Php5 GPC bypass flaw-vulnerability warning-the black bar safety net

2006-10-29T00:00:00
ID MYHACK58:62200612572
Type myhack58
Reporter 佚名
Modified 2006-10-29T00:00:00

Description

In the discussion of specific defects before we start to learn a little about php security aspect of small things. magic_quotes_gpc option is php one of the important security settings, when the option is ON that is open at the time, all from GET, POST, COOKie is passed over the data in the'," and\, and NULL and other meta characters will be automatically added\to achieve escape, this option allows theSql injectionor insert the code andXSSthe introduction of a string or to change program flow become difficult, but in php5, some special variables exist so that in some cases, or will be malicious user to introduce meta-characters to the database and the program. Variables in Php in addition to derived from$_GET,$_POST, and$_Cookie submission, but also derived from$_SERVER, AND$_ENV, AND $_SESSION, etc., of which$_ENV and$_SESSION we can't easily control, and freedom submitted, so the remaining a$_SERVER variable. And$_SERVER variables include things in addition to from the server itself there are also a large part derived from user-submitted HTTP request, such as:

Code: | QUERY_STRING //user GET method to submit the query string HTTP_REFERER //user the source of the request variable, in some applications the user to obtain access to records with more HTTP_USER_AGENT //the user's browser type, but also for the user's access to the record made HTTP_HOST //submit a host of first-class content HTTP_X_FORWARDED_FOR //the user's proxy host information


As the variables in php5. 0 the following is affected by the magic_quotes_gpc option, when magic_quotes_gpc option is ON, the array of meta-characters and other content will do escape processing is OFF, the user submission will not do any processing, directly to the array. Now most of the security points of the program have noted that the$GET,$POST and$Cookie-risk, the following excerpt from Discuz variables the first test of the code:

Code: $magic_quotes_gpc = get_magic_quotes_gpc(); @extract(daddslashes($_POST)); @extract(daddslashes($_GET)); if(!$ magic_quotes_gpc) { $_FILES = daddslashes($_FILES); }


Well, it has been noted coming from$_GET,$_POST, AND$_FILES and$_Cookie variables of security, but the$_SERVER variables? Although magic_quotes_gpc is on in the case of these variables may be protected, but obviously, ignore the$_SERVER result is that security risks increase, you can go looking for the program to obtain the$_SERVER place, was probably the weak point! Similarly, in the Bo-blog in the following code:

Code: $ip_tmp1 = $_SERVER['HTTP_X_FORWARDED_FOR']; if ($ip_tmp1!= "" && $ip_tmp1!= "unknown") $userdetail['ip']=$ip_tmp1; else $userdetail['ip']=$ip_tmp;


Then in tb. php 5 8 lines with the following statement written replies table:

Code: $blog->query("INSERT INTO{$db_prefix}repliesVALUES ('{$currentmaxid}', '4', '{$v_id}', '{$reptime}', '-1', '{$blog_name}', '{$title}', '{$url}', '{$userdetail['ip']}', '{$excerpt}', '0', '0', '0', '0', ", '0', ", '0', ", '0' , ", ", ", ", ", ", ", ")");


Obviously you can see, if we can get around'and then use/*to comment out something behind the words, we can fake IP behind some of the content, since much of the program itself will fail on$_SERVER variables, so long as we bypass the php itself to'escape. In php4, if magic_quotes_gpc is Off then you don't have to worry, but if magic_quotes_gpc is On, we may as it is not so big! But this is the case in php5 to get a thorough improvement on the test found in php5, regardless of whether magic_quotes_gpc is On or Off, the Php the$_SERVER variable is not going to do the escape processing means that we can very easily strip process sequence', A", and the NULL character, which for those variable filter is not a strict program to be fatal! Don't know php5 is for what reason and to do so, use the following script can prove it:

Code: <? echo "a=".$ _GET[a]."\ r\n"; echo "HTTP_X_FORWARDED_FOR=".$ _SERVER['HTTP_X_FORWARDED_FOR']."\ r\n"; echo "HTTP_REFERER=".$ _SERVER['HTTP_REFERER']."\ r\n"; echo "QUERY_STRING=".$ _SERVER['QUERY_STRING']."\ r\n"; ?>


We in magic_quotes_gpc is ON, and Php5 with a case where the NC is submitted to the server: the

Code: GET /eqdkp/includes/3. php? a=Test' HTTP/1.1 Accept: */* Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: luckboy.sufee.net Connection: Keep-Alive X-Forwarded-For: 'Test"' Referer: 'Test"' Cookie: herefirst=yes; eqdkp_data=a%3A2%3A%7Bs%3A13%3A%22auto_login_id%2 2%3Bs%3A0%3A%2 2% 2 2%3Bs%3A7%3A%22user_id%2 2%3Bi%3A-1%3B%7D; eqdkp_sid=3c458d65b8c8e504b4427ba8de2eddb3


Will see:

Code: ` Warning: inverse host lookup failed for 221.230.129.116: h_errno 1 1 0 0 4: NO_DATA

heman.sufee.net [221.230.129.116] 8 0 (http) open HTTP/1.1 2 0 0 OK Connection: close Date: Mon, 0 7 Aug 2 0 0 6 0 9:0 2:2 4 GMT Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: PHP/5.0.4 X-Powered-By: ASP.NET

a=Test' HTTP_X_FORWARDED_FOR='Test"' HTTP_REFERER='Test"' QUERY_STRING=a=Test' `


Obviously, in a php5 environment we are the$_SERVER variables will no longer be affected by the magic_quotes_gpc protection, as Program The how to strengthen their own security, or that sentence, to strengthen the program's own filtering mechanism, not dependent on the language itself! Remember that all inputs are harmful.

Thakes To Lake2 & Maple-X