PHP ip2long() function circumvention

2006-08-02T00:00:00
ID SECURITYVULNS:DOC:13693
Type securityvulns
Reporter Securityvulns
Modified 2006-08-02T00:00:00

Description

--- PHP ip2long() function circumvention --------------------------------------

tested on php 5.0.2 " 4.3.3


after some test on miniBB application (http://www.minibb.net/) I obtained that the php ip2long() function can be tricked to return a valid IPv4 Internet network address instead of "-1" even if the ip address argument is not a valid one, through the injection of some chars, ex:

<?php for ($i=0; $i<=255; $i++) { echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n"; } ?>

when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32)

it gives the following (valid) result:

16843009

in minibb case this could result in sql injection, forging an header like this:

X-FOWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]

or even like this:

X-FOWARDED-FOR: 1[CHR(9)]'[SQL CODE]

(however Minibb limit the string to 15 chars so you will have an unuseful twelve chars sql injection...) also remeber that HTTP headers is not filtered by PHP magic_quotes_gpc, so this could give an attacker the way to fully compromise an application

code taken from MiniBB 2.0 index.php, 248-264 / Banned IPs/IDs stuff / $thisIp=getIP(); <--------------------- here $thisIp becomes our sql code $cen=explode('.', $thisIp);

if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){ $thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+'; $thisIpMask[1]=$cen[0].'.'.$cen[1].'.+'; } else { $thisIpMask[0]='0.0.0.+'; $thisIpMask[1]='0.0.0.+'; }

if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { //<----------- $thisIp is passed to the db_ipCheck() function $title=$sitename." :: ".$l_accessDenied; echo ParseTpl(makeUp('main_access_denied')); exit; }

bb_functions.php, near lines 123-131 //---------------> function getIP(){ $ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR'); if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1; //<-- vulnerable code $finalIP=substr($finalIP,0,15); return $finalIP; }

//--------------->

setup_mysql.php, near lines 99-105:

function db_ipCheck($thisIp,$thisIpMask,$user_id){ $res=mysql_query('select id from '.$GLOBALS['Tb'].' where banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<--- sql injection banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'"); echo mysql_error(); if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE; }


1.05 29/07/2006 rgod http://retrogod.altervista.org/php_ip2long.htm