Advisory 10/2005: Yawp/YaWiki Remote URL Include Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hardened-PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: Yawp/YaWiki Remote URL Include Vulnerability
Release Date: 2005/07/12
Last Modified: 2005/07/12
Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]
Application: Yawp <= 1.0.6
Severity: A global variable can be overwritten which leads
to a remote URL include vulnerability under
some conditions
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory-102005.php
Overview:
Quote from http://phpyawp.com/yawiki/
"Yawp is Yet Another Web Programming foundation for PHP applications.
It is one of the easiest "frameworks" you will ever see for PHP (even
though it's not really a framework). Yawp attempts to enhance your
own style of programming, not impose a programming method on you."
A very quick glimpse on the source of Yawp showed that the default
way to use this library is vulnerable to a remote URL inclusion
vulnerability when running under PHP5, with register_globals and
allow_url_fopen turned on.
One of the applications that use Yawp in this unsafe way is YaWiki
from the same author.
Details:
When the Yawp library is started it can be called with a path to a
config file. When this config file is omitted it defaults to a config
file in document root. This behaviour can be overwritten by setting
the global variable _Yawp['conf_path'].
When register_globals is turned on, it is possible to set this
variable f.e. through the URL to an arbitrary config file. There is
a check with file_exists() and therefore it is not possible to put
a remote URL into this for PHP4. However, with PHP5 stat() support
was added to the FTP URL wrapper and therefore it is possible to
exploit this on PHP5 servers by setting the variable to a config
file lying on any FTP server.
Within this config file it is possible to specify f.e. what PHP
files should be included when the framework is started. Because
this include is not protected by anything it is possible to include
any remote URL (unless your server runs our Hardening-Patch) or
any file reachable by the webserver.
Proof of Concept:
The Hardened-PHP Project is not going to release an exploit
for this vulnerability to the public.
Disclosure Timeline:
12. July 2005 - Vendor contacted
12. July 2005 - Vendor releases bugfixed version
12. July 2005 - Public disclosure
Recommendation:
We strongly recommend to upgrade to the vendor supplied
new version
Yawp 1.1.0
http://phpyawp.com/Yawp-1.1.0.tgz
GPG-Key:
http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2005 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFC1BCiRDkUzAqGSqERApOzAJ9vtPhLO/oQWspZrVIg3+jps5Y3ZgCgkMZ9
NsWhok/j+txFCBFwvrXMx34=
=enNp
-----END PGP SIGNATURE-----