17 22:51:06
NMCOP    

[原文]The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.


[CNNVD]PHP SafeMode 绕过安全限制漏洞(CNNVD-200501-050)

        PHP是一种流行的WEB服务器端编程语言。
        多个PHP版本(4.x至4.3.9,5.x至5.0.2)存在绕过安全机制漏洞。
        上述版本的PHP在安全模式(safe mode)检查机制中,将数据传递给函数前会去除文件路径,这导致攻击者可能绕过安全模式。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1064
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1064
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-050
(官方数据源) CNNVD

- 其它链接及资源

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000915
(UNKNOWN)  CONECTIVA  CLA-2005:915
http://marc.info/?l=bugtraq&m=111117104809638&w=2
(UNKNOWN)  UBUNTU  USN-99-1
http://marc.info/?l=bugtraq&m=111170851228358&w=2
(UNKNOWN)  UBUNTU  USN-99-2
http://www.gentoo.org/security/en/glsa/glsa-200412-14.xml
(UNKNOWN)  GENTOO  GLSA-200412-14
http://www.hardened-php.net/advisories/012004.txt
(UNKNOWN)  MISC  http://www.hardened-php.net/advisories/012004.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2004:151
(UNKNOWN)  MANDRAKE  MDKSA-2004:151
http://www.mandriva.com/security/advisories?name=MDKSA-2005:072
(UNKNOWN)  MANDRAKE  MDKSA-2005:072
http://www.php.net/release_4_3_10.php
(UNKNOWN)  CONFIRM  http://www.php.net/release_4_3_10.php
http://www.securityfocus.com/advisories/9028
(UNKNOWN)  HP  HPSBMA01212
http://www.securityfocus.com/archive/1/384545
(UNKNOWN)  BUGTRAQ  20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5
http://www.securityfocus.com/bid/11964
(UNKNOWN)  BID  11964
http://xforce.iss.net/xforce/xfdb/18512
(UNKNOWN)  XF  php-realpath-safemode-bypass(18512)

- 漏洞信息

PHP SafeMode 绕过安全限制漏洞
危急 设计错误
2005-01-10 00:00:00 2005-10-20 00:00:00
远程※本地  
        PHP是一种流行的WEB服务器端编程语言。
        多个PHP版本(4.x至4.3.9,5.x至5.0.2)存在绕过安全机制漏洞。
        上述版本的PHP在安全模式(safe mode)检查机制中,将数据传递给函数前会去除文件路径,这导致攻击者可能绕过安全模式。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复此安全问题,补丁获取链接:
        http://www.php.net/downloads.php

- 漏洞信息 (F35361)

012004.txt (PacketStormID:F35361)
2004-12-30 00:00:00
Stefan Esser  hardened-php.net
advisory,remote,arbitrary,local,php,vulnerability
CVE-2004-1018,CVE-2004-1019,CVE-2004-1063,CVE-2004-1064
[点击下载]

Hardened-PHP Project Security Advisory - Several vulnerabilities within PHP allow local and remote execution of arbitrary code. PHP4 versions 4.3.9 and below and PHP5 version 5.0.2 and below are affected.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: Multiple vulnerabilities within PHP 4/5
 Release Date: 2004/12/15
Last Modified: 2004/12/15
       Author: Stefan Esser [sesser@php.net]

  Application: PHP4 <= 4.3.9
               PHP5 <= 5.0.2
     Severity: Several vulnerabilities within PHP allow 
               local and remote execution of arbitrary code
         Risk: Critical
Vendor Status: Vendor has released bugfixed versions.
   References: http://www.hardened-php.net/advisories/012004.txt


Overview:

   PHP is a widely-used general-purpose scripting language that is 
   especially suited for Web development and can be embedded into HTML.

   During the development of Hardened-PHP which adds security hardening
   features to the PHP codebase, several vulnerabilities within PHP 
   were discovered that reach from bufferoverflows, over information 
   leak vulnerabilities and path truncation vulnerabilities to
   safe_mode restriction bypass vulnerabilities.
   

Details:

   [01 - pack() - integer overflow leading to heap bufferoverflow ]
   
   Insufficient validation of the parameters passed to pack() can
   lead to a heap overflow which can be used to execute arbitrary
   code from within a PHP script. This enables an attacker to
   bypass safe_mode restrictions and execute arbitrary code with
   the permissions of the webserver. Due to the nature of this
   function it is unlikely that a script accidently exposes it to
   remote attackers.
   
