Source: http://securityreason.com/achievement_securityalert/34
[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
-Written: 26.2.2006
-Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996
— 0. Description —
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write dynamically
generated pages quickly.
A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the
PHP Conference Material is freely available.
file: standard/info.c, lines 135-154
The function php_print_gpcse_array() prints array values through an output buffer started with a 4096-byte chunk size, and only the text still held in that buffer when printing ends is passed through php_info_html_esc():

    if (Z_TYPE_PP(tmp) == IS_ARRAY) {
        zval *tmp3;
        MAKE_STD_ZVAL(tmp3);
        if (!sapi_module.phpinfo_as_text) {
            PUTS("<pre>");
        }
        /* chunked output buffer: flushes itself to the client once it holds 4096 bytes */
        php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
        zend_print_zval_r(*tmp, 0);
        /* only what is still buffered is fetched here and escaped below */
        php_ob_get_buffer(tmp3 TSRMLS_CC);
        php_end_ob_buffer(0, 0 TSRMLS_CC);
        elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
        PUTS(elem_esc);
        efree(elem_esc);
        zval_ptr_dtor(&tmp3);
        if (!sapi_module.phpinfo_as_text) {
            PUTS("</pre>");
        }
    } else if (Z_TYPE_PP(tmp) != IS_STRING) {
So if the printed array is longer than 4096 bytes, the buffer is flushed to the page before the escaping step, and HTML tags in the flushed part are output unescaped.
Exploit:
If a PHP script calls phpinfo(), request it with a variable (array) such as
phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]=[XSS]
or
phpinfo.php?cx[]=ccccc…~4096chars…ccc[XSS]
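An added model of the buffering pattern in the excerpt above (it is not PHP's code; ob_t, ob_write() and html_esc() are stand-ins for PHP's output buffer and php_info_html_esc()). It prints a one-element array the way zend_print_zval_r() would and shows that, with a 4096-byte chunk, a value long enough to overflow the buffer reaches the page before the escaper runs, while an unchunked buffer (the safe variant, chunked = 0) escapes everything:

```c
#include <stdlib.h>
#include <string.h>

#define CHUNK 4096  /* the chunk size handed to php_start_ob_buffer() in the excerpt */
/* page = what the browser receives; buf = what is still buffered. As in the excerpt,
 * only buf reaches the escaper at the end. */
typedef struct { char *page; size_t page_len; char *buf; size_t buf_len; } ob_t;

static void append(char **dst, size_t *len, const char *s, size_t n) {
    *dst = realloc(*dst, *len + n + 1);
    memcpy(*dst + *len, s, n);
    *len += n;
    (*dst)[*len] = '\0';
}
/* Stand-in for php_info_html_esc(): escapes '<' and '>' (caller frees the result). */
static char *html_esc(const char *s, size_t n) {
    char *out = malloc(n * 4 + 1), *p = out;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '<')      { memcpy(p, "&lt;", 4); p += 4; }
        else if (s[i] == '>') { memcpy(p, "&gt;", 4); p += 4; }
        else *p++ = s[i];
    }
    *p = '\0';
    return out;
}
/* One write into the buffer. With chunking on, a buffer that has reached CHUNK bytes is
 * flushed to the page as-is, bypassing the escaper; chunking off is the safe variant. */
static void ob_write(ob_t *ob, const char *s, int chunked) {
    append(&ob->buf, &ob->buf_len, s, strlen(s));
    if (chunked && ob->buf_len >= CHUNK) {
        append(&ob->page, &ob->page_len, ob->buf, ob->buf_len);  /* raw bytes leak */
        ob->buf_len = 0;
    }
}
/* Print a one-element array the way zend_print_zval_r() does (several small writes, the
 * string value in one write), then escape whatever is still buffered. Returns 1 if the
 * constructed "<b>" marker at the end of the value reaches the page unescaped. */
static int tag_leaks(size_t pad, int chunked) {
    char *value = malloc(pad + 4);
    memset(value, 'c', pad);
    strcpy(value + pad, "<b>");   /* constructed marker standing in for [XSS] */
    ob_t ob = {0};
    const char *pieces[] = { "Array\n(\n", "    [0] => ", value, "\n", ")\n" };
    for (size_t i = 0; i < 5; i++) ob_write(&ob, pieces[i], chunked);
    char *tail = html_esc(ob.buf, ob.buf_len);
    append(&ob.page, &ob.page_len, tail, strlen(tail));
    int leaked = strstr(ob.page, "<b>") != NULL;
    free(tail); free(ob.buf); free(ob.page); free(value);
    return leaked;
}
```

tag_leaks(100, 1) stays escaped, tag_leaks(4096, 1) leaks the raw marker, and tag_leaks(4096, 0) shows that escaping the complete output closes the gap.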
— 2. How to fix —
CVS
http://cvs.php.net/viewcvs.cgi/php-src/NEWS
— 3. Greets —
For: sp3x
and
p_e_a, pi3, eax ;]