PHP APC 3.1.1 And 3.0.19 Cross Site Scripting

Type packetstorm
Reporter Moritz Naumann
Modified 2008-12-30T00:00:00


                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
PHP APC is an opcode cache for PHP, or, as the developers say: "APC is a  
free, open, and robust framework for caching and optimizing PHP  
intermediate code."  
While at least some of its developers do not consider this an issue  
(based on the assumption that "it is pretty well understood that opcode  
caches need a better defined environment than the chaos of a general  
mass vhosting ISP"), it is not documented and not neccessarily known  
that PHP APC does not provide safety measures against local attacks.  
According to one of the developers, in a multi-user environment, attacks  
that users can currently carry out against other local users are  
* filling the user cache  
* constantly delete the cache  
both of which may lead to a DoS situation.  
In addition, there's a cross site scripting issue which comes into play  
when you have local users which are able to create files and cause those  
to be cached, and a server admin later visits the apc.php web interface  
which comes with PHP APC. See below for further information on this  
specific issue.  
Cross Site Scripting vulnerability in PHP-APC  
PHP APC 3.1.1, 3.0.19 and probably earlier versions of PHP-APC are  
subject to a cross site scripting vulnerability which can be triggered  
by local users.  
This issue is caused by insufficient validation of path and file names  
which are displayed to an authenticated admin when viewing the 'System  
Cache Entries' and 'User Cache Entries' sections on the apc.php web  
management interface.  
This issue can be exploited in all environments which different access  
levels for the PHP APC admin and other users with local write permissions  
A malicious user with local write access (such as an FTP user on shared  
hosting environments) may create two directories  
and create a file named  
in the latter directory, then access this file via HTTP. If PHP-APC is  
active on this host, this file may have been cached and will then be  
listed on the apc.php web interface to a logged in admin. In this  
harmless example, the injected script code will display a javascript  
alert window. However, the attacker could also use this vulnerability to  
steal the PHP APC admins' session data from within the domain apc.php is  
invoked in, as well as all other attacks cross site scripting allows for.  
This issue has been fixed in PHP APC CVS.  
Report by Moritz Naumann, Naumann IT Consulting & Services, Berlin, Germany.  
Version: GnuPG v1.4.9 (GNU/Linux)