   [02 - unpack() - integer overflow leading to heap info leak ]

   Insufficient validation of the parameters passed to unpack() can
   lead to a heap information leak which can be used to retrieve
   secret data from the apache process. Additionally a skilled
   local attacker could use this vulnerability in combination with
   01 to bypass heap canary protection systems. Similiar to 01 this
   function is usually not used on user supplied data within
   webapplications.

   [03 - safe_mode_exec_dir bypass in multithreaded PHP ]
   
   When safe_mode is activated within PHP, it is only allowed to
   execute commands within the configured safe_mode_exec_dir. 
   Unfourtunately PHP does prepend a "cd [currentdir] ;" to any
   executed command when a PHP is running on a multithreaded unix
   webserver (f.e. some installations of Apache2). Because the name
   of the current directory is prepended directly a local attacker
   may bypass safe_mode_exec_dir restrictions by injecting shell-
   commands into the current directory name.
   
   [04 - safe_mode bypass through path truncation ]
   
   The safe_mode checks silently truncated the file path at MAXPATHLEN
   bytes before passing it to realpath(). In combination with certain
   malfunctional implementations of realpath() f.e. within glibc this
   allows crafting a filepath that pass the safe_mode check although
   it points to a file that should fail the safe_mode check.
   
   [05 - path truncation in realpath() ]
   
   PHP uses realpath() within several places to get the real path
   of files. Unfourtunately some implementations of realpath() silently
   truncate overlong filenames (f.e. OpenBSD, and older NetBSD/FreeBSD)
   This can lead to arbitrary file include vulnerabilities if something
   like "include "modules/$userinput/config.inc.php"; is used on such
   systems.
   
   [06 - unserialize() - wrong handling of negative references ]
   
   The variable unserializer could be fooled with negative references
   to add false zvalues to hashtables. When those hashtables get
   destroyed this can lead to efree()s of arbitrary memory addresses
   which can result in arbitrary code execution. (Unless Hardened-PHP's
   memory manager canaries are activated)
   
   [07 - unserialize() - wrong handling of references to freed data ]
   
   Additionally to bug 07 the previous version of the variable 
   unserializer allowed setting references to already freed entries in
   the variable hash. A skilled attacker can exploit this to create 
   an universal string that will pass execution to an arbitrary 
   memory address when it is passed to unserialize(). For AMD64 systems
   a string was developed that directly passes execution to code 
   contained in the string itself.
   
   It is necessary to understand that these strings can exploit a 
   bunch of popular PHP applications remotely because they pass f.e.
   cookie content to unserialize().
   
   Examples of vulnerable scripts:
   
      - phpBB2
      - Invision Board
      - vBulletin
      - Woltlab Burning Board 2.x
      - Serendipity Weblog
      - phpAds(New)
      - ...


Proof of Concept:

   The Hardened-PHP project is not going to release exploits for any 
   of these vulnerabilities to the public.


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CAN-2004-1018 to issues 01, 02, the name 
   CAN-2004-1019 to issues 06, 07, the name CAN-2004-1063 to issue 03
   and the name CAN-2004-1064 to issues 04, 05.


Recommendation:

   It is strongly recommended to upgrade to the new PHP-Releases as
   soon as possible, because a lot of PHP applications expose the
   easy to exploit unserialize() vulnerability to remote attackers.
   Additionally we always recommend to run PHP with the Hardened-PHP
   patch applied.
   

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2004 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFBwDo7RDkUzAqGSqERAgVxAKC0LnTE49y5HFjeXpwXrZmAjuCL8gCgpQUl
rtmmBfJ3iv9Ksb/xtnyflD0=
=lzXX
-----END PGP SIGNATURE-----

    

- 漏洞信息

12413
PHP realpath() Truncation Arbitrary File Inclusion
Vendor Verified

- 漏洞描述

PHP contains a flaw that may allow an attacker to bypass security restrictions. The issue is due to PHP truncating the file path before passing it to the realpath function. This may allow an attacker to bypass safe mode restrictions.

- 时间线

2004-12-15 Unknow
Unknow Unknow

- 解决方案

Upgrade to version 4.3.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站