MYHACK58:62200613284
Dec 15, 2006 - 12:00 a.m.

PHP session restriction bypass vulnerability - vulnerability warning - Black Bar Security Net (myhack58)

Author: Anonymous (佚名)
Source: www.myhack58.com

**PHP session.save_path() safe_mode and open_basedir restriction bypass vulnerability**

============Affected systems============

PHP 5.2.0 (the code quoted below is from the 5.2.0 tree)

=============Vulnerability description=============

PHP's session handling code contains a flaw in how the session.save_path value is validated and then parsed. A script running under safe_mode or open_basedir can exploit it to read session data from, or write session files into, a directory it is not allowed to access, disclosing sensitive information or writing files to an unauthorized location.

session.save_path can be set at runtime with ini_set() or session_save_path(). The value must name the directory in which the session data files are stored, but the accepted syntax is more than a bare path:

[/PATH]

or

[N;/PATH]

where N is the directory depth, parsed as a decimal integer. The code below also accepts a third form, [N;MODE;/PATH], with MODE as an octal file mode. In every form the last ';'-separated element is the path. For example:

1. session_save_path("/DIR/WHERE/YOU/HAVE/ACCESS")
2. session_save_path("5;/DIR/WHERE/YOU/HAVE/ACCESS")

and, the malicious variant with an embedded NUL byte:

3. session_save_path("/DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS")

Code from PHP 5.2.0 ext/session/session.c, lines 1477-1493 [START]:

PHP_FUNCTION(session_save_path)
{
	zval **p_name;
	int ac = ZEND_NUM_ARGS();
	char *old;

	if (ac < 0 || ac > 1 || zend_get_parameters_ex(ac, &p_name) == FAILURE)
		WRONG_PARAM_COUNT;

	old = estrdup(PS(save_path));

	if (ac == 1) {
		convert_to_string_ex(p_name);
		/* Z_STRLEN_PP is the full PHP string length, so bytes after an
		 * embedded NUL are passed along; the ini on-modify handler for
		 * session.save_path (safe_mode/open_basedir checks) runs here. */
		zend_alter_ini_entry("session.save_path", sizeof("session.save_path"), Z_STRVAL_PP(p_name), Z_STRLEN_PP(p_name), PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
	}

	RETVAL_STRING(old, 0);
}

Lines 1477-1493 of PHP 5.2.0 ext/session/session.c [END]

The value is stored in the ini entry hash, but before that the on-modify handler for session.save_path applies the safe_mode and open_basedir checks to it: it locates the last ';' using the value's full length and validates only the path that follows it. When the script then calls session_start(), PS_OPEN_FUNC(files) in the files save handler parses the stored session.save_path value again, this time with C string functions.

Code from PHP 5.2.0 ext/session/mod_files.c, lines 242-300 [START]
PS_OPEN_FUNC(files)
{
	ps_files *data;
	const char *p, *last;
	const char *argv[3];
	int argc = 0;
	size_t dirdepth = 0;
	int filemode = 0600;

	if (*save_path == '\0') {
		/* if save path is an empty string, determine the temporary dir */
		save_path = php_get_temporary_directory();
	}

	/* split up input parameter: strchr() stops at the first NUL byte,
	 * so a ';' placed after an embedded NUL is never found */
	last = save_path;
	p = strchr(save_path, ';');
	while (p) {
		argv[argc++] = last;
		last = ++p;
		p = strchr(p, ';');
		if (argc > 1) break;
	}
	argv[argc++] = last;

	if (argc > 1) {
		errno = 0;
		dirdepth = (size_t) strtol(argv[0], NULL, 10);
		if (errno == ERANGE) {
			php_error(E_WARNING,
					"The first parameter in session.save_path is invalid");
			return FAILURE;
		}
	}

	if (argc > 2) {
		errno = 0;
		filemode = strtol(argv[1], NULL, 8);
		if (errno == ERANGE || filemode < 0 || filemode > 07777) {
			php_error(E_WARNING,
					"The second parameter in session.save_path is invalid");
			return FAILURE;
		}
	}
	/* the last element is taken as the directory for session files */
	save_path = argv[argc - 1];

	data = emalloc(sizeof(*data));
	memset(data, 0, sizeof(*data));

	data->fd = -1;
	data->dirdepth = dirdepth;
	data->filemode = filemode;
	data->basedir_len = strlen(save_path);
	data->basedir = estrndup(save_path, data->basedir_len);

	PS_SET_MOD_DATA(data);

	return SUCCESS;
}
Lines 242-300 of PHP 5.2.0 ext/session/mod_files.c [END]

The two sides disagree about the string. The ini check works with the full length, so it finds the ';' after the NUL byte and validates /DIR/WHERE/YOU/HAVE/ACCESS, which passes. PS_OPEN_FUNC(files) uses strchr(), which treats the value as a C string and stops at the NUL, so it never sees the ';' and takes the whole (truncated) value, /DIR/WHERE/YOU/DONT/HAVE/ACCESS, as the session directory. The session files are therefore read from and written to a directory that safe_mode and open_basedir should have forbidden, which allows disclosure of sensitive information or writing files to an unauthorized location.
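To make the length mismatch concrete, the following C program is an added example written for this page; it is not code from PHP. It models the two sides in isolation: a length-aware check in the style of the ini handler, which finds the last ';' over the whole buffer and validates only the path after it, and the strchr()-based split from PS_OPEN_FUNC(files) above. The allowed directory /tmp/allowed, the constructed value "/etc\0;/tmp/allowed", the toy prefix comparison that stands in for php_check_open_basedir(), and all function names are assumptions for illustration. It also shows a hardened check that rejects any embedded NUL before doing anything else, which makes both sides see the same string.

```c
#include <stdio.h>
#include <string.h>

/* Assumed open_basedir for this illustration: only this tree is allowed. */
#define ALLOWED_BASEDIR "/tmp/allowed"

/* Model of the runtime ini check: locate the last ';' over the FULL length
 * (the length counts bytes after an embedded NUL too) and validate only the
 * path after it. Returns 1 if accepted, 0 if rejected.
 * A toy prefix comparison stands in for php_check_open_basedir(). */
static int check_save_path(const char *value, size_t len)
{
    const char *path = value;
    size_t i;

    for (i = len; i > 0; i--) {
        if (value[i - 1] == ';') {
            path = value + i;
            break;
        }
    }
    return strncmp(path, ALLOWED_BASEDIR, strlen(ALLOWED_BASEDIR)) == 0;
}

/* Model of the split in PS_OPEN_FUNC(files): strchr() treats the buffer as a
 * C string and stops at the first NUL, so a ';' after the NUL is never seen.
 * Returns the directory the session files would actually be created in. */
static const char *effective_save_dir(const char *save_path)
{
    const char *argv[3];
    int argc = 0;
    const char *last = save_path;
    const char *p = strchr(save_path, ';');

    while (p) {
        argv[argc++] = last;
        last = ++p;
        p = strchr(p, ';');
        if (argc > 1)
            break;
    }
    argv[argc++] = last;
    return argv[argc - 1];
}

/* Hardened variant: refuse any value with an embedded NUL before looking at
 * it at all, so the check and the parser operate on the same string. */
static int check_save_path_hardened(const char *value, size_t len)
{
    if (memchr(value, '\0', len) != NULL)
        return 0;
    return check_save_path(value, len);
}

/* Constructed attacker-controlled value; sizeof - 1 keeps the embedded NUL
 * inside the length, as Z_STRLEN_PP does for a PHP string. */
static const char EVIL[] = "/etc\0;/tmp/allowed";
#define EVIL_LEN (sizeof(EVIL) - 1)

/* Constructed benign value in the N;/PATH form. */
static const char BENIGN[] = "5;/tmp/allowed";
#define BENIGN_LEN (sizeof(BENIGN) - 1)

/* 1 if the original check accepts EVIL while the files handler would use a
 * directory outside the allowed tree, i.e. the bypass works. */
int demonstrates_bypass(void)
{
    return check_save_path(EVIL, EVIL_LEN) == 1
        && strcmp(effective_save_dir(EVIL), ALLOWED_BASEDIR) != 0;
}

int main(void)
{
    printf("original check accepts evil value: %d\n", check_save_path(EVIL, EVIL_LEN));
    printf("directory actually used:           %s\n", effective_save_dir(EVIL));
    printf("hardened check accepts evil value: %d\n", check_save_path_hardened(EVIL, EVIL_LEN));
    printf("benign value accepted / used:      %d / %s\n",
           check_save_path_hardened(BENIGN, BENIGN_LEN), effective_save_dir(BENIGN));
    return 0;
}
```

The point to take from running it is that the original check accepts the evil value while the files handler would put the session files under /etc, whereas the hardened check rejects it and still accepts the benign "5;/tmp/allowed" form. Any validation that computes a different view of a buffer than the code that later consumes it (here: length-aware versus NUL-terminated) is open to the same trick.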

=============Temporary workaround and patch download=============

http://cvs.php.net/viewcvs.cgi/php-src/NEWS